Carnegie Mellon University Cyrus IMAP Server up to 2.2.4 stack-based overflow
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 9.4 | $0-$5k | 0.00 |
Summary
A vulnerability classified as critical has been found in Carnegie Mellon University Cyrus IMAP Server up to 2.2.4. This impacts an unknown function. This manipulation causes stack-based overflow. The identification of this vulnerability is CVE-2004-1011. Furthermore, there is an exploit available.
Details
A vulnerability was found in Carnegie Mellon University Cyrus IMAP Server up to 2.2.4. It has been declared as very critical. Affected by this vulnerability is some unknown processing. The manipulation with an unknown input leads to a stack-based overflow vulnerability. The CWE definition for the vulnerability is CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Stack-based buffer overflow in Cyrus IMAP Server 2.2.4 through 2.2.8, with the imapmagicplus option enabled, allows remote attackers to execute arbitrary code via a long (1) PROXY or (2) LOGIN command, a different vulnerability than CVE-2004-1015.
The bug was discovered 11/23/2004. The weakness was shared 01/10/2005 by Stefan Esser with eMatters (Website). It is possible to read the advisory at xforce.iss.net. This vulnerability is known as CVE-2004-1011 since 11/04/2004. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details are unknown but a public exploit is available. The pricing for an exploit might be around USD $0-$5k at the moment (estimation calculated on 06/05/2019).
A public exploit has been developed in ANSI C. It is possible to download the exploit at securityfocus.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 14 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 15923 (SUSE-SA:2004:043: cyrus-imapd), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks.
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product. Attack attempts may be identified with Snort ID 1842. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 3344.
The vulnerability is also documented in the databases at X-Force (18198), Tenable (15923), SecurityFocus (BID 11729†), OSVDB (12096†) and Secunia (SA13274†). The entries VDB-21897, VDB-23675, VDB-23662 and VDB-23661 are related to this item. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Vendor
Name
Version
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 10.0VulDB Meta Temp Score: 9.4
VulDB Base Score: 10.0
VulDB Temp Score: 9.4
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Stack-based overflowCWE: CWE-121 / CWE-119
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 15923
Nessus Name: SUSE-SA:2004:043: cyrus-imapd
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 52294
OpenVAS Name: FreeBSD Ports: cyrus-imapd
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Snort ID: 1842
Snort Message: PROTOCOL-IMAP login buffer overflow attempt
Snort Class: 🔍
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
SourceFire IPS: 🔍
Fortigate IPS: 🔍
Timeline
11/04/2004 🔍11/23/2004 🔍
11/23/2004 🔍
11/23/2004 🔍
11/28/2004 🔍
12/07/2004 🔍
01/10/2005 🔍
01/10/2005 🔍
03/10/2015 🔍
06/05/2019 🔍
Sources
Advisory: xforce.iss.netResearcher: Stefan Esser
Organization: eMatters
Status: Not defined
Confirmation: 🔍
CVE: CVE-2004-1011 (🔍)
GCVE (CVE): GCVE-0-2004-1011
GCVE (VulDB): GCVE-100-23659
X-Force: 18198
SecurityFocus: 11729 - Cyrus IMAPD Multiple Remote Vulnerabilities
Secunia: 13274
OSVDB: 12096 - Cyrus IMAP username buffer overflow
Vulnerability Center: 6206 - Cyrus IMAP Server 2.2.4 - 2.2.8 Allows Code Execution and DoS via PROXY and LOGIN Commands, High
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 03/10/2015 12:14Updated: 06/05/2019 15:03
Changes: 03/10/2015 12:14 (81), 06/05/2019 15:03 (6)
Complete: 🔍
Cache ID: 216:39A:103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.