Cyrus IMAP pop3d popsubfolders buffer overflow

Added: 10/30/2008
CVE: CVE-2006-2502
BID: 18056
OSVDB: 25853

Background

Cyrus IMAP is an open-source IMAP, POP3, and KPOP server. The popsubfolders configuration option allows POP3 users to access subfolders by specifying the subfolder name when logging in.

Problem

When the popsubfolders configuration option is enabled, a buffer overflow in the USER command allows remote attackers to execute arbitrary commands.

Resolution

Upgrade to Cyrus IMAP 2.3.4 or higher.
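
To check a host against this advisory, the following added example (not part of the original advisory or of the Cyrus project) reads imapd.conf text and a reported version string and says whether the vulnerable combination is present. The function names, the accepted boolean spellings, the default-off behaviour and the sample configuration are assumptions made for illustration.

```python
import re

FIXED = (2, 3, 4)  # first fixed release named in this advisory
# Assumption: spellings imapd.conf treats as "true" for a boolean option.
TRUE_VALUES = {"1", "y", "yes", "on", "t", "true"}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
# constructed sample
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
popsubfolders: 1
"""

def popsubfolders_enabled(conf_text):
    """True if any uncommented popsubfolders line is set to a true value.
    Duplicate lines are handled conservatively: one true value is enough."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "popsubfolders":
            if value.strip().lower() in TRUE_VALUES:
                return True
    return False  # assumption: the option is off when absent

def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'v2.3.2'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in match.groups())

def assess(conf_text, version_text):
    """'exposed': older than 2.3.4 with popsubfolders on;
    'upgrade': older than 2.3.4 with the option off; 'fixed': 2.3.4 or later."""
    if parse_version(version_text) >= FIXED:
        return "fixed"
    return "exposed" if popsubfolders_enabled(conf_text) else "upgrade"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "v2.3.2"))
```

Distribution packages may carry backported fixes that the version number alone does not show, so confirm an "exposed" or "upgrade" result against the vendor's package changelog.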

References

http://www.frsirt.com/english/advisories/2006/1891

Limitations

The exploit works on Cyrus IMAP 2.3.2 on Red Hat Enterprise Linux 4 if POP3 is enabled with the popsubfolders configuration setting.

In order for the exploit to succeed, code execution on the stack must be enabled for the pop3d executable file.

Platforms

Red Hat
