GEN:SID 1:1845
Message IMAP list literal overflow attempt
Summary This event is generated when a remote attacker sends an IMAP LIST command with a malformed and overly long argument to an internal IMAP server port. This may indicate an attempt to exploit a buffer overflow vulnerability in the IMAP LIST command.
Impact Possible shell access on the IMAP server, leading to arbitrary code execution. The attacker must have a valid IMAP account on the mail server to attempt this exploit.
Detailed Information When a LIST command with an overly long argument is sent to a vulnerable IMAP server, a buffer overflow condition may occur. This can allow an attacker to execute arbitrary code from the command shell. Note that this exploit can only be attempted by a user with a valid IMAP account.
Affected Systems Any operating system running University of Washington imapd versions 10.234 or 12.264.
Attack Scenarios An attacker with an IMAP account on the server can send a sufficiently long LIST command to the IMAP server, creating a buffer overflow condition. This can then allow the attacker to gain shell access on the compromised server, possibly leading to the execution of arbitrary code.
Ease of Attack Simple. Exploits exist, but the user must have a valid IMAP account on the server.
Corrective Action Apply the patch for your current version of imapd appropriate to your operating system.
Additional References Bugtraq
http://www.securityfocus.com/bid/1110
Rule References bugtraq: 1110
cve: 2000-0284
nessus: 10374