CVE-1999-0920

University of Washington IMAP - Buffer Overflow via POP-2D FOLD Command

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-1999-0920. PoCs were published by Chris Evans and aushack, including the Metasploit module auxiliary/admin/pop2/uw_fileretrieval.

AI-analyzed exploit summary: This exploit targets a buffer overflow vulnerability in pop2d version 4.4 or earlier, allowing remote attackers to execute arbitrary code as the 'nobody' user via a crafted FOLD command. The exploit includes shellcode to spawn a shell and is designed to be used in conjunction with an IMAP server.

Description

Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Chris Evans · c · remote · linux
https://www.exploit-db.com/exploits/19226

This exploit targets a buffer overflow vulnerability in pop2d version 4.4 or earlier, allowing remote attackers to execute arbitrary code as the 'nobody' user via a crafted FOLD command. The exploit includes shellcode to spawn a shell and is designed to be used in conjunction with an IMAP server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: pop2d version 4.4 or earlier
Auth required
Prerequisites: Access to an IMAP server · Valid user credentials for the IMAP server
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by aushack · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/pop2/uw_fileretrieval.rb

This Metasploit module exploits a vulnerability in the University of Washington ipop2d service (CVE-1999-0920) by abusing the FOLD command to retrieve arbitrary files readable by the POP account's user ID. It requires valid credentials and interacts with the POP2 protocol to fetch file contents.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: University of Washington ipop2d
Auth required
Prerequisites: Valid POP account credentials · Target file must be world or group readable by the POP account's user ID
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/283

Scores

EPSS 0.7354
EPSS Percentile 98.8%

Details

Status published
Products (2)
university_of_washington/imap 4.4
university_of_washington/pop2d
Published May 26, 1999
Tracked Since Feb 18, 2026