CVE-2005-2878

GNU Mailutils 0.6 - Authenticated Remote Code Execution via IMAP SEARCH Command Format String


Exploitation Summary

EIP tracks 3 public exploits for CVE-2005-2878. PoCs published by Xpl017Elz, Angelo Rosiello, Clément Lecigne.

AI-analyzed exploit summary: This exploit targets a format string vulnerability in GNU imap4d mailutils-0.6, allowing remote code execution via a crafted 'search' command. It bypasses exec-shield by leaking the address of do_system() and overwriting the .dtors section to execute arbitrary commands (e.g., xterm).

Description

Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0.6 allows remote authenticated users to execute arbitrary code via format string specifiers in the SEARCH command.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Xpl017Elz · c · remote · linux
https://www.exploit-db.com/exploits/3787

This exploit targets a format string vulnerability in GNU imap4d mailutils-0.6, allowing remote code execution via a crafted 'search' command. It bypasses exec-shield by leaking the address of do_system() and overwriting the .dtors section to execute arbitrary commands (e.g., xterm).

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: GNU imap4d mailutils-0.6
Auth required
Prerequisites: Valid IMAP credentials · Network access to port 143 · Target running vulnerable imap4d version
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Angelo Rosiello · c · remote · bsd
https://www.exploit-db.com/exploits/1234

This exploit targets a format string vulnerability in GNU Mailutils 0.6 imap4d's 'search' command. It leverages a format string attack to overwrite memory addresses and execute arbitrary shellcode, which spawns a bind shell on port 30464.

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GNU Mailutils 0.6 imap4d
Auth required
Prerequisites: Network access to the target imap4d service · Valid login credentials for authentication
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by Clément Lecigne · c · remote · linux
https://www.exploit-db.com/exploits/1209

This exploit targets a format string vulnerability in GNU Mailutils 0.6 imap4d via the 'search' command. It leverages hardcoded addresses for Debian testing (etch) to overwrite the IO_file_close function pointer and execute shellcode, resulting in remote code execution.

Classification
Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GNU Mailutils 0.6 imap4d
Auth required
Prerequisites: Network access to the IMAP service · Valid credentials for authentication
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/17020
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200509-10.xml
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/16783
Exploit, Patch, Vendor Advisory third-party-advisory x_refsource_idefense
http://www.idefense.com/application/poi/display?id=303&type=vulnerabilities&flashstatus=true
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2005/dsa-841
Mailing List mailing-list x_refsource_bugtraq
http://marc.info/?l=bugtraq&m=112785181316043&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/14794

Scores

EPSS 0.1457
EPSS Percentile 96.2%

Details

Status published
Products (1)
gnu/mailutils 0.6
Published Sep 13, 2005
Tracked Since Feb 18, 2026