Sonicwall Signatures


Category: IMAP

IMAP Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to attacks on IMAP servers. IMAP, or Internet Message Access Protocol, is a standard protocol for accessing mail on a remote server from a local client. It allows users to use a mail client to manipulate messages while they are still on the server, in contrast to the POP protocol, which requires users to download messages to their local client before manipulating them. IMAP servers accept and send a set of standardized commands to serve e-mail messages to clients. Unfortunately, attackers have found a number of ways to manipulate these commands to exploit vulnerabilities in many versions of IMAP server software, causing the software to malfunction. These attacks can crash the server, provide attackers access to sensitive information, or allow them to completely take control of the server.

Attackers attack IMAP servers using buffer overflow attacks. These attacks involve a hacker sending a command with an overly long argument to an IMAP server, causing the server to mishandle the request and possibly execute code of the attacker's choice. For example, if an authenticated user sends a LIST command with an overly long argument to the server, several versions of IMAP server software will mishandle the command and potentially allow attackers to gain control over the server. Once in control, attackers can corrupt mailboxes, steal information, or use the server for their own ends. Even if such an attack fails to grant attackers control of a server, it will most likely crash the machine, shutting down e-mail access to all users on the server.

Because most of the attacks on IMAP servers that have a relatively high probability of success require attackers to be authenticated by the system first, these attacks do not represent a serious threat. SonicWALL IMAP signatures are classified as low-priority, and are by default set to detect and alert administrators of suspicious IMAP activity.

  Malformed IMAP AUTHENTICATE Command 1
  Malformed IMAP LIST Command 1
  Malformed IMAP FIND Command
  Malformed IMAP CREATE Command
  Malformed IMAP Request 1
  Malformed IMAP AUTHENTICATE Command 2
  Malformed IMAP DELETE Command
  Malformed IMAP LIST Command 2
  Malformed IMAP SELECT Command 2
  Malformed IMAP LOGIN Command 2
  Malformed IMAP EXAMINE Command
  Malformed IMAP SELECT Command 3
  Malformed IMAP SEARCH Command 1
  Microsoft Outlook MONIKERLINK Security Feature Bypass
  Microsoft Outlook MONIKERLINK Security Feature Bypass 2
  Malformed IMAP Request 2
  MailEnable IMAPD LOGIN Command Buffer Overflow
  Malformed IMAP SELECT Command 1
  Malformed IMAP LOGIN Command 1
  Malformed IMAP STATUS Command
  Malformed IMAP SUBSCRIBE Command
  Malformed IMAP SEARCH Command 2
  Malformed IMAP FETCH Command
  Perdition IMAP Proxy str_vwrite Format String Attack
  Malformed IMAP RENAME Command
  HCL Domino Mailbox Name Buffer Overflow
  Dovecot Quoted String Remote Code Execution 1
  Dovecot Quoted String Remote Code Execution 2
  IMAP Toolkit imap_open Remote Code Execution
  Microsoft Outlook Email Invite Information Disclosure

Relevant Information