{"uuid": "48fc9575-94ce-4db9-9b21-8bbeaca69fcc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2019-11500", "type": "published-proof-of-concept", "source": "https://t.me/tech_b0lt_Genona/921", "content": "CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole\n\nVulnerability Details:\n\nThe IMAP and ManageSieve protocol parsers do not properly handle a NUL byte\nwhen scanning data in quoted strings, leading to out-of-bounds heap\nmemory writes.\n\nRisk:\n\nThis vulnerability allows out-of-bounds writes to objects stored on\nthe heap of up to 8096 bytes in the pre-login phase and 65536 bytes in the\npost-login phase, allowing a sufficiently skilled attacker to perform\ncomplex attacks that can lead to leaking private information or remote\ncode execution. Abuse of this bug is very difficult to observe, as it does\nnot necessarily cause a crash, and attempts to abuse it are not\ndirectly evident from logs.\n\nSteps to reproduce:\n\nThis bug is best observed by running the server under valgrind, which reports\nthe out-of-bounds access triggered by the following snippet (the NUL byte is\nthe \\000 at the start of the last quoted string in the ID parameter list):\n\nperl -e 'print \"a id (\\\"foo\\\" \\\"\".(\"x\"x1021).\"\\\\A\\\" \\\"bar\\\" \\\"\\000\".(\"x\"x1020).\"\\\\A\\\")\\n\"' | nc localhost 143\n\nhttps://dovecot.org/pipermail/dovecot/2019-August/116873.html", "creation_timestamp": "2019-08-29T15:20:34.000000Z"}