Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0671 to the following vulnerability: Format string vulnerability in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit imap-2007d and other applications, allows remote attackers to execute arbitrary code via format string specifiers in the initial request to the IMAP port (143/tcp). References: http://packetstormsecurity.org/0902-exploits/uwimap-format.txt http://www.securityfocus.com/bid/33795 http://xforce.iss.net/xforce/xfdb/48798
Official statement was published on the Nist's NVD site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0671 Disputed: The Red Hat Security Response Team have been unable to confirm the existence of this format string vulnerability in the toolkit, and the sample published exploit is not complete or functional. This issue was investigated by Red Hat and upstream and we were unable to identify a specific flaw based on the published exploit. Exploit code is broken and does not even compile. Additionally, it seems to be a merge of two or more previous exploits, format string was copied verbatim from: http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/exploits/Nightmare.c While it's unclear whether the exploit was intentionally crippled to hide real flaw, or it was fake from the beginning, we were not able to identify any format string issues that would affect UW imapd as suggested by the published exploit. Additional sources report that similarly broken fake exploits were published in the past, crediting same author. CVE id should be marked rejected by Mitre in the near future.