SMTP server
* Aron Andersson and Jan Sahlin of Bitsec reported boundary errors in
the "tmail" and "dmail" utilities when processing overly long mailbox
names, leading to stack-based buffer overflows (CVE-2008-5005).
* An error in smtp.c in the c-client library was found, leading to a
NULL pointer dereference vulnerability (CVE-2008-5006).
* Ludwig Nussel reported an off-by-one error in the
rfc822_output_char() function in the RFC822BUFFER routines in the
c-client library, as used by the UW IMAP toolkit (CVE-2008-5514).
Problem Description:
A vulnerability has been found and corrected in postfix:
The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10,
2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL
authentication methods are enabled, does not create a new server handle
after client authentication fails, which allows remote attackers to
cause a denial of service (heap memory corruption and daemon crash)
or possibly execute arbitrary code via an invalid AUTH command
(CVE-2011-1720).
Vulnerability Report:
As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send any number of forged email messages without restriction through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters.
Impact:
All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.
Posted by pablo.ximenes@upr.edu to bugtraq on Wed, 7 May 2008.
VUPEN Security discovered two critical vulnerabilities affecting Novell
GroupWise 8.x and 7.x.
The first issue is caused due to a buffer overflow error in the Novell
GroupWise Internet Agent (GWIA) when processing specially crafted
email addresses via SMTP, which could be exploited by remote
unauthenticated attackers to execute arbitrary code with SYSTEM
privileges.
The second vulnerability is caused due to a buffer overflow error in
the Novell GroupWise Internet Agent (GWIA) when processing certain
_______________________________________________________________________
Problem Description:
Two vulnerabilities were discovered in Wireshark. The first is a
vulnerability in the SMTP dissector that could cause it to consume
excessive CPU and memory via a long SMTP request (CVE-2008-5285).
The second is an issue with the WLCCP dissector that could cause it
to go into an infinite loop.
Package description:
fetchmail
Fetchmail is a remote mail retrieval and forwarding utility intended
for use over on-demand TCP/IP links, like SLIP or PPP connections.
Fetchmail supports every remote-mail protocol currently in use on the
Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
and IPSEC) for retrieval. Then Fetchmail forwards the mail through
SMTP so you can read it through your favorite mail client.
quagga
Quagga is free software that implements TCP/IP-based routing protocols.
https://issues.rpath.com/browse/RPL-1690
Description:
Previous versions of the fetchmail package may crash when attempting
to deliver an internal warning or error message through an untrusted
or compromised SMTP server, leading to a possible Denial of Service.
Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
on MD5 collisions. As fetchmail supports the APOP protocol, this
vulnerability can be used by attackers to discover a portion of the APOP
user's authentication credentials. (CVE-2007-1558)
Earl Chew discovered that fetchmail can be made to de-reference a NULL
pointer when contacting SMTP servers. This vulnerability can be used
by attackers who control the SMTP server to crash fetchmail and cause
a denial of service. (CVE-2007-4565)
Updated packages for Ubuntu 6.06 LTS:
Problem Description:
A vulnerability in fetchmail was found where it could crash when
attempting to deliver an internal warning or error message through an
untrusted or compromised SMTP server, leading to a denial of service.
Updated packages have been patched to prevent these issues.
_______________________________________________________________________
References:
http://www.tippingpoint.com
-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell Netware Groupwise SMTP daemon.
Authentication is not required to exploit this vulnerability.
The specific flaw exists during the parsing of malformed RCPT verb
arguments to the SMTP daemon. When an overly long e-mail address is
received an off-by-one condition is triggered which minimally will cause
Hello,
the reported vulnerability allows logins to mail and probably other
services protected by Plesk authentication modules on at least the
current Plesk 8.6.0 Unix/Linux and could e.g. be used for relaying spam
through gained SMTP auth privileges.
Only systems which allow short mail login names (SHORTNAMES=1) are
affected, which is not the default but is e.g. effective after migrating
from Confixx control panel or by administrators' manual choice.
My current advice is to disable short login names through control panel
dst addresses and things like that). Using the dst address means that
sometimes you get mac addresses of wifi devices that are not near you,
but I think gives you information about the wifi 'infrastructure',
again, I think :).
-gathers 'useful' information from unencrypted wifi traffic (a la
Ferret, dsniff, etc.); like pop3 credentials, smtp traffic, http
cookies/authinfo, msn messages, ftp credentials, telnet network
traffic, nbt, etc.
-and I think that's it.
Requirements:
> them to open files, just send off a rootkit. But let's ignore that for
> now- let's pretend that somehow this is a magic attack-- This is where
> security-in-depth comes in, and where the overall context of your post
> is incorrect:
>
> First off, you block .rdp files at the SMTP gateway (that by itself is
> security in depth). Secondly, normal domain users don't RDP to external
> hosts, so there would never be an allow rule for outbound RDP. Even if
> there was some need for off-lan RDP traffic from users, it would be on a
> host-by-host basis and managed by the firewalls. That, again, is
> security in depth.
> >> I am happy to announce the immediate availability of a web based email
> >> security testing tool at http://www.ismymailsecure.com. The tool is an
> >> end-user friendly way to determine if the mail servers for a certain
> >> email address support the STARTTLS capability to encrypt the email
> >> transfer between servers. While most email providers have frontends that
> >> use encryption, the actual email transfers via SMTP are often not secure
> >
> > It seems it does not check whether the returned certificate is signed by a trusted CA.
/ Kari Hurtta
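As an added example (not the ismymailsecure.com tool's code, and not part of Kari Hurtta's message), the check discussed in that exchange written out in Python: EHLO the server, look for the STARTTLS capability, then upgrade with an SSL context that requires a chain to a trusted CA and a matching host name, which is exactly the validation the reply says the web tool appears to skip. The EHLO text used for the parser and the host name `mail.example.test` in the usage line are constructed.

```python
import smtplib
import ssl


def parse_ehlo(reply: bytes) -> dict:
    """Turn an EHLO reply body into {KEYWORD: parameters}.

    smtplib.SMTP.ehlo() returns (code, body); body is the reply lines joined
    with b'\\n', the first line being the server's own name and the rest the
    advertised extensions such as b'SIZE 10240000' or b'STARTTLS'.
    """
    caps = {}
    for line in reply.split(b"\n")[1:]:
        words = line.strip().split(b" ", 1)
        if not words[0]:
            continue
        keyword = words[0].decode("ascii", "replace").upper()
        caps[keyword] = words[1].decode("ascii", "replace") if len(words) > 1 else ""
    return caps


def strict_tls_context() -> ssl.SSLContext:
    """Context that rejects untrusted chains and host name mismatches."""
    ctx = ssl.create_default_context()   # system CA bundle, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a trusted chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def check_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect, EHLO, and upgrade to TLS with full certificate validation.

    'verified' becomes True only if the handshake succeeds against the strict
    context; an untrusted or mismatched certificate surfaces as
    ssl.SSLCertVerificationError and is reported in 'error'.
    """
    result = {"host": host, "starttls": False, "verified": False, "error": None}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        code, body = smtp.ehlo("probe.example.test")
        if code != 250:
            result["error"] = "EHLO rejected with %d" % code
            return result
        if "STARTTLS" not in parse_ehlo(body):
            return result                      # transfer would stay in cleartext
        result["starttls"] = True
        smtp.starttls(context=strict_tls_context())   # smtplib passes the host as SNI/name
        result["verified"] = True
        result["tls"] = smtp.sock.version()
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate not trusted: %s" % exc.reason
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    finally:
        if smtp is not None:
            smtp.close()                       # probe only; no QUIT needed
    return result


if __name__ == "__main__":
    print(check_starttls("mail.example.test"))   # constructed host; use a real MX from a DNS lookup
```

Port 25 is the server-to-server port the original message is about; the same function with port 587 probes submission. A server that advertises STARTTLS but presents a self-signed or wrongly named certificate ends with `starttls` True and `verified` False, which is the case the reply points out a capability-only test cannot distinguish.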
vulnerable installations of Sybase OneBridge Mobile Data Suite.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the iMailGatewayService server process
(ECTrace.dll) which listens for encrypted requests by default on TCP
port 993 (IMAP) and port 587 (SMTP). The process fails to properly
sanitize malformed user string inputs before passing to the
authentication logging function. By providing a specially crafted string
with format specifiers this can be leveraged to trigger a format string
vulnerability which can lead to arbitrary code execution in the context
of the server process.
> The mail addresses can only be stored if the server through which the
> mail is relayed (or on which it originates) falls under the law. I'd
> presume that's not a significant percentage of all mails sent out from
> any country.
>
> Of course, it's also possible to track (snoop) all SMTP traffic on the
> network, but that's totally different from just keeping mail and AAA
> server logs and from my understanding that's not what this law
> mandates.
>
> Regards,
NVD NIST: ID requested but no answer received
OSVDB: ID requested but no answer received
Summary:
SimpGB is a guestbook that stores its data in MySQL, with an administration interface and support for multiple languages.
A security problem in the product can be exploited by attackers to gain access to sensitive information such as database details, program settings, program paths, session information, cookies and the SMTP configuration.
Advisory URL:
http://www.netvigilance.com/advisory0066
Release Date:
Background
==========
SquirrelMail is a webmail package written in PHP. It supports IMAP and
SMTP protocols.
Affected packages
=================
-------------------------------------------------------------------
1) Introduction
===============
MailEnable is a mail server for Windows which supports various
protocols like SMTP, POP3, IMAP, webmail and a HTTPMail service.
#######################################################################
1. Background
=============
fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents. It supports SSL and TLS security layers through
the OpenSSL library, if enabled at compile time and if also enabled at
run time.
A security vulnerability has been identified and fixed in sendmail:
sendmail before 8.14.4 does not properly handle a '\0' (NUL)
character in a Common Name (CN) field of an X.509 certificate, which
(1) allows man-in-the-middle attackers to spoof arbitrary SSL-based
SMTP servers via a crafted server certificate issued by a legitimate
Certification Authority, and (2) allows remote attackers to bypass
intended access restrictions via a crafted client certificate issued by
a legitimate Certification Authority, a related issue to CVE-2009-2408
(CVE-2009-4565).
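To make the sendmail issue concrete, here is an added example in Python (not sendmail's code) of the bug class. A certificate CN is a length-prefixed ASN.1 string, so it may legally contain a NUL byte, but C code that hands it to strcmp() or strlen() stops at that byte. The CN values are constructed; `vulnerable_cn_matches` reproduces the length-unaware comparison, `safe_cn_matches` the correct one, and `client_cert_allowed` covers the second half of the advisory, where a client certificate CN is compared against an access list. The wildcard handling goes slightly beyond the advisory text: a single leftmost `*` label is accepted, anything else is not.

```python
def cstr_view(cn: bytes) -> bytes:
    """What a C string function sees: the bytes up to the first NUL."""
    return cn.split(b"\x00", 1)[0]


def _labels_match(expected: str, presented: str) -> bool:
    """Case-insensitive exact match, or one leftmost wildcard label:
    '*.example.test' matches 'mail.example.test' but neither 'example.test'
    nor 'a.b.example.test'."""
    expected = expected.lower()
    presented = presented.lower()
    if presented == expected:
        return True
    if presented.startswith("*."):
        suffix = presented[1:]                        # '.example.test'
        head, sep, tail = expected.partition(".")
        return bool(head) and sep == "." and "." + tail == suffix
    return False


def vulnerable_cn_matches(expected_host: str, cn: bytes) -> bool:
    """Length-unaware comparison: a NUL truncates the CN, so a certificate
    for b'mail.example.test\\x00.attacker.test' passes for mail.example.test
    even though the CA only vouched for the attacker's domain."""
    presented = cstr_view(cn).decode("ascii", "replace")
    return _labels_match(expected_host, presented)


def safe_cn_matches(expected_host: str, cn: bytes) -> bool:
    """Use the full length: a NUL can never occur in a DNS name, so its
    presence is an attack indicator, not a terminator."""
    if b"\x00" in cn:
        return False
    try:
        presented = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not presented or "*" in presented[1:]:       # wildcard only as the whole leftmost label
        return False
    return _labels_match(expected_host, presented)


def client_cert_allowed(cn: bytes, allowed: set) -> bool:
    """Access-control side: a client certificate whose CN is
    b'relay1.example.test\\x00.attacker.test' must not be accepted as relay1."""
    if b"\x00" in cn:
        return False
    try:
        return cn.decode("ascii").lower() in {name.lower() for name in allowed}
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    spoof = b"mail.example.test\x00.attacker.test"        # constructed CN
    print("vulnerable:", vulnerable_cn_matches("mail.example.test", spoof))
    print("safe:      ", safe_cn_matches("mail.example.test", spoof))
```

Modern TLS libraries (OpenSSL's X509_check_host, CPython's ssl module) do this length-aware comparison for you; the example exists to show why a NUL inside an otherwise valid certificate defeated the C-string comparison sendmail 8.14.3 and earlier used.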
Insufficient Anti-automation:
http://site/xampp/mailform.php
With access to the admin panel, and if the SMTP service (Mercury Mail) is turned on,
it is possible to send spam because the form has no protection against
automated requests.
XAMPP 1.6.8 and earlier versions are vulnerable, and later versions
(including the latest, XAMPP 1.7.1) are potentially affected as well.
conduct symlink attacks that overwrite arbitrary files.
CVE-2011-0411
The STARTTLS implementation does not properly restrict I/O
buffering, which allows man-in-the-middle attackers to insert
commands into encrypted SMTP sessions by sending a cleartext
command that is processed after TLS is in place.
CVE-2011-1720
A heap-based read-only buffer overflow allows malicious
clients to crash the smtpd server process using a crafted SASL
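The CVE-2011-0411 entry above describes a plaintext command injection across STARTTLS. The simulation below is an added example in Python (not Postfix code) of the server-side command loop that produces it. The attacker's segment is constructed: `STARTTLS` immediately followed, in the same cleartext read, by a `MAIL FROM`. A server that keeps whatever it had already buffered processes that command after the handshake as though it had arrived over TLS; the fix is to discard the pending input at the moment the session switches to TLS, which is what the `purge_on_starttls` flag models.

```python
class SmtpSession:
    """Minimal model of a server command loop: buffered reads, then TLS.

    Setting tls_active stands in for the real handshake; the point of the
    model is what happens to bytes read before that handshake.
    """

    def __init__(self, purge_on_starttls: bool):
        self.purge_on_starttls = purge_on_starttls
        self.buffer = b""
        self.tls_active = False
        self.processed = []            # (command, processed while TLS was active)

    def feed(self, data: bytes) -> list:
        """Append one received segment and run every complete CRLF line."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            command = line.decode("ascii", "replace")
            verb = command.split(" ", 1)[0].upper()
            if verb == "STARTTLS" and not self.tls_active:
                self.processed.append((command, False))
                self.tls_active = True            # real server: reply 220, then handshake
                if self.purge_on_starttls:
                    self.buffer = b""             # fixed behaviour: cleartext read-ahead is dropped
                continue
            self.processed.append((command, self.tls_active))
        return self.processed

    def commands_under_tls(self) -> list:
        """Commands the server believes arrived over the encrypted channel."""
        return [cmd for cmd, tls in self.processed if tls]


# Constructed traffic: the injected segment, then what the victim client
# sends after the handshake completes.
ATTACK = b"EHLO mitm.example.test\r\nSTARTTLS\r\nMAIL FROM:<attacker@example.test>\r\n"
LEGIT = b"EHLO client.example.test\r\nMAIL FROM:<user@example.test>\r\n"


def commands_after_tls(purge_on_starttls: bool) -> list:
    """Run the attack segment followed by the client's own commands and
    return which ones the server treated as TLS-protected."""
    session = SmtpSession(purge_on_starttls)
    session.feed(ATTACK)
    session.feed(LEGIT)
    return session.commands_under_tls()


if __name__ == "__main__":
    print("vulnerable:", commands_after_tls(False))
    print("fixed:     ", commands_after_tls(True))
```

The same read-ahead problem exists on the client side of STARTTLS (a server's buffered cleartext response consumed after the upgrade), and the same rule applies there: nothing read before the handshake may be interpreted after it.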
applications, and this is a well-known and documented behavior that
is a part of accepted standards.
Now, I do think it would be nice to have a reliable indication of
the target URL, but it's an existential complaint along the lines of
"gee, I wish SMTP had been designed to make spamming hard". One can
get involved to come up with new standards to fix it in the timeframe
of next 10-20 years, but it's counterproductive to bash Firefox.
2) Unlike in the example in my followup, in the test case you provided,
it cannot be said that the browser failed to provide an accurate
Affected products :
~~~~~~~~~~~~~~~~~~~
- Symantec Mail Security for Domino
- Symantec Mail Security for Microsoft Exchange
- Symantec Mail Security for SMTP
- Symantec Brightmail Gateway
- Symantec AntiVirus for Network Attached Storage
- Symantec AntiVirus for Caching
- Symantec AntiVirus for Messaging
- Symantec Protection for SharePoint Servers
> From: <pablo.ximenes@upr.edu>
> Date: 7 May 2008 20:37:46 -0000
> To: <bugtraq@securityfocus.com>
> Subject: Exploiting Google MX servers as Open SMTP Relays
>
> If a lot of IP sources attack you from China RIGHT NOW, and you
> need immediate mitigation, blocking China short-term may work,
> but obviously not as a permanent solution.
Of course. You can apply the sets without blocking. In fact, I recommend that FIRST in the article. That way you can report on and analyze traffic from sources to make your own decisions on an ongoing basis. When the time comes, you can change your policy as needed. I currently block traffic from Russia, but I might start allowing in SMTP since this Anastasia chick I get emails from on my other address seems pretty hot. :)
>
> As to "getting rid" or "refusing to connect with" networks with
> extremely bad reputation, that may be quite acceptable on an individual