
SMTP Server

Memory corruption in Postfix SMTP server Cyrus SASL support (CVE-2011-1720)

[On-line version will be at http://www.postfix.org/CVE-2011-1720.html]

Summary
=======

The Postfix SMTP server has a memory corruption error when the Cyrus
SASL library is used with authentication mechanisms other than PLAIN
and LOGIN (the ANONYMOUS mechanism is unaffected but should not be
enabled for different reasons). See below for instructions to
determine what systems are affected.


Plaintext injection in STARTTLS (multiple implementations)

This is a writeup about a flaw that I found recently, and that
existed in multiple implementations of SMTP (Simple Mail Transfer
Protocol) over TLS (Transport Layer Security) including my Postfix
open source mailserver. I give an overview of the problem and its
impact, how to find out if a server is affected, fixes, and draw
lessons about where we can expect similar problems.  A time line
is at the end.

For further reading:
http://www.kb.cert.org/vuls/id/555316 

[CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities


      Core Security Technologies - CoreLabs Advisory
           http://corelabs.coresecurity.com/

Windows SMTP Service DNS query Id vulnerabilities



1. *Advisory Information*


[HS-A007] Qbik WinGate Remote Denial of Service

WinGate by Qbik IP Management Limited is a sophisticated gateway and
server product used in over 600,000 networks across the globe. More
information about WinGate can be found here: www.wingate.com

WinGate provides a number of network services including an SMTP server
for email. It is this SMTP server component that is vulnerable to a
remotely exploitable format string vulnerability that can lead to a
remote DoS attack, resulting in the entire WinGate service being
terminated. The result of the WinGate service being terminated in such a
fashion is that none of the many network services it provides will be

[security bulletin] HPSBOV02470 SSRT080123 rev.2 - HP TCP/IP Services for OpenVMS Running SMTP Server, Remote Denial of Service (DoS)

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01915145
Version: 2

HPSBOV02470 SSRT080123 rev.2 - HP TCP/IP Services for OpenVMS Running SMTP Server, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-11-14
Last Updated: 2011-11-14

Safari browser port blocking bypassed by integer overflow

So I looked at this integer overflow and I thought to myself what exactly I'd 
find this useful for. The answers I came up with were:

* Getting idiot Mac-using creative people at bulk mailing companies to click
   on links which spew SMTP envelopes at their internal mailserver, thereby
   utilizing someone else's email reputation to send CPA offers of my own.
* Bruteforcing device passwords via a wordlist and then phoning home
* Reflashing network devices with firmware more fun than the factory default
* Relay exploit payloads to non-HTTP daemons on arbitrary TCP ports
* Get a Safari web browser to do pretty much anything on any TCP port and not

Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition

#
# Eureka Mail Client Remote Buffer Overflow Exploit XP SP3 English Egghunter Edition
# Coded By: k4mr4n_st@yahoo.com
# Found By: k4mr4n (Securitylab.ir Member)
# Tested On: Windows XPSP3 English
# Note: This script sets up a fake SMTP server
# Note: Set the client to this address and check your mail
#
##########################################################

import sys, socket

[security bulletin] HPSBOV02470 SSRT080123 rev.1 - HP TCP/IP Services for OpenVMS Running SMTP Server, Remote Denial of Service (DoS)

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01915145
Version: 1

HPSBOV02470 SSRT080123 rev.1 - HP TCP/IP Services for OpenVMS Running SMTP Server, Remote Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-11-03
Last Updated: 2011-11-03

fetchmail security announcement fetchmail-SA-2007-02 (CVE-2007-4565)

1. Background
=============

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

fetchmail ships with a graphical, Python/Tkinter based configuration
utility named "fetchmailconf" to help the user create configuration (run
control) files for fetchmail.

RE: Country by Country ISA Computer Sets

<sarcasm tagfor=oblivoious>
Yeh, but what if I want you to justify your decisions in the context of my perceptions?
You don't find it reasonable that because you wish to share your efforts for free that they should serve my needs as well?
</sarcasm>

For the record, I tried Tim's blocklists and because I use an external spam-catcher and therefore accept mail only from them or specific hosts, I can statistically validate the statement that the sources of SMTP connection attempts that ignore my MX record are coming from a large percentage of the IPs Tim assembled, with the majority coming from east Asia (China & Korea being the most active).

It's a fair bet that any SMTP connection attempts that fail to agree with your MX record are "less than trustworthy".

Jim


Re: Remote Desktop Command Fixation Attacks

> why security in depth is required.  For example-- Back in January of
> 2003 (where has the time gone?) I published an article on Security Focus
> discussing how to secure Exchange Server deployments.
> (http://www.securityfocus.com/infocus/1654 if you want to check up on
> me).  I would draw your attention to this excerpt in regard to using
> ISA's SMTP application filter to inspect SMTP traffic:
>
> "Though we are filtering the command set through the ISA server, it is
> the element of the unknown that concerns me: we just don't know what
> vulnerabilities the future may present, and the possibility of a
> compromised Exchange server is just too much of a risk."

Multiple MicroWorld products insecure directory permissions

     %programfiles%\ecan-web and mail filter\consctl.exe

3.) Affected applications:
     ----------------------
     MailScan for Mail-Server 5.6a
     MailScan for SMTP Server 5.6a

     Corresponding binaries:
     -----------------------
     %programfiles%\mailscan\mailserv.exe
     %programfiles%\mailscan\trayico.exe

Country by Country ISA Computer Sets

 
Now, it's not my intent to start some geopolitical debate here, but I've long heard about how some people would block entire countries at the border in order to obviate issues with malicious traffic.  There are obviously some issues with this (both from a technical and potential customer standpoint) so I set out to do a bit of research on my own.  First thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint.  Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want.  So I set about finding a good resource for country-by-country IP ranges.  Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though).  But finding the resource was just the beginning...  The list I got included 234 countries, comprising almost 100,000 records of IP ranges.

Making a firewall rule to block China, for instance, would require entering in almost 600 IP ranges - so the "manual" route was clearly out.  The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first.  Enter ISA Server - as many of you know, I'm a big fan of ISA - it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method by which to create computer sets in ISA for each country.   Basically, I created a SQL database and loaded all the records into it - I then wrote a little COM app to reach out and grab the data by countries, create the sets in ISA, and loop through the different ranges of IP's to add them to the set.  It worked great.
  
This accomplished two things - one, I now have full detailed computer sets for each country to do with as I please.  Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA- this was key.  With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts.  The results were quite interesting.  While China still led with connection attempts overall, it was interesting to see that Canada was a close second.  However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc, almost all of Canada's traffic was MESSENGER spam (UDP 1026,1027,1208).  The world leader for HTTP was Brazil, strangely enough.  Now, all of this will change based on who and where you are, and the types of services being offered.  For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same time period.  I'll whip up some cool reports for what I found and post them once I get some more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country Computer Sets for ISA.

Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country.   Whether you can or can't block entire countries is your business, but at least this affords someone an easy way of doing research.  You may not be able (or even want) to block HTTP from China, but you very well may want to block SMTP - with ISA and computer sets, you can easily do this.  Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country.  While the validity of the practice of blocking entire countries (or particular protocols for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information - to be sure, you've always been able to do this obviously, it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use.  Since I've automated the Set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly.   I would like to thank NGSSoftware for purchasing the required business services to receive the updates - their donation makes it possible for me to give you updated sets for free.

A full list of all countries' ISA .xml for ISA 2006 is available here:

Secunia Research: Symantec Mail Security Applix Graphics Parsing Vulnerabilities

Verification........................................................10

====================================================================== 
1) Affected Software 

* Symantec Mail Security for SMTP 5.0.1 p187
* Symantec Mail Security for Exchange 5.0.7.373
* Symantec Mail Security for Domino 7.5.0.19

NOTE: Other versions may also be affected.


Secunia Research: MailEnable SMTP Service Two Denial of Service Vulnerabilities

====================================================================== 

                     Secunia Research 13/09/2010

  - MailEnable SMTP Service Two Denial of Service Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1

Secunia Research: Symantec Mail Security Folio Flat File Parsing Buffer Overflows

Verification........................................................10

====================================================================== 
1) Affected Software 

* Symantec Mail Security for SMTP 5.0.1 p187
* Symantec Mail Security for Exchange 5.0.7.373
* Symantec Mail Security for Domino 7.5.0.19

NOTE: Other versions may also be affected.


RE: Remote Desktop Command Fixation Attacks

why security in depth is required.  For example-- Back in January of
2003 (where has the time gone?) I published an article on Security Focus
discussing how to secure Exchange Server deployments.
(http://www.securityfocus.com/infocus/1654 if you want to check up on
me).  I would draw your attention to this excerpt in regard to using
ISA's SMTP application filter to inspect SMTP traffic: 

"Though we are filtering the command set through the ISA server, it is
the element of the unknown that concerns me: we just don't know what
vulnerabilities the future may present, and the possibility of a
compromised Exchange server is just too much of a risk."  

TSLSA-2007-0028 - multi

Package description:
  fetchmail
  Fetchmail is a remote mail retrieval and forwarding utility intended
  for use over on-demand TCP/IP links, like SLIP or PPP connections.
  Fetchmail supports every remote-mail protocol currently in use on the
  Internet (POP2, POP3, RPOP, APOP, KPOP, all IMAPs, ESMTP ETRN, IPv6,
  and IPSEC) for retrieval. Then Fetchmail forwards the mail through
  SMTP so you can read it through your favorite mail client.

  quagga
  Quagga is a free software that manages TCP/IP based routing protocol.

QK SMTP Server 3 - Denial of service

Apparently this SMTP server crashes when handling a malformed mail, causing a denial of service.

Proof-of-concept

HELO ../A/ * 950
MAIL FROM: ../A/ * 950
RCPT TO: ../A/ * 950
data
../A/ * 950
.

Novell GroupWise Internet Agent Remote Buffer Overflow Vulnerabilities

VUPEN Security discovered two critical vulnerabilities affecting Novell
GroupWise 8.x and 7.x.

The first issue is caused due to a buffer overflow error in the Novell
GroupWise Internet Agent (GWIA) when processing specially crafted 
email addresses via SMTP, which could be exploited by remote
unauthenticated attackers to execute arbitrary code with SYSTEM
privileges.

The second vulnerability is caused due to a buffer overflow error in
the Novell GroupWise Internet Agent (GWIA) when processing certain

[ MDKSA-2007:179 ] - Updated fetchmail packages fix DoS vulnerability

 
 Problem Description:
 
 A vulnerability in fetchmail was found where it could crash when
 attempting to deliver an internal warning or error message through an
 untrusted or compromised SMTP server, leading to a denial of service.
 
 Updated packages have been patched to prevent these issues.
 _______________________________________________________________________

 References:

FLEA-2007-0053-1 fetchmail

    https://issues.rpath.com/browse/RPL-1690

Description:
    Previous versions of the fetchmail package may crash when attempting
    to deliver an internal warning or error message through an untrusted
    or compromised SMTP server, leading to a possible Denial of Service.

- ---

Copyright 2007 Foresight Linux Project
Portions copyright 2007 rPath Inc.

Exploiting Google MX servers as Open SMTP Relays

Vulnerability Report:

As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send any number of forged email messages without restriction through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters.

Impact:

All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.


Trend Micro Data Loss Prevention 5.2 Data Leakage

* Archived/compressed files: Win ZIP, RAR, TAR, JAR, ARJ, 7Z, RPM, CPIO, 
GZIP,
BZIP2, Unix/Linux ZIP, LZH, etc.

Network/Applications Controlled
* Email: Microsoft Outlook, Lotus Notes and SMTP Email
* Web mail: MSN/Hotmail, Yahoo, GMail, AOL Mail, and more
* Instant Messaging: MSN, AIM, Yahoo, and more
* Network Protocols: FTP, HTTP/HTTPS and SMTP Endpoint Devices Controlled
* USB, CD/DVD, COM & LPT ports, removable disks, floppy, infrared and 
imaging

[ MDVSA-2011:090 ] postfix

 Problem Description:

 A vulnerability has been found and corrected in postfix:
 
 The SMTP server in Postfix before 2.5.13, 2.6.x before 2.6.10,
 2.7.x before 2.7.4, and 2.8.x before 2.8.3, when certain Cyrus SASL
 authentication methods are enabled, does not create a new server handle
 after client authentication fails, which allows remote attackers to
 cause a denial of service (heap memory corruption and daemon crash)
 or possibly execute arbitrary code via an invalid AUTH command

ZDI-11-049: IBM Lotus Domino SMTP Multiple Filename Arguments Remote Code Execution Vulnerability

ZDI-11-049: IBM Lotus Domino SMTP Multiple Filename Arguments Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-049

February 7, 2011 - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. To view mitigations for this vulnerability please see: http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ibm

-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

-- Affected Vendors:

[SVRT-04-08] Vulnerability in WireShark 1.0.4 for DoS Attack

1. General Information

In November 2008, the Security Vulnerability Research Team of Bkis (SVRT-Bkis)
detected a vulnerability in Wireshark 1.0.4 (latest version).

The flaw is in the function that processes the SMTP protocol and enables an
attacker to perform a DoS attack by sending an SMTP request with large content
to port 25. The application then enters a large loop and cannot do anything else.

We have contacted the vendor of Wireshark. They fixed this vulnerability for
Wireshark 1.0.5 but they haven't released the official version yet. Details

Addendum :[TZO-09-2009] Avast bypass / evasion (Limited details)

    * avast! 4 Server Edition(impact high, complete bypass)
    * avast! 4 Server Edition Plug-ins
    * avast! 4 Exchange Server Edition (impact high, complete bypass)
    * avast! 4 ISA Server Edition (impact high, complete bypass)
    * avast! 4 SharePoint Server Edition (impact high, complete bypass)
    * avast! 4 SMTP Server Edition (impact high, complete bypass)
    * avast! 4 Lotus Domino Edition (impact high, complete bypass)
    * avast! Distributed Network Manager (impact high, complete bypass)
    * avast! 4 Professional (impact unknown)
    * avast! 4 BART CD (impact unknown)
    * avast! for Linux/Unix Server (impact high, complete bypass)

Plesk 8.6.0 authentication flaw allows gaining virtual user privileges

Hello,

the reported vulnerability allows logins to mail and probably other
services protected by Plesk authentication modules on at least the
current Plesk 8.6.0 Unix/Linux and could e.g. be used for relaying spam
through gained SMTP auth privileges.
Only systems which allow short mail login names (SHORTNAMES=1) are
affected, which is not the default but is e.g. effective after migrating
from the Confixx control panel or by an administrator's manual choice.

My current advice is to disable short login names through the control panel

Re: Exploiting Google MX servers as Open SMTP Relays

On Wed, 7 May 2008 pablo.ximenes@upr.edu wrote:
>
> Vulnerability Report:
>
> As part of our recent work on the trust hierarchy that exists among email providers throughout the Internet, we have uncovered a serious security flaw in Google's free email service, Gmail. This vulnerability exposes Google's email servers in a way that allows an attacker to use them as open spam and phishing relays. This issue is related to the risk of a malicious user abusing Gmail's email forwarding functionality. This is possible because Gmail's email forwarding functionality does not impose proper security restrictions during its setup process and can be easily subverted. By exploiting this problem an attacker can send unlimited spam and phishing (i.e. forged) email messages that are delivered by Google's very own SMTP servers. Since the messages are delivered by Google's own servers, an attack based on this flaw is able to bypass all spam filters that are based on the blacklist / whitelist concept. We were able to confirm that this vulnerability is indeed exploitable by crafting a proof of concept attack that allowed us to send any number of forged email messages without restriction through Google's server infrastructure. We have also verified that this flaw allows attackers to bypass spam filters by using our method to send messages that are usually flagged as spam. While sending these messages directly from our network in the traditional way had the messages classified as spam, by sending the very same messages using our exploit, the messages were delivered directly to the victim's inbox, thus bypassing filters.
>
> Impact:
>
> All email providers that offer Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.