[15696] in bugtraq
Out of order SMTP DATA commands incorrectly allow pass-through
daemon@ATHENA.MIT.EDU (Lincoln Yeoh)
Mon Jul 10 02:21:39 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.5.32.20000709051719.00832e20@192.228.128.13>
Date: Sun, 9 Jul 2000 05:17:19 +0800
Reply-To: Lincoln Yeoh <lyeoh@POP.JARING.MY>
From: Lincoln Yeoh <lyeoh@POP.JARING.MY>
To: BUGTRAQ@SECURITYFOCUS.COM
Hi people,
Issue: Out of order SMTP DATA commands incorrectly allow pass-through mode
in some firewall smtp filters/proxies.
I first found this sometime in 1996 (can't remember the exact date - long time
ago :) ), and notified the relevant firewall vendor. After about 4
generations it's still not fixed in some versions even today; they did try
to patch it a few times but were unsuccessful. I do not have access to the
latest versions to check. I recently noticed that another screen/firewall
seems to have a similar problem - I was trying to confirm an email address.
Not sure if other firewalls are vulnerable.
Basically if you wish to send arbitrary stuff to a mailserver protected by
a vulnerable firewall's smtp proxy, what you do is send a DATA command
followed by the stuff you want to send, all in the same tcp/ip packet,
immediately on connection (before you even get the 220 response).
e.g.
<begin packet>
DATA
VERB
EXPN postmaster
.
<end packet>
You may have to send consecutive DATA commands to get it to work, e.g.
<begin packet>
DATA
DATA
VERB
EXPN postmaster
.
<end packet>
Note: In some versions you require the end . to receive the response.
In a recent case I found, you're not required to put stuff all in the same
packet. All you need to do is issue a DATA command. There appears to be a
timeout, but just reissue DATA and you're back in pass-through mode.
Workaround: Make sure you are running a secure and reliable mail server, or
use a better smtp proxy.
Cheerio,
Link.
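The defect described in the post is a proxy that switches to pass-through on the DATA keyword alone, whatever the session state and however the bytes arrive. The following is an added illustration (not code from the post or from any vendor's product) of the check a filtering proxy needs: pass-through is a state reachable only through HELO/EHLO, MAIL, RCPT and DATA in order, every line of a segment is judged against the current state, and the same check applies whether the lines arrive one per packet, all in one packet, or before the 220 banner. Class and reply strings are hypothetical.

```python
from dataclasses import dataclass, field

# Envelope states a session must pass through, in order, before DATA is legal.
CONNECTED, GREETED, MAIL, RCPT, DATA = range(5)


@dataclass
class SmtpSequenceFilter:
    """Hypothetical proxy filter: pass-through is a state, never a keyword match."""
    state: int = CONNECTED
    forwarded: list = field(default_factory=list)  # lines actually relayed to the protected MTA
    replies: list = field(default_factory=list)    # what the client was told

    def feed(self, segment: bytes):
        """Handle one TCP segment line by line; a DATA command and its payload in the
        same packet (or before the banner) are still parsed as commands, not relayed."""
        for line in segment.decode("ascii", "replace").splitlines():
            reply = self.handle_line(line)
            if reply is not None:
                self.replies.append(reply)
        return self.replies

    def handle_line(self, line: str):
        if self.state == DATA:
            # Message body: relay verbatim until the terminating "." line.
            self.forwarded.append(line)
            if line == ".":
                self.state = GREETED  # envelope consumed; a fresh MAIL FROM is required
                return "250 OK: queued"
            return None
        verb = line.split()[0].upper() if line.split() else ""
        if verb in ("HELO", "EHLO"):
            self.state = GREETED
            return "250 proxy.example.test"
        if verb == "MAIL" and self.state == GREETED:
            self.state = MAIL
            return "250 OK"
        if verb == "RCPT" and self.state in (MAIL, RCPT):
            self.state = RCPT
            return "250 OK"
        if verb == "DATA" and self.state == RCPT:
            self.state = DATA  # a real proxy would also wait for the MTA's own 354 here
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "RSET":
            self.state = CONNECTED if self.state == CONNECTED else GREETED
            return "250 OK"
        if verb in ("MAIL", "RCPT", "DATA"):
            return "503 Bad sequence of commands"  # out of order, including repeated DATA
        return "502 Command not implemented"  # VERB, EXPN, VRFY, junk: never forwarded
```

Feeding the post's single-packet `DATA` / `VERB` / `EXPN postmaster` / `.` sequence to a fresh filter yields a 503 followed by 502s and an empty `forwarded` list, while a properly sequenced session relays the body only after the 354.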