Bugtraq mailing list archives
Out of order SMTP DATA commands incorrectly allow pass-through mode in some firewall smtp filters/proxies
From: lyeoh () POP JARING MY (Lincoln Yeoh)
Date: Sun, 9 Jul 2000 05:17:19 +0800
Hi people,

Issue: Out of order SMTP DATA commands incorrectly allow pass-through mode in some firewall smtp filters/proxies.

I first found this sometime in 1996 (can't remember exact date - long time ago :) ), and notified the relevant firewall vendor. After about 4 generations it's still not fixed in some versions even today; they did try to patch it a few times but were unsuccessful. I do not have access to the latest versions to check.

I recently noticed that another screen/firewall seems to have a similar problem - was trying to confirm an email address.

Not sure if other firewalls are vulnerable.

Basically if you wish to send arbitrary stuff to a mailserver protected by a vulnerable firewall's smtp proxy, what you do is send a DATA command followed by the stuff you want to send, all in the same tcp/ip packet, immediately on connection (before you even get the 220 response).

e.g.

    <begin packet>
    DATA
    VERB
    EXPN postmaster
    .
    <end packet>

You may have to send consecutive DATA commands to get it to work, e.g.

    <begin packet>
    DATA
    DATA
    VERB
    EXPN postmaster
    .
    <end packet>

Note: In some versions you require the end . to receive the response.

In a recent case I found, you're not required to put stuff all in the same packet. All you need to do is issue a DATA command. There appears to be a timeout but just reissue the DATA again and you're back to pass-through mode.

Workaround: Make sure you are running a secure and reliable mail server, or use a better smtp proxy.

Cheerio,
Link.
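Added example (not part of the original post and not any vendor's code): a minimal per-connection command-sequence check for a filtering SMTP proxy, showing the behaviour the post says is missing. Pass-through mode opens only after the real server answers an in-order DATA with 354, and input sent before the 220 greeting is dropped. The class name, state names, command allowlist and reply strings are assumptions made for illustration.

```python
# Hypothetical filter logic; lines are assumed to arrive with CRLF already stripped.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
NEXT = {  # (verb, current state) -> new state; any other ordering gets 503
    ("MAIL", "HELO"): "MAIL", ("RCPT", "MAIL"): "RCPT",
    ("RCPT", "RCPT"): "RCPT", ("DATA", "RCPT"): "WAIT354",
}

class SmtpSequenceFilter:
    """Per-connection state for a filtering SMTP proxy (illustrative design)."""
    def __init__(self):
        self.greeted = False  # True once the server's 220 banner was relayed
        self.state = "INIT"   # INIT -> HELO -> MAIL -> RCPT -> WAIT354 -> BODY

    def server_reply(self, code):
        if code == 220 and not self.greeted:
            self.greeted = True
        elif self.state == "WAIT354":
            # Only the real server's 354 opens pass-through; anything else cancels it.
            self.state = "BODY" if code == 354 else "HELO"

    def client_line(self, line):
        """Return (action, reply); action is 'forward', 'reject' or 'drop'."""
        if not self.greeted:
            return ("drop", "554 5.5.1 input before greeting")
        if self.state == "BODY":
            if line == ".":
                self.state = "HELO"  # end of message, back to command filtering
            return ("forward", None)
        if self.state == "WAIT354":
            return ("reject", "503 5.5.1 wait for 354 before sending data")
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED:
            return ("reject", "502 5.5.1 command not permitted")
        if verb in ("HELO", "EHLO"):
            self.state = "HELO"
        elif verb == "RSET" and self.state != "INIT":
            self.state = "HELO"
        elif verb in ("MAIL", "RCPT", "DATA"):
            new = NEXT.get((verb, self.state))
            if new is None:
                return ("reject", "503 5.5.1 bad sequence of commands")
            self.state = new
        return ("forward", None)

def replay(lines, greeted=True):
    """Feed constructed client lines to a fresh filter; return the actions taken."""
    f = SmtpSequenceFilter()
    if greeted:
        f.server_reply(220)
    return [f.client_line(l)[0] for l in lines]
```

Because a DATA command on its own never changes the state to BODY, reissuing it after a timeout gains nothing; each attempt is answered with 503.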