Bugtraq mailing list archives

Out of order SMTP DATA commands incorrectly allow pass-through mode in some firewall smtp filters/proxies


From: lyeoh () POP JARING MY (Lincoln Yeoh)
Date: Sun, 9 Jul 2000 05:17:19 +0800


Hi people,

Issue: Out of order SMTP DATA commands incorrectly allow pass-through mode
in some firewall smtp filters/proxies.

I first found this sometime in 1996 (can't remember the exact date - long time
ago :) ), and notified the relevant firewall vendor. After about 4
generations it's still not fixed in some versions even today; they did try
to patch it a few times but were unsuccessful. I do not have access to the
latest versions to check. I recently noticed that another screen/firewall
seems to have a similar problem - I was trying to confirm an email address.
Not sure if other firewalls are vulnerable.

Basically if you wish to send arbitrary stuff to a mailserver protected by
a vulnerable firewall's smtp proxy, what you do is send a DATA command
followed by the stuff you want to send, all in the same tcp/ip packet,
immediately on connection (before you even get the 220 response).
e.g.
<begin packet>
DATA
VERB
EXPN postmaster
.
<end packet>

You may have to send consecutive DATA commands to get it to work
e.g.
<begin packet>
DATA
DATA
VERB
EXPN postmaster
.
<end packet>

Note: In some versions you require the end . to receive the response.

In a recent case I found, you're not required to put stuff all in the same
packet. All you need to do is issue a DATA command. There appears to be a
timeout but just reissue the DATA again and you're back to pass-through mode.

Workaround: Make sure you are running a secure and reliable mail server, or
use a better smtp proxy.

Cheerio,

Link.

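The exchange the post describes, as an added example that is not code from the post or from any firewall vendor: a small state-machine model of an SMTP command filter that flips into pass-through on any DATA (the flaw), next to one that only does so after MAIL and RCPT have been seen and the mail server itself has answered 354. The fake mail server, its reply strings, the blocked/allowed verb sets and the address it "leaks" on EXPN are all constructed for the demonstration.

```python
"""Model of the out-of-order DATA bypass, beside a filter that gets the state machine right.

Added example, not the post's or any vendor's code. The backend, its replies and the
leaked address are constructed; the verb policies are assumptions.
"""
from dataclasses import dataclass, field

# The probe from the post: DATA, the commands to smuggle, then the terminating ".",
# intended to go out in one segment before the 220 banner is even read.
PROBE = b"DATA\r\nVERB\r\nEXPN postmaster\r\n.\r\n"

BLOCKED = {"EXPN", "VRFY", "VERB", "DEBUG"}   # assumed: verbs the proxy must never forward
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed allowlist


def verb_of(line: str) -> str:
    return line.split(" ", 1)[0].upper()


class FakeMailServer:
    """Minimal stateful backend (constructed): shows what smuggled commands get back."""

    def __init__(self) -> None:
        self.rcpt_seen = False
        self.in_data = False

    def handle(self, line: str) -> str:
        if self.in_data:                          # message body: no reply until the lone "."
            if line != ".":
                return ""
            self.in_data = False
            return "250 message accepted"
        verb = verb_of(line)
        if verb == "DATA":
            if not self.rcpt_seen:
                return "503 need RCPT TO first"   # server stays in command mode
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>"
        if verb == "RCPT":
            self.rcpt_seen = True
            return "250 recipient ok"
        if verb == "VERB":
            return "250 verbose mode on"
        if verb == "EXPN":
            return "250 <postmaster@mail.example.internal>"   # constructed leak
        if verb in ("HELO", "EHLO", "MAIL", "NOOP", "RSET", "QUIT"):
            return "250 ok"
        return "500 command unrecognized"


@dataclass
class VulnerableFilter:
    """Enters pass-through on any DATA, whatever the session state: the flaw in the post."""
    server: FakeMailServer
    passthrough: bool = False
    forwarded: list = field(default_factory=list)

    def feed(self, line: str) -> str:
        if self.passthrough:
            self.forwarded.append(line)           # "body" lines reach the server unfiltered
            if line == ".":
                self.passthrough = False
            return self.server.handle(line)
        verb = verb_of(line)
        if verb in BLOCKED:
            return "502 command not implemented"
        if verb == "DATA":
            self.passthrough = True               # BUG: not tied to MAIL/RCPT, nor to a 354 from the server
        self.forwarded.append(line)
        return self.server.handle(line)


@dataclass
class HardenedFilter:
    """Pass-through only after MAIL and RCPT, and only once the server itself answered 354."""
    server: FakeMailServer
    mail_seen: bool = False
    rcpt_seen: bool = False
    passthrough: bool = False
    forwarded: list = field(default_factory=list)

    def feed(self, line: str) -> str:
        if self.passthrough:
            self.forwarded.append(line)
            reply = self.server.handle(line)
            if line == ".":
                self.passthrough = self.mail_seen = self.rcpt_seen = False
            return reply
        verb = verb_of(line)
        if verb in BLOCKED:
            return "502 command not implemented"
        if verb not in ALLOWED:                   # a stray "." or anything unknown, answered locally
            return "500 command unrecognized"
        if verb == "DATA" and not (self.mail_seen and self.rcpt_seen):
            return "503 bad sequence of commands"  # never forwarded, so no pass-through
        self.forwarded.append(line)
        reply = self.server.handle(line)
        if verb == "MAIL":
            self.mail_seen = True
        elif verb == "RCPT":
            self.rcpt_seen = True
        elif verb == "DATA" and reply.startswith("354"):
            self.passthrough = True               # the server's reply drives the state change
        return reply


def probe_lines():
    return [line for line in PROBE.decode().split("\r\n") if line]


def run_lines(filter_cls, lines):
    """Push lines through a fresh filter+server pair; return (replies, lines that reached the server)."""
    flt = filter_cls(FakeMailServer())
    return [flt.feed(line) for line in lines], flt.forwarded


if __name__ == "__main__":
    for cls in (VulnerableFilter, HardenedFilter):
        print(cls.__name__, run_lines(cls, probe_lines()))
```

Through the vulnerable filter every line of the probe reaches the backend; the server, never having left command mode, answers the smuggled EXPN with an address. The hardened filter answers the premature DATA with 503 itself, so nothing after it is ever treated as body, and a normal MAIL/RCPT/DATA/354 session still passes through as before.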