Bugtraq mailing list archives

Re: NTmail exploit


From: John Stanners <john.stanners () GORDANO COM>
Date: Mon, 18 Sep 2000 18:34:15 +0100

I saw someone report an exploit for NTmail version 3 and just wanted to post
that it's possible to use this against NTmail version 5e and 5g as well.

Basically the exploit is this, NTmail has a "local mail only" feature where
either the from or to address must be a locally hosted address. This feature
is totally broken in that if you use

mail from; <-note semi-colon instead of colon

NTmail will pass the mail with a non-local TO address and in doing so
totally hoses up the from address.

What this means is that every NTmail server on the net that is not limited
by an IP address range is a wide open relay.

Cure: Open the web configuration interface, go to "incoming" then to the
"redirect" tab and add a new rule. In the "mail clause" field type in
"from;*" without the quotes and then set it to either refuse or redirect the
mail as you like.

I tried to post this to the NTmail support list but it is a moderated list
and Gordano refuses to allow the message to pass in order to warn all NTmail
admins. So I'm posting this to the security lists in order to get
notification of the exploit and at least one possible fix out to as many
people as possible. I'm still talking to Gordano but at this time it doesn't
look like they are going to fix this.

Geo.

I would just like to point out that Geo is running NTMail in a non-standard
configuration, he has specifically set it up so that all that is required
to allow relay through his server is that either one of the MAIL or RCPT
clauses is local and as he was passing in a local address (no domain part)
the mail was allowed to relay.

By default, NTMail comes with relay disabled, only those users from within
a defined Local IP range are allowed to relay external mail through the
server.

To cater for those users that are outside of this Local IP range NTMail
also supports Authenticated SMTP and POP-before-SMTP.

Yours
John Stanners

-----------------------------------------------------------------
Gordano Ltd                               Tel UK: +44 1275 340151
PO Box 79, Clevedon, UK, BS21 7EF         Fax UK: +44 1275 340056
All quotes valid for 28 days.            Tel USA: +1 900 226 4632
URL:  http://www.ntmail.co.uk          EMail: support () gordano com
-----------------------------------------------------------------
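
The relay decision discussed in this thread, sketched as an added example (not code from either poster or from Gordano): the MAIL command is parsed strictly so a `from;` line is refused as a syntax error, and relaying depends only on client IP range or authentication, never on the client-supplied sender address. The domain, network range, function names and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed values for illustration only (not from the original post).
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# RFC 5321 form: "MAIL FROM:<reverse-path>"; the colon is mandatory,
# so "MAIL FROM;<...>" never reaches the relay logic.
MAIL_RE = re.compile(r"^MAIL FROM:<([^<>\s]*)>(?: .*)?$", re.IGNORECASE)
RCPT_RE = re.compile(r"^RCPT TO:<([^<>\s]+)>(?: .*)?$", re.IGNORECASE)


def is_local(addr):
    """Local only if the address has an explicit, locally hosted domain.

    An address with no domain part is NOT treated as local.
    """
    local_part, sep, domain = addr.rpartition("@")
    return bool(sep and local_part) and domain.lower() in LOCAL_DOMAINS


def may_relay(client_ip, authenticated):
    """Relay only for authenticated sessions or clients in the local range."""
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in LOCAL_NETS)


def check_envelope(mail_line, rcpt_line, client_ip, authenticated=False):
    """Return the SMTP reply for one MAIL/RCPT pair."""
    if MAIL_RE.match(mail_line.strip()) is None:
        return "501 Syntax error in MAIL command"
    rcpt = RCPT_RE.match(rcpt_line.strip())
    if rcpt is None:
        return "501 Syntax error in RCPT command"
    if is_local(rcpt.group(1)):
        return "250 OK"  # inbound delivery to a hosted mailbox
    # The sender address is deliberately ignored here: it is client-supplied.
    if may_relay(client_ip, authenticated):
        return "250 OK"
    return "550 Relaying denied"


if __name__ == "__main__":
    # Constructed sample session lines, external client address.
    print(check_envelope("mail from;<someone>",
                         "RCPT TO:<user@elsewhere.test>", "203.0.113.9"))
```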