Full Disclosure mailing list archives
Gordano Mail Server exploit (NTmail)
From: "Geoincidents" <geoincidents () getinfo org>
Date: Sun, 1 Dec 2002 11:12:12 -0500
There is an exploit for NTmail also known as GMS where it is possible to pass a mail containing content that you have chosen to block to the users on the system. From my testing it appears to affect versions 5, 6, and 7 of NTmail and GMS version 8 both with and without the recent base64 patch. (a patch that was released only after that other exploit was made public on the security lists) Example: You have setup an rwords filter to block webbugs, I'll assume you know what webbug code looks like, and when an email is set to a GMS server with this code in it the email is accepted, then scanned, then bounced back to the sender with a bounced message. By making both the TO and FROM address the address of your target you can bypass these filters and the restricted content will be delivered as a bounced email to the target address and appear to be an email the target sent out so users are likely to open it to see which of their emails bounced. Upon opening it the webbug will expose them. Spammers also can use this technique to deliver their spams, making the filters on GMS useless for blocking spams. In my opinion, if the mail triggers the filters it should never, under any circumstances, be delivered to the users of the system. To date, Gordano has refused to even acknowledge that this is a problem. I am hoping that posting this issue to the security lists will at least alert admins of GMS and NTmail to the problem. Geo. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Gordano Mail Server exploit (NTmail) Geoincidents (Dec 01)