Nmap Development mailing list archives
Re: [NSE] Check for CVE-2011-1720 - Postfix SMTP Cyrus SASL memory corruption
From: Martin Holst Swende <martin () swende se>
Date: Sat, 14 May 2011 08:48:48 +0200
Hi,

Did a quick test against a server which appears not to be vulnerable. I have just one minor correction; in the usage field, you have written

  nmap --script smtp-check-vuln.nse [--script-args smtp.domain=<domain>] -pT:25,465,587 <host>

i.e. "smtp-check-vuln.nse", but the script name is "smtp-check-vulns.nse" (plural 's'). Very minor, but annoying when a user does copy-paste from the usage field. So, either change the script name or the docs.

Regards,
Martin Holst Swende

On 05/12/2011 07:33 PM, Djalal Harouni wrote:
> On 2011-05-12 18:26:01 +0100, Djalal Harouni wrote:
>> Hi list,
>>
>> Please find attached a script (smtp-check-vulns.nse) which currently only checks for the Postfix SMTP Cyrus SASL authentication memory corruption CVE-2011-1720 [1].
>>
>> The LOGIN mechanism seems also vulnerable, but as noted in the Postfix advisory [1], sending "AUTH PLAIN" after aborting the "AUTH LOGIN" request does not result in a memory corruption.
>>
>> I've only tested the CRAM-MD5 and NTLM mechanisms. The NTLM data structure will be corrupted and the Postfix smtpd will segfault after two tests using the DIGEST-MD5 mechanism. The checks for the other mechanisms are disabled; I don't have a config to test them.
>>
>> The script will segfault the smtpd child which runs with the 'postfix' user privileges. The script supports the submission protocol.
>>
>> You can add other checks, just put them in the 'AUTH_VULN' table. If I've enough time I'll try to check the sources and complete this table.
>
> Attached is just another clean version, removed the use of the 'comm' library, and corrected the script argument in the NSEdoc usage, sorry. (not enough time)
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
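A defender-side complement to the thread, added here as example code (not the smtp-check-vulns.nse script Djalal attached): it lists the SASL mechanisms a server advertises in its EHLO reply, so an administrator can see whether CRAM-MD5, DIGEST-MD5, NTLM or LOGIN are exposed on 25/587 while a fix is pending. It sends only EHLO and QUIT, never AUTH; the host name `audit.invalid` and the sample reply are constructed.

```python
"""Inventory the SASL mechanisms an SMTP server advertises via EHLO only
(no AUTH is sent). Example code for this thread, not the attached script."""
import re
import socket

# Mechanisms the thread names (CRAM-MD5, NTLM, DIGEST-MD5 tested; LOGIN noted).
MECHS_OF_INTEREST = {"CRAM-MD5", "NTLM", "DIGEST-MD5", "LOGIN"}

# Constructed EHLO reply in Postfix style; the 'AUTH=' line is the legacy
# form Postfix adds for old clients and must be parsed too.
SAMPLE_REPLY = """250-mail.example.test
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
250 DSN"""

def parse_ehlo_auth(reply):
    """Union of mechanisms from every '250-AUTH ...' / '250-AUTH=...' line."""
    mechs = set()
    for line in reply.splitlines():
        m = re.match(r"250[ -]AUTH[ =](.+)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def flag_mechanisms(mechs):
    """Sorted advertised mechanisms that fall in MECHS_OF_INTEREST."""
    return sorted(mechs & MECHS_OF_INTEREST)

def _read_reply(rfile):
    """Read one SMTP reply; the final line has a space after the 3-digit code."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            break
    return "\n".join(lines)

def fetch_ehlo(host, port=25, timeout=5.0):
    """Banner, EHLO, QUIT on a plaintext port (25/587); 465 needs TLS first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        _read_reply(rfile)                      # 220 greeting
        sock.sendall(b"EHLO audit.invalid\r\n")
        reply = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
    return reply
```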