RE: Cisco PIX Firewall MailGuard Vulnerability

[Jerome Tytgat <j.tytgat () energis fr>]

rather outdated... 10-5-2000...

All recents - "less than one year" - binary
are ok (>4.4.7, 5.1.4, 5.2.3, 5.3.1, 6.0.1).

in fact the order of commands was not checked
(you could send a DATA before a RCPT TO).

And after sending a DATA command, command was not
checked anymore.

Simply send a DATA just after a HELO is refused by
the mail server with a 500 error but the pix saws 
the DATA command and is not checking anymore commands.

So the mailserver was vulnerable against attack if it has
bug (such as overflow).

The SMTP fixup is here to prevent use of some functions
like EXPN, VRFY.

_______________________________________________________________
ENERGIS
Jerome Tytgat
Network and Security Administrator
mailto:j.tytgat () energis fr        http://www.energis.fr
tel : (33) 03 88 78 77 77       2, rue paul Rohmer
fax : (33) 03 88 78 80 00       F-67087 Strasbourg Cedex 2
_______________________________________________________________

 






> -----Message d'origine-----
> De : Fabio Pietrosanti (naif) [mailto:naif () sikurezza org]
> Envoye : mardi 25 septembre 2001 12:06
> A : vuln-dev () securityfocus com
> Objet : Cisco PIX Firewall MailGuard Vulnerability
>
>
> Hi,
>
> i have received the advisory from cisco about the vulnerability 
> in the subject
> described here:
> http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml
>
> I discovered the old mailguard vulnerability, and i would like to know if
> someone could explain in details about this new kind of attack 
> against SMTP
> filter .
>
> Regards
>
> -- 
>
> Fabio Pietrosanti ( naif )
> E-mail: naif () sikurezza org - naif () blackhats it
> PGP Key (DSS) http://naif.itapac.net/naif.asc
> --
> Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
> Free Flame: IPFilter sucks !