Re: Cisco PIX Firewall MailGuard Vulnerability

["Fabio Pietrosanti (naif)" <naif () inet it>]

Hi Jerome,

this vulnerability was posted on bugtraq several month by me, and i worked
with cisco trying their fixed version and they released the new release of pix .

Now Cisco talk about another way to bypass SMTP content filtering, that's not
the way i disocovered many month ago, i suppose.

The new advisory it's dated 2001 September 26, look @ Bugtraq the official
e-mail from cisco, because on the website this is not updated .

Regards

On Tue, Sep 25, 2001 at 02:42:01PM +0200, Jerome Tytgat wrote:
> rather outdated... 10-5-2000...
>
> All recents - "less than one year" - binary
> are ok (>4.4.7, 5.1.4, 5.2.3, 5.3.1, 6.0.1).
>
> in fact the order of commands was not checked
> (you could send a DATA before a RCPT TO).
>
> And after sending a DATA command, command was not
> checked anymore.
>
> Simply send a DATA just after a HELO is refused by
> the mail server with a 500 error but the pix saws 
> the DATA command and is not checking anymore commands.
>
> So the mailserver was vulnerable against attack if it has
> bug (such as overflow).
>
> The SMTP fixup is here to prevent use of some functions
> like EXPN, VRFY.
>
> _______________________________________________________________
> ENERGIS
> Jerome Tytgat
> Network and Security Administrator
> mailto:j.tytgat () energis fr        http://www.energis.fr
> tel : (33) 03 88 78 77 77       2, rue paul Rohmer
> fax : (33) 03 88 78 80 00       F-67087 Strasbourg Cedex 2
> _______________________________________________________________
>
>  
>
>
>
>
>
>
> > -----Message d'origine-----
> > De : Fabio Pietrosanti (naif) [mailto:naif () sikurezza org]
> > Envoye : mardi 25 septembre 2001 12:06
> > A : vuln-dev () securityfocus com
> > Objet : Cisco PIX Firewall MailGuard Vulnerability
> >
> >
> > Hi,
> >
> > i have received the advisory from cisco about the vulnerability 
> > in the subject
> > described here:
> > http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml
> >
> > I discovered the old mailguard vulnerability, and i would like to know if
> > someone could explain in details about this new kind of attack 
> > against SMTP
> > filter .
> >
> > Regards
> >
> > -- 
> >
> > Fabio Pietrosanti ( naif )
> > E-mail: naif () sikurezza org - naif () blackhats it
> > PGP Key (DSS) http://naif.itapac.net/naif.asc
> > --
> > Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
> > Free Flame: IPFilter sucks ! 

-- 

Fabio Pietrosanti ( naif )
E-mail: naif () sikurezza org - naif () blackhats it
PGP Key (DSS) http://naif.itapac.net/naif.asc
--
Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
Free Flame: IPFilter sucks !