* [mdk-re] Nessus results
From: Artem Pastuchov @ 2001-06-22 12:21 UTC (permalink / raw)
To: mandrake-russian
Good day.
I ran the tool named in the subject over a freshly installed Spring,
and it really did not like postfix:
Vulnerability found on port smtp (25/tcp)
The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: |testing
This probably means that it is possible to send mail directly
to programs, which is a serious threat, since this allows
anyone to execute arbitrary command on this host.
NOTE : ** This security hole might be a false positive, since
some MTAs will not complain to this test, and instead will
just drop the message silently **
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CAN-1999-0163
Vulnerability found on port smtp (25/tcp)
The remote SMTP server did not complain when issued the
command :
MAIL FROM: |testing
This probably means that it is possible to send mail
that will be bounced to a program, which is
a serious threat, since this allows anyone to execute
arbitrary command on this host.
NOTE : ** This security hole might be a false positive, since
some MTAs will not complain to this test, but instead
just drop the message silently **
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CAN-1999-0203
Vulnerability found on port smtp (25/tcp)
The remote SMTP server did not complain when issued the
command :
MAIL FROM: root@this_host
RCPT TO: /tmp/nessus_test
This probably means that it is possible to send mail directly
to files, which is a serious threat, since this allows
anyone to overwrite any file on the remote server.
NOTE : ** This security hole might be a false positive, since
some MTAs will not complain to this test and will
just drop the message silently. Check for the presence
of file 'nessus_test' in /tmp ! **
Solution : upgrade your MTA or change it.
Risk factor : High
CVE : CVE-1999-0096
Warning found on port smtp (25/tcp)
The remote STMP server seems to allow remote users to
send mail anonymously by providing a too long argument
to the HELO command (more than 1024 chars).
This problem may allow bad guys to send hate
mail, or threatening mail using your server
and keep their anonymity.
Risk factor : Low.
Solution : If you are using sendmail, upgrade to
version 8.9.x. If you do not run sendmail, contact
your vendor.
CVE : CAN-1999-0098
How dangerous is this?
P.S.
In today's bugtraq a bug was found:
fetchmail buffer overflow
* Re: [mdk-re] Nessus results
From: Dmitry V. Levin @ 2001-06-22 13:19 UTC (permalink / raw)
To: ALT Linux Spring mailing list
Greetings!
On Fri, Jun 22, 2001 at 12:29:24PM +0400, Artem Pastuchov wrote:
> I ran the tool named in the subject over a freshly installed Spring,
> and it really did not like postfix:
<skip>
> The remote SMTP server did not complain when issued the
> command :
> MAIL FROM: root@this_host
> RCPT TO: |testing
>
> This probably means that it is possible to send mail directly
> to programs, which is a serious threat, since this allows
> anyone to execute arbitrary command on this host.
>
> NOTE : ** This security hole might be a false positive, since
> some MTAs will not complain to this test, and instead will
> just drop the message silently **
date server postfix/local[pid]: id: to=<|testing@server>, relay=local, delay=1, status=bounced (unknown user: "|testing")
> The remote SMTP server did not complain when issued the
> command :
> MAIL FROM: |testing
>
> This probably means that it is possible to send mail
> that will be bounced to a program, which is
> a serious threat, since this allows anyone to execute
> arbitrary command on this host.
>
> NOTE : ** This security hole might be a false positive, since
> some MTAs will not complain to this test, but instead
> just drop the message silently **
See the previous log.
> The remote SMTP server did not complain when issued the
> command :
> MAIL FROM: root@this_host
> RCPT TO: /tmp/nessus_test
>
> This probably means that it is possible to send mail directly
> to files, which is a serious threat, since this allows
> anyone to overwrite any file on the remote server.
>
> NOTE : ** This security hole might be a false positive, since
> some MTAs will not complain to this test and will
> just drop the message silently. Check for the presence
> of file 'nessus_test' in /tmp ! **
date server postfix/local[pid]: id: to=</tmp/nessus_test@server>, relay=local, delay=1, status=bounced (unknown user: "/tmp/nessus_test")
> The remote STMP server seems to allow remote users to
> send mail anonymously by providing a too long argument
> to the HELO command (more than 1024 chars).
>
> This problem may allow bad guys to send hate
> mail, or threatening mail using your server
> and keep their anonymity.
> How dangerous is this?
Resume: Inability to use security scanners.
Risk factor : High.
Solution : Study, study, study, ... :)
> P.S.
>
> In today's bugtraq a bug was found:
> fetchmail buffer overflow
The latest BUGTRAQ posts about fetchmail concerned fairly old
versions, older than the one that went into Spring. However, over the
last 10 days 3 versions of fetchmail have already been released, fixing
various buffer overruns. I am afraid that this is not the end of the
story. :(
So be careful when using fetchmail.
Never run it as root.
As soon as the situation settles down, there will be an update in updates.
Regards,
Dmitry
+-------------------------------------------------------------------------+
Dmitry V. Levin mailto://ldv@alt-linux.org
ALT Linux Team http://www.altlinux.ru/
Fandra Project http://www.fandra.org/
+-------------------------------------------------------------------------+
UNIX is user friendly. It's just very selective about who its friends are.
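The check Dmitry's reply performs by hand, as an added example that is not part of the original thread: a Python sketch that reads Postfix local(8) delivery records and reports whether scanner-style recipients (`|program` or `/path`) were bounced or actually delivered. The log lines are constructed in the format quoted in the reply; the host name, PIDs and queue IDs are invented.

```python
import re

# Matches Postfix local(8) delivery records such as the two quoted in the reply.
LOG_RE = re.compile(
    r"postfix/local\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
    r".*?status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)

def is_probe_recipient(rcpt):
    """True for the recipient shapes the scanner sent: '|program' or '/path'."""
    local_part = rcpt.rsplit("@", 1)[0]
    return local_part.startswith(("|", "/"))

def triage(lines):
    """Return (qid, recipient, verdict) for each probe-shaped local delivery."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not is_probe_recipient(m["rcpt"]):
            continue
        if m["status"] == "bounced":
            # The MTA treated the string as a user name and refused it.
            verdict = "false positive: rejected at delivery (%s)" % m["reason"]
        elif m["status"] == "sent":
            # A pipe or file recipient was really delivered: look closer.
            verdict = "INVESTIGATE: delivered (%s)" % m["reason"]
        else:
            verdict = "undecided: status=%s" % m["status"]
        findings.append((m["qid"], m["rcpt"], verdict))
    return findings

# Constructed sample log; host name, PIDs and queue IDs are invented.
SAMPLE_LOG = """\
Jun 22 13:05:01 server postfix/local[4211]: 3A1B2C4D5E: to=<|testing@server>, relay=local, delay=1, status=bounced (unknown user: "|testing")
Jun 22 13:05:09 server postfix/local[4213]: 3A1B2C4D60: to=</tmp/nessus_test@server>, relay=local, delay=1, status=bounced (unknown user: "/tmp/nessus_test")
Jun 22 13:06:40 server postfix/local[4220]: 3A1B2C4D77: to=<artem@server>, relay=local, delay=0, status=sent (mailbox)
""".splitlines()

if __name__ == "__main__":
    for qid, rcpt, verdict in triage(SAMPLE_LOG):
        print(qid, rcpt, verdict)
```
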
* Re: [mdk-re] Nessus results
From: Artem K. Jouravsky @ 2001-06-22 15:38 UTC (permalink / raw)
To: mandrake-russian
Hello, "Dmitry V. Levin" <ldv@alt-linux.org>!
On Fri, 22 Jun 2001 13:31:46 +0400 you wrote on the subject Re: [mdk-re] Nessus results:
<skipped>
DL> The latest BUGTRAQ posts about fetchmail concerned fairly old
DL> versions, older than the one that went into Spring. However, over the
DL> last 10 days 3 versions of fetchmail have already been released, fixing
DL> various buffer overruns. I am afraid that this is not the end of the
DL> story. :(
DL> So be careful when using fetchmail.
DL> Never run it as root.
DL> As soon as the situation settles down, there will be an update in updates.
Was there anything about this on the security list or not? I can't figure out
whether I never actually got subscribed to it or whether it is just that quiet...
------
Best wishes,
+----------------------+--------------------------+
| ."-. | Work: +7-(095)-229-4278 |
| /X | _o.----. _ | ICQ: 103399444 |
|/\_ \/ / __ \_// ) | Artem K. Jouravsky |
|\__)-/_/\_____)____/ | http://www.ifirst.ru/ |
+----------------------+--------------------------+