File: smtp_bypass_cisco.nasl

#
# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
#
# See the Nessus Scripts License for details
#

if(description)
{
 script_id(10520);

 # Plugin metadata. One scalar per language instead of the name[]/desc[]
 # associative arrays; every reported text is kept verbatim.
 name_en = "PIX's smtp content filtering";
 name_fr = "filtre de contenu smtp PIX";
 script_name(english:name_en, francais:name_fr);

 desc_en = "
The remote SMTP server seems to be
protected by a content filtering firewall
probably Cisco's PIX.

However, a cracker may bypass this content filtering
by issuing a DATA command before a MAIL command,
that allow him to directly communicate with the real SMTP daemon.

Solution : http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml
Risk factor : Medium";

 # NOTE(review): the French text appears to have lost its accented
 # characters (e.g. "protg"); it is reproduced byte-identical here.
 desc_fr = "
Le serveur SMTP distant semble protg par un firewall  filtre
de contenu, sans doute PIX de Cisco.

Un pirate peut outrepasser ce module de filtre en envoyant une
commande DATA avant une commande MAIL, ce qui lui permet
de dialoguer directement avec le serveur SMTP protg.

Solution : http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml
Facteur de risque : Moyen";
 script_description(english:desc_en, francais:desc_fr);

 summary_en = "attempts to communicate directly with the remote SMTP server";
 summary_fr = "tente de communiquer directement avec le serveur SMTP
 distant.";
 script_summary(english:summary_en, francais:summary_fr);

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2000 Renaud Deraison",
                  francais:"Ce script est Copyright (C) 2000 Renaud Deraison");
 script_family(english:"Firewalls", francais:"Firewalls");

 # Scheduling: run after the service finder and sendmail_expn.nasl, skip
 # hosts where the "Sendmail/fake" KB key is set (presumably written by that
 # dependency), and only probe the SMTP port (25 when not discovered).
 script_dependencie("find_service.nes", "sendmail_expn.nasl");
 script_exclude_keys("Sendmail/fake");
 script_require_ports("Services/smtp", 25);
 exit(0);
}

#
# The script code starts here
#

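# Bail out early on hosts where the "Sendmail/fake" KB key is set (the
# description section also excludes them; this is a belt-and-braces check).
fake = get_kb_item("Sendmail/fake");
if(fake)exit(0);

port = get_kb_item("Services/smtp");
if(!port)port = 25;
if(!get_port_state(port))exit(0);

soc = open_sock_tcp(port);
if(!soc)exit(0);

# Only talk to something that greets us with an SMTP 220 banner.
data = recv(socket:soc, length:1024);
if(ereg(string:data, pattern:"^220.*"))
{
  # A 500 reply to HELP is what makes us suspect a content-filtering proxy
  # (per the description, probably a PIX) sits in front of the real daemon.
  send(socket:soc, data:string("HELP\r\n"));
  r = recv(socket:soc, length:1024);
  if(ereg(string:r, pattern:"^500.*"))
  {
    # Issue DATA before MAIL and drain whatever the server answers.
    send(socket:soc, data:string("DATA\r\n"));
    r = recv(socket:soc, length:1024);
    # Re-issue HELP. The original code built this command but never sent
    # it, so the recv_line below could never observe a HELP reply and the
    # check was dead. A 214 ("help message") to a command the filter had
    # just rejected means the real daemon is now answering directly.
    send(socket:soc, data:string("HELP\r\n"));
    r = recv_line(socket:soc, length:1024);
    if(ereg(string:r, pattern:"^214.*"))security_hole(port);
  }
}
close(soc);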