File: smtp_program.nasl

#
# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
#
# See the Nessus Scripts License for details
#

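#
# Plugin registration. When the scanner loads plugins it sets
# 'description' and only runs this block: it records the metadata for
# the check and exits before any network code below is reached.
#
if(description)
{
 script_id(10261);
 script_cve_id("CAN-1999-0163");
 name["english"] = "Sendmail mailing to programs";
 name["francais"] = "Sendmail envoye des mails aux programmes";
 script_name(english:name["english"],
 	     francais:name["francais"]);
 
 # Report text shown when the check fires. "this_host" stands for the
 # scanned host's own name, which the probe below fills in at run time.
 # The probe only looks at the reply to RCPT TO; it never sends DATA,
 # so no message is handed to the MTA for delivery.
 desc["english"] = "

The remote SMTP server did not complain when issued the
command :
	MAIL FROM: root@this_host
	RCPT TO: |testing
	
This probably means that it is possible to send mail directly
to programs, which is a serious threat, since this allows
anyone to execute arbitrary commands on this host.

NOTE : ** This security hole might be a false positive, since
   some MTAs will not complain to this test, and instead will
   just drop the message silently **
   
Solution : upgrade your MTA or change it.

Risk factor : High";


 desc["francais"] = "

Le serveur SMTP distant n'a pas refus la
suite de commandes suivante :
	MAIL FROM: root@this_host
	RCPT TO: |testing
	
Cela signifie probablement qu'il est possible
d'envoyer du courrier directement aux programmes,
ce qui est un problme de scurit puisque
cela permet  n'importe qui d'executer des
commandes arbitraires sur cette machine.


NOTE : ** Ce problme de scurit peut etre
une fausse alerte, puisque certains MTA 
ne refusent pas ces commandes mais ignorent
le message envoy **

Solution : mettez  jour votre MTA ou changez-le.

Facteur de risque : Elev";

 script_description(english:desc["english"],
 	 	    francais:desc["francais"]);
		    
 
 summary["english"] = "Checks if the remote mail server can be used to gain a shell"; 
 summary["francais"] = "Vrifie si le serveur de mail distant peut etre utilis obtenir un shell";
 script_summary(english:summary["english"],
 		 francais:summary["francais"]);
 
 # ACT_GATHER_INFO: the check is non-destructive - it only talks SMTP
 # and inspects a reply code.
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison",
 		  francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
 
 family["english"] = "SMTP problems";
 family["francais"] = "Problmes SMTP";
 script_family(english:family["english"], francais:family["francais"]);
 # Run after service detection so Services/smtp is populated, and skip
 # hosts whose MTA was already identified as one of these (the KB keys
 # below) - the test is not meaningful for them.
 script_dependencie("find_service.nes", "sendmail_expn.nasl", "smtpserver_detect.nasl");
 script_exclude_keys("Sendmail/fake", "Sendmail/microsoft_esmtp_5",  "Sendmail/qmail", "Sendmail/postfix");
 script_require_ports("Services/smtp", 25);
 exit(0);
}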

#
# The script code starts here
#

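# Belt-and-braces with script_exclude_keys(): do not probe a host for
# which the Sendmail/fake KB key is set.
fake = get_kb_item("Sendmail/fake");
if(fake)exit(0);

# Use the port found by service detection, falling back to 25/tcp.
port = get_kb_item("Services/smtp");
if(!port)port = 25;
if(get_port_state(port))
{
 soc = open_sock_tcp(port);
 if(soc)
 {
 # SMTP replies may span several lines: continuation lines carry a '-'
 # after the three-digit code and the last line a space ("220-...",
 # "220 ..."). Reading a single chunk per reply leaves the remaining
 # lines in the socket, so every later read is shifted by one reply and
 # the final "250 " check could match a stale line. Drain the
 # continuation lines after each command instead.
 data = recv_line(socket:soc, length:1024);
 while(ereg(pattern:"^[0-9][0-9][0-9]-", string:data))
 {
  data = recv_line(socket:soc, length:1024);
 }

 crp = string("HELO nessus.org\r\n");
 send(socket:soc, data:crp);
 data = recv_line(socket:soc, length:1024);
 while(ereg(pattern:"^[0-9][0-9][0-9]-", string:data))
 {
  data = recv_line(socket:soc, length:1024);
 }

 # Envelope sender is root at the target's own host name, as described
 # in the report text.
 crp = string("MAIL FROM: root@", get_host_name(), "\r\n");
 send(socket:soc, data:crp);
 data = recv_line(socket:soc, length:1024);
 while(ereg(pattern:"^[0-9][0-9][0-9]-", string:data))
 {
  data = recv_line(socket:soc, length:1024);
 }

 # The probe itself: a pipe-to-program recipient. A "250 " reply means
 # the MTA accepted it. Only the reply code is inspected; DATA is never
 # sent, so no message is handed over for delivery. As the description
 # notes, some MTAs accept and silently drop such recipients, so this
 # can be a false positive.
 crp = string("RCPT TO: |testing\r\n");
 send(socket:soc, data:crp);
 data = recv(socket:soc, length:4);
 if(data == "250 ")security_hole(port);

 # End the session cleanly so the MTA sees a normal QUIT rather than an
 # aborted connection.
 send(socket:soc, data:string("QUIT\r\n"));
 close(soc);
 }
}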