Re: Anyone recognises this ?

From: H D Moore (sflistat_private)
Date: Wed Jul 03 2002 - 14:56:57 PDT


    The banner you see is actually a PIX firewall wrapping the SMTP connection. 
    The goal is to enable only a specific set of commands, thereby protecting the 
    SMTP daemon from any information gathering attacks. There is a bug in some 
    releases which don't accurately maintain the "state" of the SMTP connection 
    and allow for arbitrary commands to be sent to the backend server. You do 
    this by specifying a DATA command before the RCPT TO, followed immediately by 
    the command you want to send. So to fingerprint the backend service, you 
    would send something like this:
    
    telnet xxx.xxx.xxx.xxx 25
    Trying xxx.xxx.xxx.xxx...
    Connected to xxx.xxx.xxx.xxx.
    Escape character is '^]'.
    220*********************************************0************200**************
    HELO
    250 somehost Ok
    MAIL FROM: userat_private
    250 Ok
    DATA
    503 No recipients: need RCPT
    HELP
    214-Commands:
    214-     HELO     MAIL     RCPT     DATA     RSET
    214-     NOOP     QUIT     HELP     VRFY     ETRN
    214-     XEXCH50  STARTTLS AUTH
    214 End of HELP info
    354 Enter mail, end with "." on a line by itself
    
    Without that initial "DATA", the HELP command would return an "invalid 
    command" or similar response... The HELP output above would identify this as 
    an Exchange 5.x Internet Mail Service. More information about this bug in 
    particular can be found here:
    
    http://online.securityfocus.com/bid/3365
    
    -HD
    
    
    On Wednesday 03 July 2002 12:27, Marco van Berkum wrote:
    > Can anyone tell me what mailserver this is ?
    > It's running on a Novell machine (hostname has been changed)
    >
    > ws# telnet xxx.xxx.xxx.xxx 25
    > Trying xxx.xxx.xxx.xxx...
    > Connected to xxx.xxx.xxx.xxx.
    > Escape character is '^]'.
    > 220
    > *********************************************0************200**************
    >******* helo
    > 250 somehost Ok
    > mail from: marcoat_private
    > 250 Ok
    > rcpt to: user@somehost
    > 250 Ok
    > data
    > 354 Enter mail, end with "." on a line by itself
    > test
    > .
    > 250 Ok
    > quit
    > 221 somehost Closing transmission channel
    > Connection closed by foreign host.
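The state-tracking failure HD describes, modelled as an added example (this is not code from the thread, from Cisco, or from the BID 3365 advisory). A toy SMTP command filter hands only the restricted verb set to the backend and must decide when to stop filtering and start passing message body through. The flawed variant switches to pass-through as soon as the client sends DATA; the correct variant switches only when the backend has actually answered 354. The fake backend, the allowed verb list and every response string are constructed for the demo, and the exact mechanism ("trusting the client's DATA") is my reading of the post, not a statement about the PIX implementation.

```python
"""Toy SMTP command-state filter (added example, not from the thread or Cisco).

Models a protocol-aware proxy that only forwards a small verb set and must
track whether the session is in DATA (body) mode. Everything here, including
the backend, is constructed for the demo.
"""

# Verb set the filter is willing to forward (assumption; HELP is deliberately absent).
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class FakeBackend:
    """Minimal stand-in for the SMTP daemon behind the proxy (constructed)."""

    def __init__(self):
        self.rcpts = 0
        self.in_data = False

    def handle(self, line):
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 Ok"
            return None  # body line: the server sends nothing back
        verb = line.split(" ", 1)[0].upper()
        if verb == "HELO":
            return "250 somehost Ok"
        if verb == "MAIL":
            return "250 Ok"
        if verb == "RCPT":
            self.rcpts += 1
            return "250 Ok"
        if verb == "DATA":
            if self.rcpts == 0:
                return "503 No recipients: need RCPT"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "HELP":
            # Stands in for the verbose, product-identifying HELP text.
            return "214-Commands: (constructed fingerprintable HELP banner)"
        if verb == "QUIT":
            return "221 somehost Closing transmission channel"
        return "500 Command unrecognized"


class CommandFilter:
    """Forwards allowed verbs; answers disallowed ones itself.

    trust_client_data=True models the flawed state tracking: the filter enters
    body mode because the client said DATA, regardless of the server's answer.
    trust_client_data=False enters body mode only on a 354 from the backend.
    """

    def __init__(self, backend, trust_client_data=False):
        self.backend = backend
        self.in_data = False
        self.trust_client_data = trust_client_data

    def client_line(self, line):
        if self.in_data:
            # Body mode: pass everything through until the terminating dot.
            resp = self.backend.handle(line)
            if line == ".":
                self.in_data = False
            return resp
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED:
            # Never reaches the backend, so nothing about it can leak.
            return "500 Command unrecognized"
        resp = self.backend.handle(line)
        if verb == "DATA":
            if self.trust_client_data:
                self.in_data = True  # flawed: assumes DATA was accepted
            else:
                self.in_data = resp.startswith("354")  # correct: trust the server
        return resp


def run_session(lines, trust_client_data=False):
    """Drive one session through the filter and return the per-line responses."""
    flt = CommandFilter(FakeBackend(), trust_client_data=trust_client_data)
    return [flt.client_line(line) for line in lines]


if __name__ == "__main__":
    probe = ["HELO", "MAIL FROM: user@example.invalid", "DATA", "HELP"]
    print("flawed :", run_session(probe, trust_client_data=True))
    print("correct:", run_session(probe, trust_client_data=False))
```

Running the same four-line session through both modes shows the difference: in the flawed mode the rejected DATA still puts the filter into pass-through, so the HELP that follows reaches the backend and its banner comes back; in the correct mode the filter stays in command mode and answers the HELP itself. The same idea applies to any verb the backend would reject with a 5xx; the filter should key its state off server replies, never off what the client asked for.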
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jul 03 2002 - 20:00:06 PDT