Sambar sendmail false positives

From: Thomas Reinke (reinke@e-softinc.com)
Date: Fri Jan 04 2002 - 11:23:13 PST


    The Sambar sendmail script has a false positive "elimination" line
    that checks for SSL enabled servers talking non-SSL.
    
    Unfortunately, the false positive elimination doesn't work. The line:
    
      if("You're speaking plain HTTP to an SSL-enabled server port" <> buf)exit(0);
    
    has a number of problems:
    
     -  The <> should be ><
     -  The text should all be in lower case, since the script changes
        the buf to lower case.
     -  The buf never contains this text, because recv_line() was used
        instead of recv().
    
    A modified version of sambar_sendmail.nasl is attached that fixes these
    problems, and has been tested and no longer generates these false
    positives.
    
    Thomas
    
    #
    # Copyright 2000 by Hendrik Scholz <hendrikat_private>
    #
    
    if(description)
    {
     script_id(10415);
     
     name["english"] = "Sambar sendmail /session/sendmail";
     script_name(english:name["english"]);
     
     desc["english"] = "The Sambar webserver is running. It provides a webinterface for sending emails.
    You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
    Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server!
    
    See http://www.toppoint.de/~hscholz/sambar for more information.
    
    Solution : Try to disable this module. There might be a patch in the future. 
    
    Risk factor : High";
    
    
     script_description(english:desc["english"]);
     
     summary["english"] = "Sambar /session/sendmail mailer installed ?";
     
     script_summary(english:summary["english"]);
     
     script_category(ACT_ATTACK);
     
     
     script_copyright(english:"This script is Copyright (C) 2000 Hendrik Scholz");
    
     family["english"] = "CGI abuses";
     family["francais"] = "Abus de CGI";
     script_family(english:family["english"], francais:family["francais"]);
    
     script_dependencie("find_service.nes");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    port = get_kb_item("Services/www");
    if(!port)port = 443;
    if(get_port_state(port))
    {
     data = http_get(item:"/session/sendmail", port:port);
     soc = open_sock_tcp(port);
     if(soc)
     {
      send(socket:soc, data:data);
      # recv() rather than recv_line(): the SSL message sits in the body, not the status line
      buf = recv(socket:soc, length:4096);
      close(soc);
      # buf is lowercased here, so every pattern matched below must be lower case as well
      buf = tolower(buf);
      if(" 400 invalid header received " >< buf)exit(0);
      # an SSL-enabled port answering a plain HTTP request is not the sendmail module
      if("you're speaking plain http to an ssl-enabled server port" >< buf)exit(0);
      if(" 400 " >< buf)security_warning(port);
     }
    }
    
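The following is an added illustration, not code from Thomas Reinke's post or from the Nessus plugin. It models the fixed script's decision chain in Python and checks the three problems the post lists: the needle must be lower case once the buffer is lowercased, the substring test must run in the right direction, and a read that returns only the status line (what recv_line() gives back) never sees the SSL message in the body. All HTTP responses below are constructed samples and are an assumption about what the server sends, not captured Sambar output.

```python
# Added example (not part of the original post): the fixed sambar_sendmail.nasl
# decision chain, re-expressed in Python so the false-positive filters can be
# exercised offline. Every response below is a CONSTRUCTED sample.

SSL_PORT_MSG = "you're speaking plain http to an ssl-enabled server port"
INVALID_HEADER_MSG = " 400 invalid header received "
LEGACY_NEEDLE = "You're speaking plain HTTP to an SSL-enabled server port"  # pre-fix, mixed case


def classify(buf: bytes) -> str:
    """Mirror the NASL checks on a raw HTTP response.

    Returns 'invalid-header' or 'ssl-port' when a known false-positive pattern
    is present (the script exits without reporting), 'reported' when a bare
    " 400 " is seen (security_warning), and 'clean' otherwise.
    """
    text = buf.decode("latin-1").lower()       # buf = tolower(buf)
    if INVALID_HEADER_MSG in text:              # " 400 invalid header received " >< buf
        return "invalid-header"
    if SSL_PORT_MSG in text:                    # fixed needle: lower case, >< direction
        return "ssl-port"
    if " 400 " in text:                         # " 400 " >< buf -> security_warning(port)
        return "reported"
    return "clean"


def legacy_needle_matches(buf: bytes) -> bool:
    """The pre-fix needle (mixed case) tested against the lowercased buffer.

    It can never match, which is why the original filter line was dead code.
    """
    return LEGACY_NEEDLE in buf.decode("latin-1").lower()


def first_line(buf: bytes) -> bytes:
    """Approximate what recv_line() returns: the status line only, no body."""
    return buf.split(b"\r\n", 1)[0] + b"\r\n"


# Constructed sample responses (assumed shapes, not real server captures)
RESP_SSL = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>You're speaking plain HTTP to an SSL-enabled "
            b"server port.</body></html>")
RESP_INVALID = b"HTTP/1.0 400 Invalid header received \r\n\r\n"
RESP_SAMBAR = b"HTTP/1.0 400 Bad Request\r\nServer: Sambar\r\n\r\nMissing parameters"
RESP_OTHER = b"HTTP/1.0 404 Not Found\r\n\r\n"


if __name__ == "__main__":
    for label, resp in (("ssl port", RESP_SSL), ("invalid header", RESP_INVALID),
                        ("sambar 400", RESP_SAMBAR), ("404", RESP_OTHER)):
        print(f"{label:15s} full read: {classify(resp):15s} "
              f"status line only: {classify(first_line(resp))}")
    print("legacy needle matches SSL response:", legacy_needle_matches(RESP_SSL))
```

Running it shows the point of the third fix directly: the SSL-port response classifies as `ssl-port` when the whole reply is read, but as `reported` when only the status line is available, because the tell-tale sentence is in the body.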



    This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 11:21:01 PST