Re: Sambar sendmail false positives

From: Thomas Reinke (reinke@e-softinc.com)
Date: Fri Jan 04 2002 - 11:26:14 PST

    Ack... the last script is incorrect: for testing I had changed the port
    to be port 443.  The attached script is the correct one.
    
    Thomas
    
    Thomas Reinke wrote:
    > 
    > The Sambar sendmail script has a false positive "elimination" line
    > that checks for SSL enabled servers talking non-SSL.
    > 
    > Unfortunately, the false positive elimination doesn't work. The line:
    > 
    >   if("You're speaking plain HTTP to an SSL-enabled server port" <> buf)exit(0);
    > 
    > has a number of problems:
    > 
    >  -  The <> should be ><
    >  -  The text should all be in lower case, since the script changes
    >     the buf to lower case.
    >  -  The buf never contains this text, because recv_line() was used
    >     instead of recv().
    > 
    > A modified version of sambar_sendmail.nasl is attached that fixes these
    > problems, and has been tested and no longer generates these false
    > positives.
    > 
    > Thomas
    > 
    >   ------------------------------------------------------------------------
    > #
    > # Copyright 2000 by Hendrik Scholz <hendrikat_private>
    > #
    > 
    > if(description)
    > {
    >  script_id(10415);
    > 
    >  name["english"] = "Sambar sendmail /session/sendmail";
    >  script_name(english:name["english"]);
    > 
    >  desc["english"] = "The Sambar webserver is running. It provides a webinterface for sending emails.
    > You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
    > Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server!
    > 
    > See http://www.toppoint.de/~hscholz/sambar for more information.
    > 
    > Solution : Try to disable this module. There might be a patch in the future.
    > 
    > Risk factor : High";
    > 
    >  script_description(english:desc["english"]);
    > 
    >  summary["english"] = "Sambar /session/sendmail mailer installed ?";
    > 
    >  script_summary(english:summary["english"]);
    > 
    >  script_category(ACT_ATTACK);
    > 
    > 
    >  script_copyright(english:"This script is Copyright (C) 2000 Hendrik Scholz");
    > 
    >  family["english"] = "CGI abuses";
    >  family["francais"] = "Abus de CGI";
    >  script_family(english:family["english"], francais:family["francais"]);
    > 
    >  script_dependencie("find_service.nes");
    >  script_require_ports("Services/www", 80);
    >  exit(0);
    > }
    > 
    > #
    > # The script code starts here
    > 
    > port = get_kb_item("Services/www");
    > if(!port)port = 443;
    > if(get_port_state(port))
    > {
    >  data = http_get(item:"/session/sendmail", port:port);
    >  soc = open_sock_tcp(port);
    >  if(soc)
    >  {
    >   send(socket:soc, data:data);
    >   buf = recv(socket:soc, length:4096);
    >   close(soc);
    >   buf = tolower(buf);
    >   if(" 400 invalid header received " >< buf)exit(0);
    >   if("you're speaking plain http to an ssl-enabled server port" >< buf)exit(0);
    >   if(" 400 " >< buf)security_warning(port);
    >  }
    > }
    
    -- 
    ------------------------------------------------------------
    E-Soft Inc.                         http://www.e-softinc.com
    Publishers of SecuritySpace     http://www.securityspace.com
    Tel: 1-905-331-2260                      Fax: 1-905-331-2504   
    Tollfree in North America: 1-800-799-4831
    
    #
    # Copyright 2000 by Hendrik Scholz <hendrikat_private>
    #
    
    if(description)
    {
     script_id(10415);
     
     name["english"] = "Sambar sendmail /session/sendmail";
     script_name(english:name["english"]);
     
     desc["english"] = "The Sambar webserver is running. It provides a webinterface for sending emails.
    You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
    Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server!
    
    See http://www.toppoint.de/~hscholz/sambar for more information.
    
    Solution : Try to disable this module. There might be a patch in the future. 
    
    Risk factor : High";
    
    
     script_description(english:desc["english"]);
     
     summary["english"] = "Sambar /session/sendmail mailer installed ?";
     
     script_summary(english:summary["english"]);
     
     script_category(ACT_ATTACK);
     
     
     script_copyright(english:"This script is Copyright (C) 2000 Hendrik Scholz");
    
     family["english"] = "CGI abuses";
     family["francais"] = "Abus de CGI";
     script_family(english:family["english"], francais:family["francais"]);
    
     script_dependencie("find_service.nes");
     script_require_ports("Services/www", 80);
     exit(0);
    }
    
    #
    # The script code starts here
    
    port = get_kb_item("Services/www");
    if(!port)port = 80;
    if(get_port_state(port))
    {
     data = http_get(item:"/session/sendmail", port:port);
     soc = open_sock_tcp(port);
     if(soc)
     {
      send(socket:soc, data:data);
      buf = recv(socket:soc, length:4096);
      close(soc);
      buf = tolower(buf);
      if(" 400 invalid header received " >< buf)exit(0);
      if("you're speaking plain http to an ssl-enabled server port" >< buf)exit(0);
      if(" 400 " >< buf)security_warning(port);
     }
    }
    
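Added example (not the NASL script and not from the post): the response handling of sambar_sendmail.nasl mirrored in Python so that the three defects listed above can be exercised against constructed sample responses; `recv_line`, `recv` and `contains` are assumed stand-ins for the NASL calls, and all responses are constructed, not captured traffic.

```python
# Added example: the sambar_sendmail.nasl checks re-implemented in Python
# so the three defects in the post (wrong operator direction, mixed-case
# needle against a lowercased buffer, recv_line() instead of recv()) can
# be exercised. Nothing here is the original NASL script or Sambar code.

# Constructed sample responses; not captured traffic.
MOD_SSL_400 = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<h1>Bad Request</h1>\n"
    "Reason: You're speaking plain HTTP to an SSL-enabled server port.\n"
)
INVALID_HEADER_400 = "HTTP/1.0 400 Invalid header received \r\n\r\n"
SAMBAR_400 = "HTTP/1.0 400 Bad Request\r\nServer: Sambar\r\n\r\n"
PLAIN_404 = "HTTP/1.0 404 Not Found\r\n\r\n"

ORIGINAL_NEEDLE = "You're speaking plain HTTP to an SSL-enabled server port"
FIXED_NEEDLE = ORIGINAL_NEEDLE.lower()


def recv_line(response: str) -> str:
    """Stand-in for NASL recv_line(): only the status line is read."""
    return response.split("\n", 1)[0]


def recv(response: str, length: int = 4096) -> str:
    """Stand-in for NASL recv(): the whole response, up to `length` bytes."""
    return response[:length]


def contains(needle: str, buf: str) -> bool:
    """NASL `needle >< buf`: true when needle is a substring of buf."""
    return needle in buf


def classify(buf: str, needle: str = FIXED_NEEDLE) -> str:
    """Mirror the script body after the socket read.

    Returns 'skip' (exit(0)), 'warn' (security_warning) or 'none'.
    """
    buf = buf.lower()                       # the script lowercases buf first
    if contains(" 400 invalid header received ", buf):
        return "skip"                       # our request itself was rejected
    if contains(needle, buf):
        return "skip"                       # plain HTTP sent to an SSL port
    if contains(" 400 ", buf):
        return "warn"                       # the script's Sambar trigger
    return "none"
```

Reading only the status line, or matching the mixed-case needle, leaves the mod_ssl response classified as "warn", which is exactly the false positive described in the post.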



    This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 11:25:43 PST