Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE] Check for CVE-2011-1720 - Postfix SMTP Cyrus SASL memory corruption
From: Djalal Harouni <tixxdz () opendz org>
Date: Thu, 12 May 2011 18:26:01 +0100

Hi list,

Please find attached a script (smtp-check-vulns.nse) which currently
only checks for the Postfix SMTP Cyrus SASL authentication memory
corruption CV-2011-1720 [1]

The LOGIN mechanism seems also vulnerable, but as noted in the
Postfix advisory [1], sending "AUTH PLAIN" after aborting the
"AUTH LOGIN" request does not result in a memory corruption.

I've only tested the CRAM-MD5 and NTLM mechanisms. The NTLM data
structure will be corrupted and the Postfix smtpd will segfault after
two tests using the DIGEST-MD5 mechanism. The checks for the other
mechanisms are disabled, I don't have a config to test them.

The script will segfault the smtpd child which runs with the 'postfix'
user privileges. The script supports the submission protocol.

You can add other checks, just put them in the 'AUTH_VULN' table. If
I've enough time I'll try to check the sources and complete this table.


[1] http://www.postfix.org/CVE-2011-1720.html

-- 
tixxdz
http://opendz.org

Attachment: smtp-check-vulns.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]