Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2002-2019 Tenable Network Security, Inc.POPRELAYD_AUTH.NASL
HistoryAug 14, 2002 - 12:00 a.m.

poprelayd & sendmail Arbitrary Mail Relay

2002-08-1400:00:00
This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.
www.tenable.com
40
JSON

Nessus has detected that the remote SMTP server allows relaying for users which were identified by ‘POP before SMTP’. The access control mechanism is based on the POP server logs. However, it is possible to poison these logs, which means that any spammer could be using your mail server to send their emails to the world, thus flooding your network bandwidth and possibly getting your mail server blacklisted.

Note that for some SMTP servers, such as Postfix, this plugin will display a false positive.

#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
#      Erik Anderson <[email protected]>
#      Added BugtraqID and CVE
#
# References:
# Date:  Tue, 3 Jul 2001 19:05:10 +0200 (CEST)
# From: "Andrea Barisani" <[email protected]>
# To: [email protected]
# Subject: poprelayd and sendmail relay authentication problem (Cobalt Raq3)
#

include("compat.inc");

if (description)
{
 script_id(11080);
 script_version("1.29");
 script_cvs_date("Date: 2019/03/06 18:38:55");

 script_cve_id("CVE-2001-1075");
 script_bugtraq_id(2986);

 script_name(english:"poprelayd & sendmail Arbitrary Mail Relay");
 script_summary(english:"Checks if the remote mail server can be used as a spam relay.");

  script_set_attribute(attribute:"synopsis", value:
"An open SMTP relay may be running on the remote host.");
 script_set_attribute(attribute:"description", value:
"Nessus has detected that the remote SMTP server allows relaying for
users which were identified by 'POP before SMTP'. The access control
mechanism is based on the POP server logs. However, it is possible to
poison these logs, which means that any spammer could be using your
mail server to send their emails to the world, thus flooding your
network bandwidth and possibly getting your mail server blacklisted.

Note that for some SMTP servers, such as Postfix, this plugin will
display a false positive.");
 script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Email_spam");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Jul/64");
 script_set_attribute(attribute:"solution", value:
"Disable poprelayd or upgrade it.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2001/07/03");
 script_set_attribute(attribute:"plugin_publication_date", value:"2002/08/14");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_family(english:"SMTP problems");

 script_copyright(english:"This script is Copyright (C) 2002-2019 Tenable Network Security, Inc.");

 script_dependencie("smtpserver_detect.nasl", "sendmail_expn.nasl", "smtp_relay.nasl", "smtp_settings.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/smtp", 25);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# can't perform this test on localhost
if(islocalhost())exit(0);

port = get_service(svc:"smtp", default:25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

data = smtp_recv_banner(socket:soc);
if(!data)exit(0);

domain = get_kb_item("Settings/third_party_domain");
if(!domain) domain = "nessus.org";

hel = string("HELO ", domain, "\r\n");
send(socket:soc, data:hel);
data = recv_line(socket:soc, length:1024);
mf1 = string("MAIL FROM: <test_1@", domain, ">\r\n");
send(socket:soc, data:mf1);
data = recv_line(socket:soc, length:1024);
rc1 = string("RCPT TO: <test_2@", domain, ">\r\n");
send(socket:soc, data: rc1);
data = recv_line(socket:soc, length:1024);
if ("Relaying denied. Please check your mail first." >< data) { suspicious=1;}
else if(ereg(pattern:"^250 .*", string:data))exit(0);

q = raw_string(0x22);	# Double quote
h = compat::this_host();
mf = string("mail from:", q, "POP login by user ", q, "admin", q,
	" at (", h, ") ", h, "@example.org\r\n");
send(socket: soc, data: mf);
data = recv_line(socket:soc, length:1024);
close(soc);
#
#sleep(10);
#
soc = open_sock_tcp(port);
if (!soc) exit(0);

data = smtp_recv_banner(socket:soc);
send(socket:soc, data:hel);
data = recv_line(socket:soc, length:1024);
send(socket:soc, data:mf1);
data = recv_line(socket:soc, length:1024);
send(socket:soc, data: rc1);
i = recv_line(socket:soc, length:4);
if (i == "250 ") security_warning(port);
close(soc);

Related

cve 1
openvas 1
cve
cve
CVE-2001-1075
2001-07-04 04:00:00
openvas
openvas
poprelayd & sendmail Authentication Problem
2005-11-03 00:00:00
JSON
Related for POPRELAYD_AUTH.NASL
cve1openvas1