Vulners
Lucene search
Sendmail MAIL FROM Command Arbitrary Remote Command Execution
| Reporter | Title | Published | Views | Family All 6 |
|---|---|---|---|---|
 | CVE-1999-0203 | 25 Apr 200004:00 | – | cve |
 | CVE-1999-0203 | 25 Apr 200004:00 | – | cvelist |
 | EUVD-1999-0203 | 7 Oct 202500:30 | – | euvd |
 | CVE-1999-0203 | 17 Aug 199504:00 | – | nvd |
 | PT-1995-1011 · Sendmail · Sendmail | 17 Aug 199500:00 | – | ptsecurity |
 | CVE-1999-0203 | 7 Jan 202609:41 | – | redhatcve |
| Source | Link |
|---|---|
| securitydigest | www.securitydigest.org/phage/archive/324 |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#
# (C) Tenable Network Security, Inc.
#
include( 'compat.inc' );
if(description)
{
script_id(10258);
script_version ("1.38");
script_cve_id("CVE-1999-0203");
script_bugtraq_id(2308);
script_name(english:"Sendmail MAIL FROM Command Arbitrary Remote Command Execution");
script_summary(english:"Checks if the remote mail server can be used to gain a shell");
script_set_attribute(
attribute:'synopsis',
value:'The remote SMTP server is vulnerable to authentication bypass.'
);
script_set_attribute(
attribute:'description',
value:'The remote SMTP server did not complain when issued the
command :
MAIL FROM: |testing
This probably means that it is possible to send mail
that will be bounced to a program, which is
a serious threat, since this allows anyone to execute
arbitrary commands on this host.
*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently'
);
script_set_attribute(
attribute:'solution',
value:'Upgrade your MTA or change it.'
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(
attribute:'see_also',
value:'http://securitydigest.org/phage/archive/324'
);
script_set_attribute(attribute:"plugin_publication_date", value: "1999/08/22");
script_set_attribute(attribute:"vuln_publication_date", value: "1988/12/04");
script_cvs_date("Date: 2018/08/03 11:35:08");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
script_family(english:"SMTP problems");
script_dependencie("find_service1.nasl", "sendmail_expn.nasl", "smtpserver_detect.nasl");
script_require_keys("SMTP/sendmail");
script_require_ports("Services/smtp", 25);
exit(0);
}
#
# The script code starts here
#
include("smtp_func.inc");
port = get_kb_item("Services/smtp");
if(!port)port = 25;
if(get_port_state(port))
{
soc = open_sock_tcp(port);
if(soc)
{
data = smtp_recv_banner(socket:soc);
if(!data)exit(0);
if("Sendmail" >!< data)exit(0);
crp = string("HELO example.com\r\n");
send(socket:soc, data:crp);
data = recv_line(socket:soc, length:1024);
crp = string("MAIL FROM: |testing\r\n");
send(socket:soc, data:crp);
data = recv_line(socket:soc, length:4);
if(data=="250 ")security_hole(port);
close(soc);
}
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Aug 2018 11:35Current
5.6Medium risk
Vulners AI Score5.6
CVSS 210
EPSS0.00483