Lucene search
Copyright (C) 2004 Michel ArboiOPENVAS:136141256231016024HistoryNov 03, 2005 - 12:00 a.m.
Sendmail WIZ Command Enabled
2005-11-0300:00:00
Copyright (C) 2004 Michel Arboi
plugins.openvas.org
27
9.6 High
AI Score
Confidence
High
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
32.0%
The remote Sendmail service accepts the WIZ command.
# SPDX-FileCopyrightText: 2004 Michel Arboi
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:sendmail:sendmail";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.16024");
script_version("2024-01-10T05:05:17+0000");
script_tag(name:"last_modification", value:"2024-01-10 05:05:17 +0000 (Wed, 10 Jan 2024)");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_xref(name:"URL", value:"http://www.securityfocus.com/bid/2897");
script_cve_id("CVE-1999-0145");
script_xref(name:"OSVDB", value:"1877");
script_tag(name:"cvss_base", value:"7.2");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_name("Sendmail WIZ Command Enabled");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2004 Michel Arboi");
script_family("SMTP problems");
script_dependencies("gb_sendmail_smtp_detect.nasl");
script_mandatory_keys("sendmail/smtp/detected");
script_require_ports("Services/smtp", 25, 465, 587);
script_tag(name:"summary", value:"The remote Sendmail service accepts the WIZ command.");
script_tag(name:"vuldetect", value:"Sends a crafted SMTP request and checks the response.");
script_tag(name:"insight", value:"WIZ allows remote users to execute arbitrary commands as root
without the need to log in.");
script_tag(name:"solution", value:"Reconfigure or upgrade your MTA.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"remote_vul");
exit(0);
}
include("smtp_func.inc");
include("host_details.inc");
if(!port = get_app_port(cpe:CPE, service:"smtp"))
exit(0);
if(!get_app_location(cpe:CPE, port:port, nofork:TRUE))
exit(0);
soc = open_sock_tcp(port);
if(!soc)
exit(0);
res = smtp_recv_banner(socket:soc);
if(!res || "endmail" >!< res) {
smtp_close(socket:soc, check_data:res);
exit(0);
}
# nb: We could also test the "KILL" function, which is related to WIZ if I understood correctly
req = string("WIZ\r\n");
send(socket:soc, data:req);
res = smtp_recv_line(socket:soc, code:"2[0-9]{2}");
smtp_close(socket:soc, check_data:res);
if(ereg(string:res, pattern:"^2[0-9]{2}[- ].+")) {
report = 'The remote SMTP service accepts the WIZ command. Answer:\n\n' + res;
security_message(port:port, data:report);
exit(0);
}
exit(99);
References
Related
cve
cve
CVE-1999-0145
1993-09-30 04:00:00
cbl_mariner
cbl_mariner
CVE-1999-0145 affecting package sendmail 8.15.2-46
2024-04-28 09:06:19
nessus
nessus
Sendmail DEBUG/WIZ Remote Command Execution
1999-08-22 00:00:00
exploitpack
exploitpack
Exim 4.87 4.91 - (Local Remote) Command Execution
2019-06-05 00:00:00
zdt
zdt
Exim 4.87 < 4.91 - (Local / Remote) Command Execution Exploit
2019-06-07 00:00:00
exploitdb
exploitdb
Exim 4.87 < 4.91 - (Local / Remote) Command Execution
2019-06-05 00:00:00
9.6 High
AI Score
Confidence
High
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
32.0%
Related for OPENVAS:136141256231016024