RE: Cisco PIX Firewall MailGuard Vulnerability
From: Jerome Tytgat (j.tytgat@energis.fr)
Date: 09/25/01
From: Jerome Tytgat <j.tytgat@energis.fr>
To: <vuln-dev@securityfocus.com>
Subject: RE: Cisco PIX Firewall MailGuard Vulnerability
Date: Tue, 25 Sep 2001 14:42:01 +0200
Message-ID: <NEBBJOKLKIIEHOEIPMLKOEFOFEAA.j.tytgat@energis.fr>
Rather outdated... 10-5-2000...
All recent - "less than one year" - binaries
are OK (>4.4.7, 5.1.4, 5.2.3, 5.3.1, 6.0.1).
In fact the order of commands was not checked
(you could send a DATA before a RCPT TO).
And after sending a DATA command, commands were not
checked anymore.
Simply sending a DATA just after a HELO is refused by
the mail server with a 500 error, but the PIX saw
the DATA command and is not checking commands anymore.
So the mail server was vulnerable to attack if it has
a bug (such as an overflow).
The SMTP fixup is here to prevent use of some functions
like EXPN, VRFY.
_______________________________________________________________
ENERGIS
Jerome Tytgat
Network and Security Administrator
mailto:j.tytgat@energis.fr http://www.energis.fr
tel : (33) 03 88 78 77 77 2, rue paul Rohmer
fax : (33) 03 88 78 80 00 F-67087 Strasbourg Cedex 2
_______________________________________________________________
> -----Original Message-----
> From: Fabio Pietrosanti (naif) [mailto:naif@sikurezza.org]
> Sent: Tuesday, 25 September 2001 12:06
> To: vuln-dev@securityfocus.com
> Subject: Cisco PIX Firewall MailGuard Vulnerability
>
>
> Hi,
>
> I have received the advisory from Cisco about the vulnerability
> in the subject
> described here:
> http://www.cisco.com/warp/public/707/PIXfirewallSMTPfilter-pub.shtml
>
> I discovered the old mailguard vulnerability, and I would like to know if
> someone could explain in detail about this new kind of attack
> against the SMTP
> filter.
>
> Regards
>
> --
>
> Fabio Pietrosanti ( naif )
> E-mail: naif@sikurezza.org - naif@blackhats.it
> PGP Key (DSS) http://naif.itapac.net/naif.asc
> --
> Free advertising: www.openbsd.org Multiplatform Ultra-secure OS
> Free Flame: IPFilter sucks !
>
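Added example (not part of the original messages and not Cisco's code): a small Python model of the filter behaviour described in the reply above, comparing a filter that stops inspecting as soon as the client sends DATA with one that waits for the server's 354 reply. The allowed-verb set, the function name `filter_session` and both sample sessions are constructed assumptions, and waiting for 354 is one possible correction, not necessarily the one Cisco shipped.

```python
# Added illustration, not Cisco's code. Verbs allowed through the filter
# (assumption: the RFC 821 minimum set; EXPN and VRFY are not in it).
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

def filter_session(events, wait_for_354):
    """Replay (side, line) events and return the client lines forwarded.

    wait_for_354=False: inspection stops as soon as the client sends DATA,
    the behaviour described in the message above.
    wait_for_354=True: body mode starts only when the server answers 354.
    Simplification: one single-line server reply per command, no pipelining.
    """
    forwarded, in_body, data_pending = [], False, False
    for side, line in events:
        if side == "S":                       # server reply
            if data_pending:
                in_body = line.startswith("354")
                data_pending = False
            continue
        if in_body:                           # message body: not inspected
            forwarded.append(line)
            if line == ".":
                in_body = False
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED:
            continue                          # command blocked by the filter
        forwarded.append(line)
        if verb == "DATA":
            if wait_for_354:
                data_pending = True
            else:
                in_body = True
    return forwarded

# Constructed sessions ("C" = client line, "S" = server line).
OUT_OF_ORDER = [
    ("C", "HELO client.example"), ("S", "250 mail.example"),
    ("C", "DATA"), ("S", "500 error"),        # server refuses the early DATA
    ("C", "EXPN staff"), ("C", "VRFY root"), ("C", "QUIT"),
]
NORMAL = [
    ("C", "HELO client.example"), ("S", "250 mail.example"),
    ("C", "MAIL FROM:<a@client.example>"), ("S", "250 ok"),
    ("C", "RCPT TO:<b@mail.example>"), ("S", "250 ok"),
    ("C", "DATA"), ("S", "354 go ahead"),
    ("C", "VRFY is only a word in this body line"), ("C", "."), ("S", "250 ok"),
    ("C", "QUIT"), ("S", "221 bye"),
]
```

With `wait_for_354=False` the EXPN and VRFY lines of the out-of-order session are forwarded as if they were message body; with `wait_for_354=True` they are dropped, while the normal session passes unchanged in both modes.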