CVE-2003-0285 - IBM AIX 5.2 and earlier ships Sendmail configured as an open mail relay
Summary
IBM AIX 5.2 and earlier distributes Sendmail with a configuration file (sendmail.cf) in which the (1) promiscuous_relay, (2) accept_unresolvable_domains, and (3) accept_unqualified_senders features are enabled. Together these turn the default installation into an open mail relay: any remote client can hand the server mail addressed to arbitrary third-party recipients, which is what spammers exploit. The Nessus checks listed below (plugins 10262, 11852 and 118017) detect the condition by attempting to relay a message for the scanner's configured third-party domain rather than by inspecting sendmail.cf. Note their scoping: 11852 skips targets on private address space outright, 10262 skips private, local-net and localhost targets unless paranoid reporting is enabled, and 118017 only runs against private addresses with paranoid reporting on, so an affected host inside the perimeter is not flagged by a default scan.
Vulnerable Configurations
Part | Description | Count
---|---|---
OS | Ibm | 33
Nessus
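NASL family SMTP problems NASL id INTERNAL_SMTP_RELAY_DETECTION.NASL description Nessus has detected that this internal SMTP server allows mail relaying. last seen 2020-06-02 modified 2018-10-10 plugin id 118017 published 2018-10-10 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118017 title MTA Open Mail Relaying Allowed (internal) code
#
# (C) Tenable Network Security, Inc.
#
# Open-relay probe for SMTP servers on private address space.  Runs only
# when paranoid reporting is enabled.  The probe itself is the one used by
# plugin 10262: HELO as a third-party domain, then attempt to send from
# test_1@<domain> to test_2@<domain>.  If RCPT TO is accepted and the
# server answers DATA with 3xx, it relays for anyone.
#
# Review fixes against the published version:
#   * the AUTH CRAM-MD5 command and its canned response were written in
#     double quotes.  NASL does not expand \r\n inside "..." strings, so
#     the server never received a line terminator and the tryauth pass
#     could only time out and return 0 (plugin 10262 already uses '...'
#     for the same two lines);
#   * every early "return(0)" left the socket open.
#

include("compat.inc");

if (description)
{
  script_id(118017);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");

  script_cve_id("CVE-1999-0512", "CVE-2002-1278", "CVE-2003-0285");
  script_bugtraq_id(7580, 8196, 83209);

  script_name(english:"MTA Open Mail Relaying Allowed (internal)");
  script_summary(english:"Checks if the internal mail server can be used to relay email.");

  script_set_attribute(attribute:"synopsis", value:
"An open SMTP relay is running on the host.");
  script_set_attribute(attribute:"description", value:
"Nessus has detected that this internal SMTP server allows mail relaying.");
  script_set_attribute(attribute:"solution", value:
"Reconfigure your SMTP server so that it cannot be used as an indiscriminate SMTP relay. 
Make sure that the server uses appropriate access controls to limit the extent to which relaying is possible.");

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:X/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"score from a more in depth analysis done by Tenable");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Open_mail_relay");
  script_set_attribute(attribute:"vuln_publication_date", value:"1990/01/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/10");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SMTP problems");
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  script_dependencies("smtpserver_detect.nasl", "sendmail_expn.nasl", "smtp_settings.nasl");
  script_exclude_keys("SMTP/wrapped", "SMTP/qmail");
  script_require_ports("Services/smtp", 25);
  script_require_keys("Settings/ParanoidReport");

  exit(0);
}

include('global_settings.inc');
include('misc_func.inc');
include('network_func.inc');
include("smtp_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# This plugin is the private-network counterpart of 10262, which skips
# such targets; anything else is out of scope here.
if (!is_private_addr())
{
  exit(0, "This check is only intended for internal SMTP open relays.");
}

# check port
port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
if (get_kb_item('SMTP/'+port+'/broken'))
{
  exit(0, "The SMTP server on port "+port+" is broken.");
}

# this value is set in scan/assessment/smtp third party domain
domain = get_kb_item("Settings/third_party_domain");
if (!domain)
{
  domain = 'example.edu';
}

# Run one relay attempt on a fresh TCP connection.
#
#   tryauth - when non-zero, send a bogus AUTH CRAM-MD5 exchange before
#             MAIL FROM (presumably to catch servers that relax relay
#             restrictions for any client that merely attempts AUTH).
#
# Reads the script globals port and domain.  On success, reports and sets
# the SMTP/relay KB keys.  Whenever the server rejects a step, the socket
# is closed and 0 is returned.  The function exits the script outright
# when the connection or banner cannot be obtained.
function smtp_test_relay(tryauth)
{
  local_var crp, data, i, r, report, soc, trace;

  soc = open_sock_tcp(port);
  if (!soc) exit(1, "Can't open socket on port "+port+".");

  data = smtp_recv_banner(socket:soc);
  if (!data)
  {
    close(soc);
    exit(1, "Failed to receive the banner from the SMTP server on port "+port+".");
  }
  # trace collects the dialogue for the verbose report.
  trace = 'S : ' + data;

  # HELO as the third-party domain; anything but a single-line 2xx ends
  # the test.
  crp = "HELO " + domain + '\r\n';
  trace = trace + 'C : ' + crp;
  send(socket:soc, data:crp);
  data = recv_line(socket:soc, length:1024);
  if (!preg(pattern:"^2[0-9][0-9] .*", string:data))
  {
    close(soc);
    return(0);
  }
  trace = trace + 'S : ' + data;

  if (tryauth)
  {
    # Single quotes are required: '\r\n' is expanded, "\r\n" is not.
    crp = 'AUTH CRAM-MD5\r\n';
    trace = trace + 'C : ' + crp;
    send(socket:soc, data:crp);
    data = recv_line(socket:soc, length:1024);
    if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
    {
      close(soc);
      return(0);
    }
    trace = trace + 'S : ' + data;

    # Canned CRAM-MD5 response.  The server's challenge is ignored, so
    # this cannot be a legitimate login; a 2xx/3xx here or a successful
    # relay afterwards is what the test is looking for.
    crp = 'ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2Z==\r\n';
    trace = trace + 'C : ' + crp;
    send(socket:soc, data:crp);
    data = recv_line(socket:soc, length:1024);
    if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
    {
      close(soc);
      return(0);
    }
    trace = trace + 'S : ' + data;
  }

  # Sender and recipient are both in the third-party domain, i.e.
  # neither belongs to the target; accepting the pair means relaying.
  crp = "MAIL FROM: <test_1@" + domain + '>\r\n';
  trace = trace + 'C : ' + crp;
  send(socket:soc, data:crp);
  data = recv_line(socket:soc, length:1024);
  if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
  {
    close(soc);
    return(0);
  }
  trace = trace + 'S : ' + data;

  crp = "RCPT TO: <test_2@" + domain + '>\r\n';
  trace = trace + 'C : ' + crp;
  send(socket:soc, data:crp);
  i = recv_line(socket:soc, length:1024);
  if (preg(pattern:"^250 ", string:i))
  {
    trace = trace + 'S : ' + i;

    # Some MTAs only reject the recipient at DATA, so require a 3xx
    # there before calling it a relay.
    crp = 'DATA\r\n';
    trace = trace + 'C : ' + crp;
    send(socket:soc, data:crp);
    r = recv_line(socket:soc, length:1024);
    if (preg(pattern:"^3[0-9][0-9] .*", string:r))
    {
      trace = trace + 'S : ' + r;
      report = "An internal SMTP open relay has been detected.";
      if (report_verbosity > 0)
      {
        trace = '\n ' + str_replace(find:'\n', replace:'\n ', string:trace);
        trace = chomp(trace);
        report = report + '\nHere is a trace of the traffic that demonstrates the open relay :\n' + trace;
      }
      # report results (KB and output)
      set_kb_item(name:"SMTP/relay", value:TRUE);
      set_kb_item(name:"SMTP/" + port + "/relay", value:TRUE);
      security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    }
  }

  # No message body and no terminating "." are ever sent: dropping the
  # connection here abandons the DATA phase, so nothing is relayed.
  close(soc);
}

smtp_test_relay(tryauth: 0);
smtp_test_relay(tryauth: 1);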
NASL family SMTP problems NASL id SMTP_RELAY2.NASL description Nessus has detected that the remote SMTP server is insufficiently protected against mail relaying. This issue allows any spammer to use your mail server to send their mail to the world, thus flooding your network bandwidth and possibly getting your mail server blacklisted. last seen 2020-06-01 modified 2020-06-02 plugin id 11852 published 2003-09-26 reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/11852 title MTA Open Mail Relaying Allowed (thorough test) code
#
# (C) Tenable Network Security, Inc.
#
# "Thorough" relay test.  Where plugin 10262 tries one straightforward
# third-party MAIL FROM / RCPT TO pair, this script walks a list of
# sender/recipient tricks (empty or unqualified senders, senders claiming
# to be the target itself, source-routed and UUCP-style recipient syntax)
# that historically slipped past anti-relay rules.  Each probe is sent on
# its own SMTP connection and the first one that reaches a 3xx reply to
# DATA is reported.
#
# References
# Date: Mon, 25 Aug 2003 05:38:53 -0700
# From: "st0ff st0ff" <[email protected]>
# Subject: Can NT4 SMTP Service be misused for mail spamming
# To: [email protected]
#
# Date: Fri, 19 Sep 2003 16:47:45 +0200
# From: [email protected]
# Subject: Re: Can NT4 SMTP Service be misused for mail spamming
# To: [email protected]
#

include("compat.inc");

if(description)
{
  script_id(11852);
  script_version ("1.25");
  script_cvs_date("Date: 2018/08/03 11:35:08");

  script_cve_id( "CVE-1999-0512", "CVE-2002-1278", "CVE-2003-0285" );
  script_bugtraq_id( 7580, 8196, 83209 );

  script_name(english:"MTA Open Mail Relaying Allowed (thorough test)");
  script_summary(english:"Tries misc invalid tricks to circumvent anti-relay functions.");

  script_set_attribute(attribute:"synopsis", value:
"An open SMTP relay is running on the remote host." );
  script_set_attribute(attribute:"description", value:
"Nessus has detected that the remote SMTP server is insufficiently protected against mail relaying. This issue allows any spammer to use your mail server to send their mail to the world, thus flooding your network bandwidth and possibly getting your mail server blacklisted.");
  script_set_attribute(attribute:"solution", value:
"Reconfigure your SMTP server so that it cannot be used as an indiscriminate SMTP relay. 
Make sure that the server uses appropriate access controls to limit the extent to which relaying is possible.");

  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:X/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Email_spam");
  script_set_attribute(attribute:"vuln_publication_date", value:"1990/01/01");
  script_set_attribute(attribute:"plugin_publication_date", value: "2003/09/26");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SMTP problems");
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");

  # smtp_relay.nasl (10262) must run first: its SMTP/<port>/spam key
  # short-circuits this script (see below).
  script_dependencie("smtpserver_detect.nasl", "sendmail_expn.nasl", "smtp_relay.nasl", "smtp_settings.nasl");
  script_require_ports("Services/smtp", 25);
  exit(0);
}

#

include("global_settings.inc");
include("smtp_func.inc");
include("misc_func.inc");
include("network_func.inc");

# can't perform this test on localhost
if(islocalhost())exit(0);
# Private address space is skipped unconditionally (no paranoia override,
# unlike 10262); internal relays are left to plugin 118017.
if (is_private_addr()) exit(0);

port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);

# No use to try "advanced" tests if it is a wide open relay
if (get_kb_item("SMTP/" + port + "/spam")) exit(0);

domain = get_kb_item("Settings/third_party_domain");
if (! domain) domain = 'example.edu';

# First connection.  helo:NULL here and an explicit HELO below; later
# reconnections rely on smtp_open() alone (see the loop).
soc = smtp_open(port: port, helo: NULL);
if (! soc) exit(0);

dest_name = get_host_name();
dest_ip = get_host_ip();
# Redundant: dest_name was already assigned two lines up.
dest_name = get_host_name();
src_name = this_host_name();

# t1: the third-party recipient every "sender trick" probe targets.
# f1/f2: senders claiming to be local to the target, by name and by
# address literal, used by the "recipient trick" probes.
t1 = strcat('nobody@', domain);
f1 = strcat('nessus@', dest_name);
f2 = strcat('nessus@[', dest_ip, ']');

# Probe table: from_l[i] / to_l[i] are tried in order, one connection
# each, until one is accepted.
i= 0;
# plain third-party sender
from_l[i] = strcat("nobody@", domain); to_l[i] = t1; i ++;
# sender in a random (unresolvable) subdomain
from_l[i] = strcat("nessus@", rand_str(), ".", domain); to_l[i] = t1; i ++;
# sender at localhost
from_l[i] = "nessus@localhost"; to_l[i] = t1; i ++;
# unqualified sender (no domain part)
from_l[i] = "nessus"; to_l[i] = t1; i ++;
# null sender, MAIL FROM:<>  (listed twice in the published script)
from_l[i] = ""; to_l[i] = t1; i ++;
from_l[i] = ""; to_l[i] = t1; i ++;
# sender pretending to be local to the target, by host name
from_l[i] = strcat("nessus@", dest_name); to_l[i] = t1; i ++;
# ...and by IP address literal
from_l[i] = strcat("nessus@[", dest_ip, "]"); to_l[i] = t1; i ++;
# "percent hack" recipients (user%domain@target) are disabled in the
# published script; kept here as-is.
#from_l[i] = strcat("nessus@", dest_name);
#to_l[i] = strcat("nobody%", domain, "@", dest_name);
#i ++;
#from_l[i] = strcat("nessus@", dest_name);
#to_l[i] = strcat("nobody%", domain, "@[", dest_ip, "]");
#i ++;
# recipient with a second "@target" appended
from_l[i] = strcat("nessus@", dest_name); to_l[i] = strcat('nobody@', domain, '@', dest_name); i ++;
# quoted local part "nobody@domain"@[target-ip]
from_l[i] = strcat("nessus@", dest_name); to_l[i] = strcat('"nobody@', domain, '"@[', dest_ip, ']'); i ++;
from_l[i] = f1; to_l[i] = strcat('nobody@', domain, '@[', dest_ip, ']'); i ++;
# source routes: @target:nobody@domain
from_l[i] = f2; to_l[i] = strcat('@', dest_name, ':nobody@', domain); i ++;
from_l[i] = f1; to_l[i] = strcat('@[', dest_ip, ']:nobody@', domain); i ++;
# UUCP bang path: domain!nobody@[target-ip]
from_l[i] = f1; to_l[i] = strcat(domain, '!nobody@[', dest_ip, ']'); i ++;
# sender claiming to be the target's postmaster
from_l[i] = strcat('postmaster@', dest_name); to_l[i] = t1; i ++;

rep = '';

# Explicit HELO with the scanner's own host name; the reply is discarded.
send(socket: soc, data: strcat('HELO ', src_name, '\r\n'));
smtp_recv_line(socket: soc);

# Loop ends when the table runs out (both entries unset) or when a
# reconnection fails (soc is NULL).
for (i = 0; soc && (from_l[i] || to_l[i]); i ++)
{
  mf = strcat('MAIL FROM: <', from_l[i], '>\r\n');
  send(socket: soc, data: mf);
  l = smtp_recv_line(socket: soc);
  if (! l || l =~ '^5[0-9][0-9]')
  {
    # Sender rejected (or no reply): start over on a new connection.
    # NOTE(review): this path reopens with helo:domain while the other
    # path below reopens with helo:NULL; presumably smtp_open() sends
    # its own HELO in both cases -- confirm in smtp_func.inc.
    smtp_close(socket: soc);
    soc = smtp_open(port: port, helo: domain);
  }
  else
  {
    rt = strcat('RCPT TO: <', to_l[i], '>\r\n');
    send(socket: soc, data: rt);
    l = smtp_recv_line(socket: soc);
    if (l =~ '^2[0-9][0-9]')
    {
      flag = 1;
      # Postfix may defer the error message until the DATA command.
      send(socket: soc, data: 'DATA\r\n');
      l = smtp_recv_line(socket: soc);
      if (l =~ '^3[0-9][0-9]')
      {
        flag = 1;
        # Violently close the socket so that we do not send an empty message
        close(soc);
        soc = NULL;
      }
      else flag = 0;
      if (flag)
      {
        # Strip the CRLFs for the report and stop at the first working trick.
        mf -= '\r\n';
        rt -= '\r\n';
        rep = strcat(rep, '\t', mf, '\n\t', rt, '\n\n');
        break;
      }
    }
    # Recipient or DATA refused: fresh connection for the next probe.
    if (soc != NULL) smtp_close(socket: soc);
    soc = smtp_open(port: port, helo: NULL);
  }
}

if (rep)
{
  security_hole(port: port, extra: strcat('\nNessus was able to relay mails by sending those sequences :\n\n', rep));
  # Same KB keys as plugin 10262, so downstream plugins see one flag.
  set_kb_item(name:"SMTP/" + port + "/spam", value:TRUE);
  set_kb_item(name:"SMTP/spam", value:TRUE);
}
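NASL family SMTP problems NASL id SMTP_RELAY.NASL description Nessus has detected that the remote SMTP server allows mail relaying. This issue allows any spammer to use your mail server to send their mail to the world, thus flooding your network bandwidth and possibly getting your mail server blacklisted. last seen 2020-06-01 modified 2020-06-02 plugin id 10262 published 1999-06-22 reporter This script is Copyright (C) 1999-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/10262 title MTA Open Mail Relaying Allowed code
#
# (C) Tenable Network Security, Inc.
#
# Basic open-relay probe: HELO as a third-party domain, then attempt to
# send from test_1@<domain> to test_2@<domain>.  If RCPT TO is accepted
# and DATA is answered with 3xx, the server relays for anyone.  The probe
# is run twice, the second time after a bogus AUTH CRAM-MD5 exchange.
#
# Review fix against the published version: every early "return(0)"
# left the socket open; each now closes it first.
#

include('compat.inc');

if(description)
{
  script_id(10262);
  script_version ("1.63");
  script_cvs_date("Date: 2019/10/11 16:09:41");

  script_cve_id( "CVE-1999-0512", "CVE-2002-1278", "CVE-2003-0285" );
  script_bugtraq_id( 7580, 8196, 83209 );

  script_name(english:"MTA Open Mail Relaying Allowed");
  script_summary(english:"Checks if the remote mail server can be used to relay email.");

  script_set_attribute(attribute:"synopsis", value:
"An open SMTP relay is running on the remote host.");
  script_set_attribute(attribute:"description", value:
"Nessus has detected that the remote SMTP server allows mail relaying. This issue allows any spammer to use your mail server to send their mail to the world, thus flooding your network bandwidth and possibly getting your mail server blacklisted.");
  script_set_attribute(attribute:"solution", value:
"Reconfigure your SMTP server so that it cannot be used as an indiscriminate SMTP relay. 
Make sure that the server uses appropriate access controls to limit the extent to which relaying is possible.");

  # NOTE(review): the CVSSv2 vector scores C:C/I:C/A:C (10.0) while the
  # CVSSv3 vector and the sibling relay plugins (11852, 118017) score
  # availability only.  cvss_score_source names CVE-1999-0512, so the v2
  # score is presumably inherited from that CVE rather than derived from
  # the relay condition itself.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:X/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0512");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Email_spam");
  script_set_attribute(attribute:"vuln_publication_date", value:"1990/01/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SMTP problems");
  script_copyright(english:"This script is Copyright (C) 1999-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  script_dependencies("smtpserver_detect.nasl", "sendmail_expn.nasl", "smtp_settings.nasl");
  script_exclude_keys("SMTP/wrapped", "SMTP/qmail");
  script_require_ports("Services/smtp", 25);
  exit(0);
}

#
# The script code starts here
#

include('global_settings.inc');
include('misc_func.inc');
include('network_func.inc');
include('smtp_func.inc');

# Private, local-net and localhost targets are skipped: a relay decision
# made for a scanner on the inside says nothing about outside abuse.
# Paranoid reporting overrides only the private-address case.
if (is_private_addr()&& report_paranoia < 2)
  exit(0, 'This check is not effective when the target is on a private network.');
# can't perform this test on localhost
if(islocalhost())exit(0, 'This check is not effective when the target is the localhost.');
# can't perform this test on the local net
if(islocalnet())exit(0, 'This check is not effective when the target is on the local network.');

port = get_service(svc:'smtp', default:25, exit_on_fail:TRUE);
if (get_kb_item('SMTP/'+port+'/broken'))
  exit(0, 'The SMTP server on port '+port+' is broken.');

domain = get_kb_item('Settings/third_party_domain');
if (!domain) domain = 'example.edu';

# Run one relay attempt on a fresh TCP connection.
#
#   tryauth - when non-zero, send a bogus AUTH CRAM-MD5 exchange before
#             MAIL FROM (presumably to catch servers that relax relay
#             restrictions for any client that merely attempts AUTH).
#
# Reads the script globals port and domain.  On success, reports and sets
# the SMTP/spam KB keys.  Whenever the server rejects a step, the socket
# is closed and 0 is returned.  The function exits the script outright
# when the connection or banner cannot be obtained.
function smtp_test_relay(tryauth)
{
  local_var crp, data, i, r, report, soc, trace;

  soc = open_sock_tcp(port);
  if (!soc) exit(1, "Can't open socket on port "+port+'.');

  data = smtp_recv_banner(socket:soc);
  if (!data)
  {
    close(soc);
    exit(1, 'Failed to receive the banner from the SMTP server on port '+port+'.');
  }
  # trace collects the dialogue for the verbose report.
  trace = 'S : ' + data;

  # HELO as the third-party domain; anything but a single-line 2xx ends
  # the test.
  crp = 'HELO ' + domain + '\r\n';
  trace = trace + 'C : ' + crp;
  send(socket:soc, data:crp);
  data = recv_line(socket:soc, length:1024);
  if(!preg(pattern:"^2[0-9][0-9] .*", string:data))
  {
    close(soc);
    return(0);
  }
  trace = trace + 'S : ' + data;

  if(tryauth)
  {
    crp = 'AUTH CRAM-MD5\r\n';
    trace = trace + 'C : ' + crp;
    send(socket:soc, data:crp);
    data = recv_line(socket:soc, length:1024);
    if(!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
    {
      close(soc);
      return(0);
    }
    trace = trace + 'S : ' + data;

    # Canned CRAM-MD5 response.  The server's challenge is ignored, so
    # this cannot be a legitimate login; a 2xx/3xx here or a successful
    # relay afterwards is what the test is looking for.
    crp = 'ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2Z==\r\n';
    trace = trace + 'C : ' + crp;
    send(socket:soc, data:crp);
    data = recv_line(socket:soc, length:1024);
    if(!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
    {
      close(soc);
      return(0);
    }
    trace = trace + 'S : ' + data;
  }

  # Sender and recipient are both in the third-party domain, i.e.
  # neither belongs to the target; accepting the pair means relaying.
  crp = 'MAIL FROM: <test_1@' + domain + '>\r\n';
  trace = trace + 'C : ' + crp;
  send(socket:soc, data:crp);
  data = recv_line(socket:soc, length:1024);
  if(!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
  {
    close(soc);
    return(0);
  }
  trace = trace + 'S : ' + data;

  crp = 'RCPT TO: <test_2@' + domain + '>\r\n';
  trace = trace + 'C : ' + crp;
  send(socket:soc, data:crp);
  i = recv_line(socket:soc, length:1024);
  if(preg(pattern:'^250 ', string:i))
  {
    trace = trace + 'S : ' + i;

    # Some MTAs only reject the recipient at DATA, so require a 3xx
    # there before calling it a relay.
    crp = 'DATA\r\n';
    trace = trace + 'C : ' + crp;
    send(socket:soc, data:crp);
    r = recv_line(socket:soc, length:1024);
    if(preg(pattern:"^3[0-9][0-9] .*", string:r))
    {
      trace = trace + 'S : ' + r;
      if (report_verbosity > 0)
      {
        trace = '\n ' + str_replace(find:'\n', replace:'\n ', string:trace);
        trace = chomp(trace);
        report = '\nHere is a trace of the traffic that demonstrates the issue :' + '\n' + trace;
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      # SMTP/<port>/spam also tells plugin 11852 to skip its probes.
      set_kb_item(name:'SMTP/spam', value:TRUE);
      set_kb_item(name:'SMTP/' + port + '/spam', value:TRUE);
    }
  }

  # No message body and no terminating "." are ever sent: dropping the
  # connection here abandons the DATA phase, so nothing is relayed.
  close(soc);
}

smtp_test_relay(tryauth: 0);
smtp_test_relay(tryauth: 1);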
References
- http://marc.info/?l=bugtraq&m=105284689228961&w=2
- http://security.sdsc.edu/advisories/2003.05.13-AIX-sendmail.txt
- http://www.kb.cert.org/vuls/id/814617
- http://www.securityfocus.com/bid/7580
- https://exchange.xforce.ibmcloud.com/vulnerabilities/11993