Vulnerabilities > CVE-2003-0285 - Unspecified vulnerability in IBM AIX

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE

Summary

IBM AIX 5.2 and earlier distributes Sendmail with a configuration file (sendmail.cf) with the (1) promiscuous_relay, (2) accept_unresolvable_domains, and (3) accept_unqualified_senders features enabled, which allows Sendmail to be used as an open mail relay for sending spam e-mail.

Nessus

  • NASL family: SMTP problems
    NASL id: INTERNAL_SMTP_RELAY_DETECTION.NASL
    description: Nessus has detected that this internal SMTP server allows mail relaying.
    last seen: 2020-06-02
    modified: 2018-10-10
    plugin id: 118017
    published: 2018-10-10
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118017
    title: MTA Open Mail Relaying Allowed (internal)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: the scanner loads the plugin with 'description' set,
    # records the metadata below and exits. No traffic is sent from here.
    if(description)
    {
      script_id(118017);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01");
    
      # Same CVE / BID set as the sibling open-relay plugins 11852 and 10262
      # shown further down this page.
      script_cve_id(
        "CVE-1999-0512",
        "CVE-2002-1278",
        "CVE-2003-0285"
      );
      script_bugtraq_id(
        7580,
        8196,
        83209
      );
    
      script_name(english:"MTA Open Mail Relaying Allowed (internal)"); 
      script_summary(english:"Checks if the internal mail server can be used to relay email.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An open SMTP relay is running on the host.");
      script_set_attribute(attribute:"description", value:
    "Nessus has detected that this internal SMTP server allows mail relaying.");
      script_set_attribute(attribute:"solution", value:"Reconfigure your 
    SMTP server so that it cannot be used as an
    indiscriminate SMTP relay. Make sure that the server uses appropriate
    access controls to limit the extent to which relaying is possible.");
      # Availability-only vectors. cvss_score_source "manual" and the rationale
      # below record that the score was set by Tenable rather than taken from a CVE.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:X/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"manual");
      script_set_attribute(attribute:"cvss_score_rationale", value:"score from a more in depth analysis done by Tenable");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Open_mail_relay");
     
      script_set_attribute(attribute:"vuln_publication_date", value:"1990/01/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/10");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"SMTP problems");
    
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smtpserver_detect.nasl", "sendmail_expn.nasl", "smtp_settings.nasl");
      # Not run when the SMTP/wrapped or SMTP/qmail KB keys are set. Requires a
      # paranoid scan; the script body re-checks this through report_paranoia.
      script_exclude_keys("SMTP/wrapped", "SMTP/qmail");
      script_require_ports("Services/smtp", 25);
      script_require_keys("Settings/ParanoidReport");
    
      exit(0);
    }
    
    include('global_settings.inc');
    include('misc_func.inc');
    include('network_func.inc');
    include("smtp_func.inc");
    
    # Paranoid scans only (the description block also requires Settings/ParanoidReport).
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    # Only hosts with a private address are in scope for this plugin.
    if (!is_private_addr()) exit(0, "This check is only intended for internal SMTP open relays.");
    
    # SMTP port; a server an earlier plugin marked as broken is skipped.
    port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
    if (get_kb_item('SMTP/'+port+'/broken')) exit(0, "The SMTP server on port "+port+" is broken.");
    
    # Third-party domain from the scan policy (Assessment > SMTP), defaulting to example.edu.
    domain = get_kb_item("Settings/third_party_domain");
    if (!domain) domain = 'example.edu';
    
    # perform the SMTP communication
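    # Drive one relay attempt against the SMTP service on 'port'.
    #
    # tryauth : when non-zero, an AUTH CRAM-MD5 dialogue with a canned response
    #           is run before MAIL FROM, to see whether the server relays for a
    #           client that merely went through the AUTH exchange.
    #
    # An open relay is reported (security_report_v4 plus the SMTP/relay and
    # SMTP/<port>/relay KB keys) when RCPT TO for an address in the third-party
    # domain is answered with 250 and DATA with 3xx. Returns 0 as soon as a
    # response does not carry the expected code. Calls exit(1, ...) when the
    # socket cannot be opened or no banner arrives.
    #
    # Fixes: (1) the AUTH command and its response were double-quoted, and NASL
    # does not interpret escapes inside double-quoted strings, so the four
    # literal characters "\r\n" were sent instead of CRLF and the exchange
    # could not complete; every command is now single-quoted, as in plugin
    # 10262. (2) the early returns left the socket open; each now closes it.
    function smtp_test_relay(tryauth)
    {
      local_var crp, data, i, r, report, soc, trace;
    
      soc = open_sock_tcp(port);
      if (!soc) exit(1, "Can't open socket on port "+port+".");
      data = smtp_recv_banner(socket:soc);
      if (!data)
      {
        close(soc);
        exit(1, "Failed to receive the banner from the SMTP server on port "+port+".");
      }
      # 'trace' accumulates the dialogue for the report, one "C :"/"S :" line per message.
      trace = 'S : ' + data;
    
      crp = 'HELO ' + domain + '\r\n';
      trace = trace + 'C : ' + crp;
      send(socket:soc, data:crp);
      data = recv_line(socket:soc, length:1024);
      if (!preg(pattern:"^2[0-9][0-9] .*", string:data))
      {
        close(soc);
        return(0);
      }
      trace = trace + 'S : ' + data;
    
      if (tryauth)
      {
        crp = 'AUTH CRAM-MD5\r\n';
        trace = trace + 'C : ' + crp;
        send(socket:soc, data:crp);
        data = recv_line(socket:soc, length:1024);
        if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
        {
          close(soc);
          return(0);
        }
        trace = trace + 'S : ' + data;
    
        # Canned CRAM-MD5 response (the same fixed value plugin 10262 sends).
        crp = 'ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2Z==\r\n';
        trace = trace + 'C : ' + crp;
        send(socket:soc, data:crp);
        data = recv_line(socket:soc, length:1024);
        if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
        {
          close(soc);
          return(0);
        }
        trace = trace + 'S : ' + data;
      }
    
      crp = 'MAIL FROM: <test_1@' + domain + '>\r\n';
      trace = trace + 'C : ' + crp;
      send(socket:soc, data:crp);
      data = recv_line(socket:soc, length:1024);
      if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
      {
        close(soc);
        return(0);
      }
      trace = trace + 'S : ' + data;
    
      # Both sender and recipient live in the third-party domain, so accepting the
      # recipient means relaying for a domain the server is not responsible for.
      crp = 'RCPT TO: <test_2@' + domain + '>\r\n';
      trace = trace + 'C : ' + crp;
      send(socket:soc, data:crp);
      i = recv_line(socket:soc, length:1024);
      if (preg(pattern:"^250 ", string:i))
      {
        trace = trace + 'S : ' + i;
        # Some servers only reject at DATA, so the verdict is taken from its reply.
        crp = 'DATA\r\n';
        trace = trace + 'C : ' + crp;
        send(socket:soc, data:crp);
        r = recv_line(socket:soc, length:1024);
        if (preg(pattern:"^3[0-9][0-9] .*", string:r))
        {
          trace = trace + 'S : ' + r;
          report = "An internal SMTP open relay has been detected.";
          if (report_verbosity > 0)
          {
            trace = '\n  ' + str_replace(find:'\n', replace:'\n  ', string:trace);
            trace = chomp(trace);
            report = report + '\nHere is a trace of the traffic that demonstrates the open relay :\n' + trace;
          }
          # report results (KB and output)
          set_kb_item(name:"SMTP/relay", value:TRUE);
          set_kb_item(name:"SMTP/" + port + "/relay", value:TRUE);
          security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
        }
      }
      close(soc);
    }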
    
    # Probe twice: once as an anonymous client, once after the AUTH CRAM-MD5 exchange.
    foreach mode (make_list(0, 1))
    {
      smtp_test_relay(tryauth: mode);
    }
    
  • NASL family: SMTP problems
    NASL id: SMTP_RELAY2.NASL
    description: Nessus has detected that the remote SMTP server is insufficiently protected against mail relaying. This issue allows any spammer to use your mail server to send their mail to the world, thus flooding your network bandwidth and possibly getting your mail server blacklisted.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11852
    published: 2003-09-26
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11852
    title: MTA Open Mail Relaying Allowed (thorough test)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # References
    # Date: Mon, 25 Aug 2003 05:38:53 -0700
    # From: "st0ff st0ff" <[email protected]>
    # Subject: Can NT4 SMTP Service be misused for mail spamming
    # To: [email protected]
    #
    # Date:	 Fri, 19 Sep 2003 16:47:45 +0200
    # De:	[email protected]
    # Subject:	Re: Can NT4 SMTP Service be misused for mail spamming
    # To:	[email protected]
    #
    
    include("compat.inc");
    
    # Registration branch: metadata only, the scanner exits here when it loads
    # the plugin with 'description' set.
    if(description)
    {
     script_id(11852);
     script_version ("1.25");
     script_cvs_date("Date: 2018/08/03 11:35:08");
    
     # Same CVE / BID set as plugins 118017 and 10262 on this page.
     script_cve_id(
      "CVE-1999-0512",
      "CVE-2002-1278",
      "CVE-2003-0285"
     );
     script_bugtraq_id(
      7580,
      8196,
      83209
     );
    
     script_name(english:"MTA Open Mail Relaying Allowed (thorough test)");
     script_summary(english:"Tries misc invalid tricks to circumvent anti-relay functions."); 
     
     script_set_attribute(attribute:"synopsis", value:
    "An open SMTP relay is running on the remote host." );
     script_set_attribute(attribute:"description", value:
    "Nessus has detected that the remote SMTP server is insufficiently
    protected against mail relaying. This issue allows any spammer to use
    your mail server to send their mail to the world, thus flooding your
    network bandwidth and possibly getting your mail server blacklisted.");
     script_set_attribute(attribute:"solution", value:
    "Reconfigure your SMTP server so that it cannot be used as an
    indiscriminate SMTP relay. Make sure that the server uses appropriate
    access controls to limit the extent to which relaying is possible.");
     # Availability-only vectors, matching plugin 118017.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:X/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Email_spam");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"1990/01/01");
     script_set_attribute(attribute:"plugin_publication_date", value: "2003/09/26");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"SMTP problems");
    
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    
     # script_dependencie is presumably the older alias of script_dependencies
     # (the other two plugins use the latter). smtp_relay.nasl runs first so
     # that a wide-open relay is already recorded in SMTP/<port>/spam.
     script_dependencie("smtpserver_detect.nasl", "sendmail_expn.nasl",
    	"smtp_relay.nasl", "smtp_settings.nasl");
     script_require_ports("Services/smtp", 25);
    
     exit(0);
    }
    
    #
    
    include("global_settings.inc");
    include("smtp_func.inc");
    include("misc_func.inc");
    include("network_func.inc");
    
    # Not meaningful against the scanner itself or a host on a private address.
    if (islocalhost() || is_private_addr()) exit(0);
    
    port = get_service(svc:"smtp", default: 25, exit_on_fail: 1);
    
    # Skip servers flagged as broken, and those already shown to be wide-open
    # relays (SMTP/<port>/spam): the "advanced" tricks add nothing there.
    if (get_kb_item('SMTP/'+port+'/broken') || get_kb_item("SMTP/" + port + "/spam")) exit(0);
    
    domain = get_kb_item("Settings/third_party_domain");
    if (! domain) domain = 'example.edu';
    
    # Initial session; helo:NULL presumably suppresses smtp_open's own HELO,
    # the probe loop below sends one explicitly.
    soc = smtp_open(port: port, helo: NULL);
    if (! soc) exit(0);
     
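    # Target identity used to build sender/recipient variants. (get_host_name()
    # was previously called twice for the same value; the duplicate is gone.)
    dest_name = get_host_name();
    dest_ip = get_host_ip();
    src_name = this_host_name();
    
    # Recipient in the third-party domain, and two sender forms naming the
    # target by host name and by address literal.
    t1 = strcat('nobody@', domain);
    f1 = strcat('nessus@', dest_name);
    f2 = strcat('nessus@[', dest_ip, ']');
    
    # Probe list: from_l[i] / to_l[i] are tried in order by the loop below. The
    # first entries vary only the sender; the later ones vary the recipient with
    # address forms (user@domain@host, quoted local part, "@host:user@domain"
    # source route, "domain!user" bang path) that a misconfigured MTA may
    # rewrite into a delivery to the third-party domain.
    i = 0;
    from_l[i] = strcat("nobody@", domain);
    to_l[i] = t1;
    i ++;
    from_l[i] = strcat("nessus@", rand_str(), ".", domain);
    to_l[i] = t1;
    i ++;
    from_l[i] = "nessus@localhost";
    to_l[i] = t1;
    i ++;
    from_l[i] = "nessus";
    to_l[i] = t1;
    i ++;
    from_l[i] = "";
    to_l[i] = t1;
    i ++;
    # NOTE(review): the empty-sender pair appears twice; the second copy looks
    # accidental, confirm before removing it.
    from_l[i] = "";
    to_l[i] = t1;
    i ++;
    from_l[i] = strcat("nessus@", dest_name);
    to_l[i] = t1;
    i ++;
    from_l[i] = strcat("nessus@[", dest_ip, "]");
    to_l[i] = t1;
    i ++;
    # The two '%'-style forms below were already disabled in the original list
    # and are not sent.
    #from_l[i] = strcat("nessus@", dest_name);
    #to_l[i] = strcat("nobody%", domain, "@", dest_name);
    #i ++;
    #from_l[i] = strcat("nessus@", dest_name);
    #to_l[i] = strcat("nobody%", domain, "@[", dest_ip, "]");
    #i ++;
    from_l[i] = strcat("nessus@", dest_name);
    to_l[i] = strcat('nobody@', domain, '@', dest_name);
    i ++;
    from_l[i] = strcat("nessus@", dest_name);
    to_l[i] = strcat('"nobody@', domain, '"@[', dest_ip, ']');
    i ++;
    from_l[i] = f1;
    to_l[i] = strcat('nobody@', domain, '@[', dest_ip, ']');
    i ++;
    from_l[i] = f2;
    to_l[i] = strcat('@', dest_name, ':nobody@', domain);
    i ++;
    from_l[i] = f1;
    to_l[i] = strcat('@[', dest_ip, ']:nobody@', domain);
    i ++;
    from_l[i] = f1;
    to_l[i] = strcat(domain, '!nobody@[', dest_ip, ']');
    i ++;
    from_l[i] = strcat('postmaster@', dest_name);
    to_l[i] = t1;
    i ++;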
    
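    # Walk the probe list. Each pair is sent on a fresh session, because a
    # rejected MAIL FROM or an accepted RCPT TO leaves state the next probe
    # should not inherit. 'rep' collects the first sequence that was accepted.
    #
    # Fixes: a dead 'flag = 1' assignment that was overwritten on both branches
    # is gone, and the session that the last iteration reopens (or that is still
    # open when no relay was found) is now closed before reporting.
    rep = '';
    send(socket: soc, data: strcat('HELO ', src_name, '\r\n'));
    smtp_recv_line(socket: soc);
    for (i = 0; soc && (from_l[i] || to_l[i]); i ++)
    {
      mf = strcat('MAIL FROM: <', from_l[i], '>\r\n');
      send(socket: soc, data: mf);
      l = smtp_recv_line(socket: soc);
      if (! l || l =~ '^5[0-9][0-9]')
      {
        # Sender rejected (or no answer): restart the session, this time
        # greeting with the third-party domain.
        smtp_close(socket: soc);
        soc = smtp_open(port: port, helo: domain);
      }
      else
      {
        rt = strcat('RCPT TO: <', to_l[i], '>\r\n');
        send(socket: soc, data: rt);
        l = smtp_recv_line(socket: soc);
        if (l =~ '^2[0-9][0-9]')
        {
          # Postfix may defer the error message until the DATA command.
          send(socket: soc, data: 'DATA\r\n');
          l = smtp_recv_line(socket: soc);
          if (l =~ '^3[0-9][0-9]')
          {
            # Relay accepted. Drop the connection without QUIT so that no
            # (empty) message is actually handed to the server.
            close(soc); soc = NULL;
            mf -= '\r\n'; rt -= '\r\n';
            rep = strcat(rep, '\t', mf, '\n\t', rt, '\n\n');
            break;
          }
        }
    
        if (soc != NULL) smtp_close(socket: soc);
        soc = smtp_open(port: port, helo: NULL);
      }
    }
    
    # A session is still open when the list was exhausted; release it.
    if (soc) smtp_close(socket: soc);
    
    if (rep)
    {
      security_hole(port: port, extra: strcat('\nNessus was able to relay mails by sending those sequences :\n\n', rep));
      set_kb_item(name:"SMTP/" + port + "/spam", value:TRUE);
      set_kb_item(name:"SMTP/spam", value:TRUE);
    }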
    
  • NASL family: SMTP problems
    NASL id: SMTP_RELAY.NASL
    description: Nessus has detected that the remote SMTP server allows mail relaying. This issue allows any spammer to use your mail server to send their mail to the world, thus flooding your network bandwidth and possibly getting your mail server blacklisted.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 10262
    published: 1999-06-22
    reporter: This script is Copyright (C) 1999-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/10262
    title: MTA Open Mail Relaying Allowed
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    # Registration branch: metadata only, the scanner exits here when it loads
    # the plugin with 'description' set.
    if(description)
    {
     script_id(10262);
     script_version ("1.63");
     script_cvs_date("Date: 2019/10/11 16:09:41");
    
     # Same CVE / BID set as plugins 118017 and 11852 on this page.
     script_cve_id(
      "CVE-1999-0512",
      "CVE-2002-1278",
      "CVE-2003-0285"
     );
     script_bugtraq_id(
      7580,
      8196,
      83209
     );
    
     script_name(english:"MTA Open Mail Relaying Allowed");
     script_summary(english:"Checks if the remote mail server can be used to relay email.");
     
     script_set_attribute(attribute:"synopsis", value:
    "An open SMTP relay is running on the remote host.");
     script_set_attribute(attribute:"description", value:
    "Nessus has detected that the remote SMTP server allows mail relaying.
    This issue allows any spammer to use your mail server to send their
    mail to the world, thus flooding your network bandwidth and possibly
    getting your mail server blacklisted.");
     script_set_attribute(attribute:"solution", value:
    "Reconfigure your SMTP server so that it cannot be used as an
    indiscriminate SMTP relay. Make sure that the server uses appropriate
    access controls to limit the extent to which relaying is possible.");
     # NOTE(review): this CVSS2 base vector (C:C/I:C/A:C) disagrees with the
     # CVSSv3 vector below (C:N/I:N/A:H) and with the CVSS2 vector plugins 118017
     # and 11852 use (C:N/I:N/A:C); cvss_score_source points at CVE-1999-0512.
     # Confirm which is intended.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:ND/RC:C");
     script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
     script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:X/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0512");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"see_also", value:"https://en.wikipedia.org/wiki/Email_spam");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"1990/01/01");
     script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");
    
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"SMTP problems");
    
      script_copyright(english:"This script is Copyright (C) 1999-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
     script_dependencies("smtpserver_detect.nasl", "sendmail_expn.nasl", "smtp_settings.nasl");
     # Not run when the SMTP/wrapped or SMTP/qmail KB keys are set.
     script_exclude_keys("SMTP/wrapped", "SMTP/qmail");
     script_require_ports("Services/smtp", 25);
    
     exit(0);
    }
    
    #
    # The script code starts here
    #
    
    include('global_settings.inc');
    include('misc_func.inc');
    include('network_func.inc');
    include('smtp_func.inc');
    
    # Relay tests against a private-address target are only run in paranoid scans.
    if (is_private_addr() && report_paranoia < 2)
    {
      exit(0, 'This check is not effective when the target is on a private network.');
    }
    
    # Never meaningful against the scanner itself or its own network segment.
    if (islocalhost())
    {
      exit(0, 'This check is not effective when the target is the localhost.');
    }
    if (islocalnet())
    {
      exit(0, 'This check is not effective when the target is on the local network.');
    }
    
    # SMTP port, skipping a server an earlier plugin marked as broken.
    port = get_service(svc:'smtp', default:25, exit_on_fail:TRUE);
    if (get_kb_item('SMTP/'+port+'/broken'))
    {
      exit(0, 'The SMTP server on port '+port+' is broken.');
    }
    
    # Third-party domain from the scan settings, defaulting to example.edu.
    domain = get_kb_item('Settings/third_party_domain');
    if (!domain) domain = 'example.edu';
    
     
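    # Drive one relay attempt against the SMTP service on 'port'.
    #
    # tryauth : when non-zero, an AUTH CRAM-MD5 dialogue with a canned response
    #           is run before MAIL FROM, to see whether the server relays for a
    #           client that merely went through the AUTH exchange.
    #
    # Relaying is reported (security_hole, plus the SMTP/spam and
    # SMTP/<port>/spam KB keys) when RCPT TO for an address in the third-party
    # domain is answered with 250 and DATA with 3xx. Returns 0 as soon as a
    # response does not carry the expected code. Calls exit(1, ...) when the
    # socket cannot be opened or no banner arrives.
    #
    # Fix: the early returns left the socket open. The function is called twice
    # per scan, so the first call's session stayed dangling while the second
    # opened another one; every return path now closes the socket first.
    function smtp_test_relay(tryauth)
    {
      local_var crp, data, i, r, report, soc, trace;
    
      soc = open_sock_tcp(port);
      if (!soc) exit(1, "Can't open socket on port "+port+'.');
      data = smtp_recv_banner(socket:soc);
      if (!data)
      {
        close(soc);
        exit(1, 'Failed to receive the banner from the SMTP server on port '+port+'.');
      }
      # 'trace' accumulates the dialogue for the report, one "C :"/"S :" line per message.
      trace = 'S : ' + data;
    
      crp = 'HELO ' + domain + '\r\n';
      trace = trace + 'C : ' + crp;
      send(socket:soc, data:crp);
      data = recv_line(socket:soc, length:1024);
      if (!preg(pattern:"^2[0-9][0-9] .*", string:data))
      {
        close(soc);
        return(0);
      }
      trace = trace + 'S : ' + data;
    
      if (tryauth)
      {
        crp = 'AUTH CRAM-MD5\r\n';
        trace = trace + 'C : ' + crp;
        send(socket:soc, data:crp);
        data = recv_line(socket:soc, length:1024);
        if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
        {
          close(soc);
          return(0);
        }
        trace = trace + 'S : ' + data;
    
        # Canned CRAM-MD5 response (the same fixed value plugin 118017 sends).
        crp = 'ZnJlZCA5ZTk1YWVlMDljNDBhZjJiODRhMGMyYjNiYmFlNzg2Z==\r\n';
        trace = trace + 'C : ' + crp;
        send(socket:soc, data:crp);
        data = recv_line(socket:soc, length:1024);
        if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
        {
          close(soc);
          return(0);
        }
        trace = trace + 'S : ' + data;
      }
    
      crp = 'MAIL FROM: <test_1@' + domain + '>\r\n';
      trace = trace + 'C : ' + crp;
      send(socket:soc, data:crp);
      data = recv_line(socket:soc, length:1024);
      if (!preg(pattern:"^[2-3][0-9][0-9] .*", string:data))
      {
        close(soc);
        return(0);
      }
      trace = trace + 'S : ' + data;
    
      # Both sender and recipient live in the third-party domain, so accepting the
      # recipient means relaying for a domain the server is not responsible for.
      crp = 'RCPT TO: <test_2@' + domain + '>\r\n';
      trace = trace + 'C : ' + crp;
      send(socket:soc, data:crp);
      i = recv_line(socket:soc, length:1024);
      if (preg(pattern:'^250 ', string:i))
      {
        trace = trace + 'S : ' + i;
        # Some servers only reject at DATA, so the verdict is taken from its reply.
        crp = 'DATA\r\n';
        trace = trace + 'C : ' + crp;
        send(socket:soc, data:crp);
        r = recv_line(socket:soc, length:1024);
        if (preg(pattern:"^3[0-9][0-9] .*", string:r))
        {
          trace = trace + 'S : ' + r;
          if (report_verbosity > 0)
          {
            trace = '\n  ' + str_replace(find:'\n', replace:'\n  ', string:trace);
            trace = chomp(trace);
    
            report =
              '\nHere is a trace of the traffic that demonstrates the issue :' +
              '\n' + trace;
            security_hole(port:port, extra:report);
          }
          else security_hole(port);
          set_kb_item(name:'SMTP/spam', value:TRUE);
          set_kb_item(name:'SMTP/' + port + '/spam', value:TRUE);
        }
      }
      close(soc);
    }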
    
    # Probe twice: once as an anonymous client, once after the AUTH CRAM-MD5 exchange.
    foreach mode (make_list(0, 1))
    {
      smtp_test_relay(tryauth: mode);
    }