CVE-2003-0540 - Denial of Service vulnerability in Multiple Postfix
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | NONE |
Integrity impact | NONE |
Availability impact | PARTIAL |

Summary
The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
OS | | 2 |
Exploit-Db
Field | Value |
---|---|
description | Postfix 1.1.x Denial of Service Vulnerabilities (2). CVE-2003-0540. Dos exploit for linux platform |
id | EDB-ID:22982 |
last seen | 2016-02-02 |
modified | 2003-08-04 |
published | 2003-08-04 |
reporter | [email protected] |
source | https://www.exploit-db.com/download/22982/ |
title | Postfix 1.1.x - Denial of Service Vulnerabilities 2 |

Field | Value |
---|---|
description | Postfix 1.1.x Denial of Service Vulnerabilities (1). CVE-2003-0540. Dos exploit for linux platform |
id | EDB-ID:22981 |
last seen | 2016-02-02 |
modified | 2003-08-04 |
published | 2003-08-04 |
reporter | r3b00t |
source | https://www.exploit-db.com/download/22981/ |
title | Postfix 1.1.x - Denial of Service Vulnerabilities 1 |
Nessus
Field | Value |
---|---|
NASL family | SMTP problems |
NASL id | POSTFIX_VULNS.NASL |
description | The remote host is running a version of Postfix that is as old as or older than 1.1.12. There are two vulnerabilities in this version that could allow an attacker to remotely disable it, or to be used as a DDoS agent against arbitrary hosts. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11820 |
published | 2003-08-15 |
reporter | This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/11820 |
title | Postfix < 2.0 Multiple Vulnerabilities |

code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(11820);
  script_version("1.24");
  script_cvs_date("Date: 2018/09/24 9:27:18");

  script_cve_id("CVE-2003-0468", "CVE-2003-0540");
  script_bugtraq_id(8361, 8362);
  script_xref(name:"RHSA", value:"2003:251-01");
  script_xref(name:"SuSE", value:"SUSE-SA:2003:033");

  script_name(english:"Postfix < 2.0 Multiple Vulnerabilities");
  script_summary(english: "Checks the version of the remote Postfix daemon");

  script_set_attribute(attribute:"synopsis", value:
"The remote server is vulnerable to a denial of service.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Postfix that is as old as or older than 1.1.12.
There are two vulnerabilities in this version that could allow an attacker to remotely disable it, or to be used as a DDoS agent against arbitrary hosts.");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Postfix 2.0.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2003-0468");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");

  script_set_attribute(attribute:"plugin_publication_date", value:"2003/08/15");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/08/03");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postfix:postfix");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english: "SMTP problems");

  script_dependencies("smtpscan.nasl", "smtpserver_detect.nasl");
  script_require_ports("Services/smtp", 25);
  script_require_keys("Settings/ParanoidReport");
  exit(0);
}

include("global_settings.inc");
include("audit.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_kb_item("Services/smtp");
if(!port)port = 25;

banner = get_kb_item("smtp/" + port + "/real_banner");
if(!banner) banner = get_kb_item_or_exit("smtp/" + port + "/banner");

if(preg(pattern:".*Postfix 1\.(0\..*|1\.([0-9][^0-9]|1[0-2]))", string:banner)||
   preg(pattern:".*Postfix 2001.*", string:banner))
{
  security_warning(port);
}
```
Field | Value |
---|---|
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SA_2003_033.NASL |
description | The remote host is missing the patch for the advisory SUSE-SA:2003:033 (postfix). Postfix is a flexible MTA replacement for sendmail. Michal Zalewski has reported problems in postfix which can lead to a remote DoS attack or allow attackers to bounce-scan private networks. These problems have been fixed. Even though not all of our products are vulnerable in their default configurations, the updates should be applied. In order for the update to take effect, you have to restart your MTA by issuing the following command as root: |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 13802 |
published | 2004-07-25 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/13802 |
title | SUSE-SA:2003:033: postfix |

Field | Value |
---|---|
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-363.NASL |
description | The postfix mail transport agent in Debian 3.0 contains two vulnerabilities: - CAN-2003-0468: Postfix would allow an attacker to bounce-scan private networks or use the daemon as a DDoS tool by forcing the daemon to connect to an arbitrary service at an arbitrary IP address and either receiving a bounce message or observing queue operations to infer the status of the delivery attempt. - CAN-2003-0540: a malformed envelope address can 1) cause the queue manager to lock up until an entry is removed from the queue and 2) lock up the smtp listener leading to a denial of service. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 15200 |
published | 2004-09-29 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/15200 |
title | Debian DSA-363-1 : postfix - denial of service, bounce-scanning |

Field | Value |
---|---|
NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2003-081.NASL |
description | Two vulnerabilities were discovered in the postfix MTA by Michal Zalewski. Versions prior to 1.1.12 would allow an attacker to bounce-scan private networks or use the daemon as a DDoS (Distributed Denial of Service) tool by forcing the daemon to connect to an arbitrary service at an arbitrary IP address and receiving either a bounce message or by timing. As well, versions prior to 1.1.12 have a bug where a malformed envelope address can cause the queue manager to lock up until an entry is removed from the queue and also lock up the SMTP listener leading to a DoS. Postfix version 1.1.13 corrects these issues. The provided packages have been patched to fix the vulnerabilities. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 14063 |
published | 2004-07-31 |
reporter | This script is Copyright (C) 2004-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/14063 |
title | Mandrake Linux Security Advisory : postfix (MDKSA-2003:081) |
Oval
Field | Value |
---|---|
accepted | 2010-09-20T04:00:28.470-04:00 |
class | vulnerability |
contributors | |
description | The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. |
family | unix |
id | oval:org.mitre.oval:def:544 |
status | accepted |
submitted | 2003-09-02T12:00:00.000-04:00 |
title | Denial of Service Vulnerability in Postfix Parser Code |
version | 40 |
Redhat
advisories | |
Seebug
Field | Value |
---|---|
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:76766 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-76766 |
title | Postfix 1.1.x Denial of Service Vulnerabilities (1) |

Field | Value |
---|---|
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:76767 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-76767 |
title | Postfix 1.1.x Denial of Service Vulnerabilities (2) |
References
- http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000717
- http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/007693.html
- http://marc.info/?l=bugtraq&m=106001525130257&w=2
- http://marc.info/?l=bugtraq&m=106029188614704&w=2
- http://secunia.com/advisories/9433
- http://www.debian.org/security/2003/dsa-363
- http://www.kb.cert.org/vuls/id/895508
- http://www.linuxsecurity.com/advisories/engarde_advisory-3517.html
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:081
- http://www.novell.com/linux/security/advisories/2003_033_postfix.html
- http://www.redhat.com/support/errata/RHSA-2003-251.html
- http://www.securityfocus.com/bid/8333
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A544