Vulnerabilities > CVE-2011-1431 - Unspecified vulnerability in Frederik Vermeulen Netqmail 1.06

CVSS 6.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

frederik-vermeulen

nessus

NVD

Published: 2011-03-16

Updated: 2017-08-17

Summary

The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. Per: http://cwe.mitre.org/data/definitions/77.html Improper Neutralization of Special Elements used in a Command ('Command Injection')

Vulnerable Configurations

Part	Description	Count
Application	Frederik_Vermeulen Frederik Vermeulen Netqmail 1.06	1

Nessus

NASL family	SMTP problems
NASL id	SMTP_STARTTLS_PLAINTEXT_INJECTION.NASL
description	The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim
last seen	2020-06-01
modified	2020-06-02
plugin id	52611
published	2011-03-10
reporter	This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/52611
title	SMTP Service STARTTLS Plaintext Command Injection
code	# # (C) Tenable Network Security, Inc. # if ( NASL_LEVEL < 4000 ) exit(0); include("compat.inc"); if (description) { script_id(52611); script_version("1.21"); script_cvs_date("Date: 2019/03/06 18:38:55"); script_cve_id( "CVE-2011-0411", "CVE-2011-1430", "CVE-2011-1431", "CVE-2011-1432", "CVE-2011-1506", "CVE-2011-2165" ); script_bugtraq_id(46767); script_xref(name:"CERT", value:"555316"); script_name(english:"SMTP Service STARTTLS Plaintext Command Injection"); script_summary(english:"Tries to inject a command along with STARTTLS"); script_set_attribute( attribute:"synopsis", value: "The remote mail service allows plaintext command injection while negotiating an encrypted communications channel." ); script_set_attribute( attribute:"description", value: "The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials." ); script_set_attribute( attribute:"see_also", value:"https://tools.ietf.org/html/rfc2487" ); script_set_attribute( attribute:"see_also", value:"https://www.securityfocus.com/archive/1/516901/30/0/threaded" ); script_set_attribute( attribute:"solution", value:"Contact the vendor to see if an update is available." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/10"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"SMTP problems"); script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc."); script_dependencies("smtp_starttls.nasl"); script_require_ports("Services/smtp", 25); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("smtp_func.inc"); port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE); if (!get_kb_item("smtp/"+port+"/starttls")) { if (get_kb_item("smtp/"+port+"/starttls_tested")) exit(0, "The SMTP server on port "+port+" does not support STARTTLS."); encaps = get_kb_item("Transports/TCP/"+port); if (encaps && encaps > ENCAPS_IP) exit(0, "The SMTP server on port "+port+" always encrypts traffic."); } soc = smtp_open(port:port, helo:compat::this_host()); if (!soc) exit(1, "Can't open socket on port "+port+"."); # Send the exploit. c = 'STARTTLS\r\nRSET\r\n'; send(socket:soc, data:c); s1 = smtp_recv_line(socket:soc); if (strlen(s1)) s1 = chomp(s1); if (strlen(s1) < 4) { smtp_close(socket:soc); if (strlen(s1)) errmsg = "The SMTP server on port "+port+" sent an invalid response (" + s1 + ")."; else errmsg = "The SMTP server on port "+port+" failed to respond to a 'STARTTLS' command."; exit(1, errmsg); } if (substr(s1, 0, 2) != "220") exit(1, "The SMTP server on port "+port+" did not accept the command (", s1, ")."); # nb: finally, we need to make sure the second command worked. soc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1); if (!soc) exit(1, "Failed to negotiate a TLS connection with the SMTP server on port "+port+"."); s2 = smtp_recv_line(socket:soc); if (strlen(s2)) s2 = chomp(s2); smtp_close(socket:soc); if (strlen(s2) == 0) exit(0, "The SMTP server on port "+port+" does not appear to be affected."); else { if (strlen(s2) >= 3 && substr(s2, 0, 2) == "250") { if (report_verbosity > 0) { report = '\n' + 'Nessus sent the following two commands in a single packet :' + '\n' + '\n' + ' ' + str_replace(find:'\r\n', replace:'\\r\\n', string:c) + '\n' + '\n' + 'And the server sent the following two responses :' + '\n' + '\n' + ' ' + s1 + '\n' + ' ' + s2 + '\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else exit(0, "The SMTP server on port "+port+" does not appear to be affected as it responded '" + s2 + "'."); }

Summary

Vulnerable Configurations

Nessus

References