CVE-2011-1432 - Unspecified vulnerability in SCO Scoofficeserver

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, sco, nessus

Summary

The STARTTLS implementation in SCO SCOoffice Server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place. This is a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

CWE mapping: CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection') (http://cwe.mitre.org/data/definitions/77.html).

Vulnerable Configurations

Part          Description   Count
Application   Sco           1

Nessus

NASL family: SMTP problems
NASL id: SMTP_STARTTLS_PLAINTEXT_INJECTION.NASL
description: The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 52611
published: 2011-03-10
reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/52611
title: SMTP Service STARTTLS Plaintext Command Injection
code:
#
# (C) Tenable Network Security, Inc.
#


if ( NASL_LEVEL < 4000 ) exit(0);


include("compat.inc");


if (description)
{
  script_id(52611);
  script_version("1.21");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  script_cve_id(
    "CVE-2011-0411",
    "CVE-2011-1430",
    "CVE-2011-1431",
    "CVE-2011-1432",
    "CVE-2011-1506",
    "CVE-2011-2165"
  );
  script_bugtraq_id(46767);
  script_xref(name:"CERT", value:"555316");

  script_name(english:"SMTP Service STARTTLS Plaintext Command Injection");
  script_summary(english:"Tries to inject a command along with STARTTLS");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote mail service allows plaintext command injection while 
negotiating an encrypted communications channel."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote SMTP service contains a software flaw in its STARTTLS
implementation that could allow a remote, unauthenticated attacker to
inject commands during the plaintext protocol phase that will be
executed during the ciphertext protocol phase. 

Successful exploitation could allow an attacker to steal a victim's
email or associated SASL (Simple Authentication and Security Layer)
credentials."
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://tools.ietf.org/html/rfc2487"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://www.securityfocus.com/archive/1/516901/30/0/threaded"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Contact the vendor to see if an update is available."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");

  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"SMTP problems");

  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");

  script_dependencies("smtp_starttls.nasl");
  script_require_ports("Services/smtp", 25);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");


port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
if (!get_kb_item("smtp/"+port+"/starttls"))
{
  if (get_kb_item("smtp/"+port+"/starttls_tested"))
    exit(0, "The SMTP server on port "+port+" does not support STARTTLS.");

  encaps = get_kb_item("Transports/TCP/"+port);
  if (encaps && encaps > ENCAPS_IP) 
    exit(0, "The SMTP server on port "+port+" always encrypts traffic.");
}


soc = smtp_open(port:port, helo:compat::this_host());
if (!soc) exit(1, "Can't open socket on port "+port+".");


# Send the exploit: STARTTLS and a second command (RSET) in one packet.
# A correct server discards or rejects the trailing plaintext before the
# TLS handshake; a vulnerable one keeps it buffered and runs it under TLS.
c = 'STARTTLS\r\nRSET\r\n';
send(socket:soc, data:c);
s1 = smtp_recv_line(socket:soc);
if (strlen(s1)) s1 = chomp(s1);

if (strlen(s1) < 4)
{
  smtp_close(socket:soc);

  if (strlen(s1)) errmsg = "The SMTP server on port "+port+" sent an invalid response (" + s1 + ").";
  else errmsg = "The SMTP server on port "+port+" failed to respond to a 'STARTTLS' command.";
  exit(1, errmsg);
}
# The server must answer STARTTLS itself with 220 before the handshake starts.
if (substr(s1, 0, 2) != "220") exit(1, "The SMTP server on port "+port+" did not accept the command (" + s1 + ").");

# nb: finally, we need to make sure the second command worked.
# Complete the TLS handshake, then read the first line the server sends over
# the encrypted channel: a 250 there means the RSET that was queued in
# plaintext was executed after encryption was in place.
soc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);
if (!soc) exit(1, "Failed to negotiate a TLS connection with the SMTP server on port "+port+".");
s2 = smtp_recv_line(socket:soc);
if (strlen(s2)) s2 = chomp(s2);

smtp_close(socket:soc);

if (strlen(s2) == 0) exit(0, "The SMTP server on port "+port+" does not appear to be affected.");
else
{
  if (strlen(s2) >= 3 && substr(s2, 0, 2) == "250")
  {
    if (report_verbosity > 0)
    {
      report = 
        '\n' + 'Nessus sent the following two commands in a single packet :' +
        '\n' +
        '\n' + '  ' + str_replace(find:'\r\n', replace:'\\r\\n', string:c) + 
        '\n' +
        '\n' + 'And the server sent the following two responses :' +
        '\n' +
        '\n' + '  ' + s1 +
        '\n' + '  ' + s2 + '\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    exit(0);
  }
  else exit(0, "The SMTP server on port "+port+" does not appear to be affected as it responded '" + s2 + "'.");
}
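To make the buffering defect described in the summary and the check performed by the plugin above concrete, here is an added example that is not part of this page, of SCOoffice Server, or of Tenable's plugin: a minimal model of an SMTP command loop that parses commands out of an application read buffer, in the vulnerable form that carries plaintext buffered alongside STARTTLS across the TLS handshake, and in the corrected form that discards that plaintext before the handshake. Sockets and TLS are stubbed out as method calls; the class and function names (`SmtpStartTlsModel`, `probe`, `is_affected`), the reply strings and the probe input are all constructed for this illustration.

```python
# Added illustration (hypothetical names, not code from any real MTA or from
# the Nessus plugin): model of the STARTTLS input-buffer defect and its fix.

class SmtpStartTlsModel:
    """SMTP command loop driven from an application read buffer.

    feed() stands for bytes arriving on the TCP socket and
    complete_tls_handshake() for the TLS handshake finishing. Every reply
    the server sends is recorded with a flag saying whether it went out in
    cleartext (False) or under TLS (True).
    """

    def __init__(self, discard_buffer_before_tls: bool):
        # True models the fixed server, False the vulnerable one.
        self.discard_buffer_before_tls = discard_buffer_before_tls
        self.buf = b""               # bytes received but not yet parsed
        self.tls_active = False      # is the session currently encrypted?
        self.handshake_pending = False
        self.sent = []               # list of (tls_active, reply) tuples

    def _reply(self, text: bytes) -> None:
        self.sent.append((self.tls_active, text))

    def feed(self, data: bytes) -> None:
        """Append bytes from the socket and run the command loop."""
        self.buf += data
        self._run_loop()

    def complete_tls_handshake(self) -> None:
        """Called once the handshake that follows the 220 reply succeeds."""
        self.tls_active = True
        self.handshake_pending = False
        # Both variants resume the loop here; only the fixed variant is
        # guaranteed to have an empty buffer at this point.
        self._run_loop()

    def _run_loop(self) -> None:
        # Parse one CRLF-terminated line at a time. While a handshake is
        # pending no further plaintext may be interpreted, so the loop stops.
        while not self.handshake_pending and b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            self._dispatch(line)

    def _dispatch(self, line: bytes) -> None:
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"STARTTLS":
            if self.tls_active:
                self._reply(b"503 TLS already active")
                return
            self._reply(b"220 Ready to start TLS")
            if self.discard_buffer_before_tls:
                # Fixed behaviour: anything that arrived in the same packet as
                # STARTTLS is unauthenticated plaintext and must not survive
                # into the encrypted phase, so drop it before the handshake.
                self.buf = b""
            self.handshake_pending = True
        elif verb in (b"RSET", b"NOOP"):
            self._reply(b"250 OK")
        elif verb == b"QUIT":
            self._reply(b"221 Bye")
        else:
            self._reply(b"500 Unrecognized command")


def probe(server: SmtpStartTlsModel) -> list:
    """Replay the plugin's check: STARTTLS and RSET in one packet, then TLS."""
    server.feed(b"STARTTLS\r\nRSET\r\n")          # constructed probe input
    server.complete_tls_handshake()
    return server.sent


def is_affected(server: SmtpStartTlsModel) -> bool:
    """Affected if a command sent next to STARTTLS is answered under TLS."""
    return any(over_tls and reply.startswith(b"250")
               for over_tls, reply in probe(server))


if __name__ == "__main__":
    for label, flag in (("vulnerable", False), ("fixed", True)):
        srv = SmtpStartTlsModel(discard_buffer_before_tls=flag)
        print(label, "affected:", is_affected(srv))
        for over_tls, reply in srv.sent:
            print("   ", "TLS  " if over_tls else "PLAIN", reply.decode())
```

`probe()` sends exactly the two commands the plugin sends in a single packet; a `250` recorded with the TLS flag set is the plaintext-queued `RSET` being executed after encryption, which is what the plugin looks for in its second read. On a real MTA the same fix can be expressed either as discarding the pending input before the handshake, as modelled here, or as refusing STARTTLS while unread plaintext remains in the buffer.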