Re: Exploit CVE-2019-19521?

2019-12-06 Thread Tim van der Molen
Henry Jensen (2019-12-04 23:08 +0100):
> $ openssl s_client -connect 192.168.56.121:25 -starttls smtp
...
> I did verify that this attack worked on my unpatched OpenBSD 6.6 box.
> But I didn't get much further. After the authentication succeeded,
> I continued with MAIL FROM: and RCPT TO:. After the RCPT TO:, the
> connection was aborted.

That is openssl s_client getting in your way. From the man page:

 When used interactively (which means neither -quiet nor -ign_eof have
 been given), the session will be renegotiated if the line begins with an
 R; if the line begins with a Q or if end of file is reached, the
 connection will be closed down.

The workaround is to use lowercase commands.



Re: Exploit CVE-2019-19521?

2019-12-04 Thread Gilles Chehade
On Wed, Dec 04, 2019 at 11:08:44PM +0100, Henry Jensen wrote:
> Hi,
> 

Hi,


> from https://seclists.org/oss-sec/2019/q4/120
> 
> ==
> 1.2. Case study: smtpd
> ==
> 
> To demonstrate how smtpd's authentication can be bypassed, we follow the
> instructions from the manual page of smtpd.conf:
> 
> [...]
>
> I did verify that this attack worked on my unpatched OpenBSD 6.6 box.
> But I didn't get much further. After the authentication succeeded,
> I continued with MAIL FROM: and RCPT TO:. After the RCPT TO:, the
> connection was aborted. After I patched my system, I could no longer get
> a "235 2.0.0 Authentication succeeded" message.
> 
> Question is: would it have been possible in the "real world" to exploit
> this to relay arbitrary messages (e.g. spam)?
> 

Yes, it would have most definitely been possible. Now, if you have yourself
relayed spam, I'll tell you that it's very unlikely this was used.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org
patreon: https://www.patreon.com/gilles