Re: Anyone recognises this ?

From: H D Moore (sflist@digitaloffense.net)
Date: Wed Jul 03 2002 - 17:56:57 EDT


The banner you see is actually a PIX firewall wrapping the SMTP connection.
The goal is to enable only a specific set of commands, thereby protecting the
SMTP daemon from any information gathering attacks. There is a bug in some
releases which don't accurately maintain the "state" of the SMTP connection
and allow for arbitrary commands to be sent to the backend server. You do
this by specifying a DATA command before the RCPT TO, followed immediately by
the command you want to send. So to fingerprint the backend service, you
would send something like this:

telnet xxx.xxx.xxx.xxx 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
220*********************************************0************200**************
HELO
250 somehost Ok
MAIL FROM: user@example.org
250 Ok
DATA
503 No recipients: need RCPT
HELP
214-Commands:
214- HELO MAIL RCPT DATA RSET
214- NOOP QUIT HELP VRFY ETRN
214- XEXCH50 STARTTLS AUTH
214 End of HELP info
354 Enter mail, end with "." on a line by itself

Without that initial "DATA", the HELP command would return an "invalid
command" or similar response... The HELP output above would identify this as
an Exchange 5.x Internet Mail Service. More information about this bug in
particular can be found here:

http://online.securityfocus.com/bid/3365

-HD

On Wednesday 03 July 2002 12:27, Marco van Berkum wrote:
> Can anyone tell me what mailserver this is ?
> It's running on a Novell machine (hostname has been changed)
>
> ws# telnet xxx.xxx.xxx.xxx 25
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xxx.xxx.
> Escape character is '^]'.
> 220 *********************************************0************200*********************
> helo
> 250 somehost Ok
> mail from: marco@obit.nl
> 250 Ok
> rcpt to: user@somehost
> 250 Ok
> data
> 354 Enter mail, end with "." on a line by itself
> test
> .
> 250 Ok
> quit
> 221 somehost Closing transmission channel
> Connection closed by foreign host.
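
The state-tracking flaw described in the reply above, as an added example that is not part of the original post and is not PIX code: a toy filtering proxy run over the post's command sequence, once switching to pass-through as soon as the client sends DATA and once only after the backend answers 354. The allowlist, the `Backend` stub and its reply strings are assumptions made for illustration.

```python
# Toy model of a command-filtering SMTP proxy. Hypothetical names; not PIX code.
ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}  # assumed allowlist

def verb_of(line):
    parts = line.split()
    return parts[0].upper() if parts else ""

class Backend:
    """Stand-in for the protected mail server (replies are constructed)."""
    def __init__(self):
        self.rcpt = False
        self.in_data = False

    def handle(self, line):
        if self.in_data:                      # message body until a lone "."
            if line != ".":
                return None
            self.in_data = False
            return "250 Ok"
        verb = verb_of(line)
        if verb == "DATA":
            if not self.rcpt:
                return "503 No recipients: need RCPT"
            self.in_data = True
            return "354 Enter mail"
        if verb == "HELP":
            return "214 Commands: ..."
        if verb == "RCPT":
            self.rcpt = True
        return "250 Ok" if verb in ALLOWED else "500 Unrecognized"

def run(lines, track_server_reply):
    """Filter a client session; returns (line, backend reply or 'blocked') pairs."""
    srv, passthrough, out = Backend(), False, []
    for line in lines:
        if passthrough:
            reply = srv.handle(line)
            passthrough = line != "."         # body ends at a lone "."
        elif verb_of(line) not in ALLOWED:
            reply = "blocked"                 # never reaches the backend
        else:
            reply = srv.handle(line)
            if verb_of(line) == "DATA":
                # Flawed: trust the client's DATA. Fixed: require the backend's 354.
                passthrough = reply.startswith("354") if track_server_reply else True
        out.append((line, reply))
    return out

SESSION = ["HELO", "MAIL FROM: user@example.org", "DATA", "HELP"]  # from the post
print(run(SESSION, track_server_reply=False)[-1])  # HELP reaches the backend
print(run(SESSION, track_server_reply=True)[-1])   # HELP is blocked
```

A filter that keys its state on the backend's 354 reply keeps enforcing the allowlist after a rejected DATA, which is the behaviour the post says the affected releases lack.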
