SMTP Service STARTTLS Plaintext Command Injection

2011-03-1000:00:00

www.tenable.com

1762

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.8%

JSON

The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote, unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase.

Successful exploitation could allow an attacker to steal a victim’s email or associated SASL (Simple Authentication and Security Layer) credentials.

#
# (C) Tenable Network Security, Inc.
#


if ( NASL_LEVEL < 4000 ) exit(0);


include("compat.inc");


if (description)
{
  script_id(52611);
  script_version("1.21");
  script_cvs_date("Date: 2019/03/06 18:38:55");

  script_cve_id(
    "CVE-2011-0411",
    "CVE-2011-1430",
    "CVE-2011-1431",
    "CVE-2011-1432",
    "CVE-2011-1506",
    "CVE-2011-2165"
  );
  script_bugtraq_id(46767);
  script_xref(name:"CERT", value:"555316");

  script_name(english:"SMTP Service STARTTLS Plaintext Command Injection");
  script_summary(english:"Tries to inject a command along with STARTTLS");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote mail service allows plaintext command injection while 
negotiating an encrypted communications channel."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote SMTP service contains a software flaw in its STARTTLS
implementation that could allow a remote, unauthenticated attacker to
inject commands during the plaintext protocol phase that will be
executed during the ciphertext protocol phase. 

Successful exploitation could allow an attacker to steal a victim's
email or associated SASL (Simple Authentication and Security Layer)
credentials."
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://tools.ietf.org/html/rfc2487"
  );
  script_set_attribute(
    attribute:"see_also", 
    value:"https://www.securityfocus.com/archive/1/516901/30/0/threaded"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Contact the vendor to see if an update is available."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/10");

  script_set_attribute(attribute:"plugin_type", value:"remote");

  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"SMTP problems");

  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");

  script_dependencies("smtp_starttls.nasl");
  script_require_ports("Services/smtp", 25);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");


port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
if (!get_kb_item("smtp/"+port+"/starttls"))
{
  if (get_kb_item("smtp/"+port+"/starttls_tested"))
    exit(0, "The SMTP server on port "+port+" does not support STARTTLS.");

  encaps = get_kb_item("Transports/TCP/"+port);
  if (encaps && encaps > ENCAPS_IP) 
    exit(0, "The SMTP server on port "+port+" always encrypts traffic.");
}


soc = smtp_open(port:port, helo:compat::this_host());
if (!soc) exit(1, "Can't open socket on port "+port+".");


# Send the exploit.
c = 'STARTTLS\r\nRSET\r\n';
send(socket:soc, data:c);
s1 = smtp_recv_line(socket:soc);
if (strlen(s1)) s1 = chomp(s1);

if (strlen(s1) < 4)
{
  smtp_close(socket:soc);

  if (strlen(s1)) errmsg = "The SMTP server on port "+port+" sent an invalid response (" + s1 + ").";
  else errmsg = "The SMTP server on port "+port+" failed to respond to a 'STARTTLS' command.";
  exit(1, errmsg);
}
if (substr(s1, 0, 2) != "220") exit(1, "The SMTP server on port "+port+" did not accept the command (", s1, ").");

# nb: finally, we need to make sure the second command worked.
soc = socket_negotiate_ssl(socket:soc, transport:ENCAPS_TLSv1);
if (!soc) exit(1, "Failed to negotiate a TLS connection with the SMTP server on port "+port+".");
s2 = smtp_recv_line(socket:soc);
if (strlen(s2)) s2 = chomp(s2);

smtp_close(socket:soc);

if (strlen(s2) == 0) exit(0, "The SMTP server on port "+port+" does not appear to be affected.");
else
{
  if (strlen(s2) >= 3 && substr(s2, 0, 2) == "250")
  {
    if (report_verbosity > 0)
    {
      report = 
        '\n' + 'Nessus sent the following two commands in a single packet :' +
        '\n' +
        '\n' + '  ' + str_replace(find:'\r\n', replace:'\\r\\n', string:c) + 
        '\n' +
        '\n' + 'And the server sent the following two responses :' +
        '\n' +
        '\n' + '  ' + s1 +
        '\n' + '  ' + s2 + '\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    exit(0);
  }
  else exit(0, "The SMTP server on port "+port+" does not appear to be affected as it responded '" + s2 + "'.");
}