Mailing List Archive

Sambar sendmail false positives
The Sambar sendmail script has a false positive "elimination" line
that checks for SSL enabled servers talking non-SSL.

Unfortunately, the false positive elimination doesn't work. The line:

if("You're speaking plain HTTP to an SSL-enabled server port" <> buf)exit(0);

has a number of problems:

- The <> should be ><
- The text should all be in lower case, since the script changes the buf to lower case.
- The buf never contains this text, because recv_line() was used instead of recv().

A modified version of sambar_sendmail.nasl is attached that fixes these
problems, and has been tested and no longer generates these false
positives.

Thomas


#
# Copyright 2000 by Hendrik Scholz <hendrik@scholz.net>
#

if(description)
{
script_id(10415);

name["english"] = "Sambar sendmail /session/sendmail";
script_name(english:name["english"]);

desc["english"] = "The Sambar webserver is running. It provides a webinterface for sending emails.
You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server!

See http://www.toppoint.de/~hscholz/sambar for more information.

Solution : Try to disable this module. There might be a patch in the future.

Risk factor : High";


script_description(english:desc["english"]);

summary["english"] = "Sambar /session/sendmail mailer installed ?";

script_summary(english:summary["english"]);

script_category(ACT_ATTACK);


script_copyright(english:"This script is Copyright (C) 2000 Hendrik Scholz");

family["english"] = "CGI abuses";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);

script_dependencie("find_service.nes");
script_require_ports("Services/www", 80);
exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/www");
if(!port)port = 443;
if(get_port_state(port))
{
  data = http_get(item:"/session/sendmail", port:port);
  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc, data:data);
    # Read the whole response (not just the status line), so that error text
    # carried in the body is available to the exclusion checks below.
    buf = recv(socket:soc, length:4096);
    close(soc);
    buf = tolower(buf);
    # 400 responses that are not the Sambar mailer: do not report.
    if(" 400 invalid header received " >< buf)exit(0);
    if("you're speaking plain http to an ssl-enabled server port" >< buf)exit(0);
    # Any other 400 is taken as evidence that /session/sendmail is present.
    if(" 400 " >< buf)security_warning(port);
  }
}
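
The three problems listed in the first message (wrong operator, case-sensitive pattern against a lowercased buffer, and recv_line() returning only the status line) can be reproduced without a Nessus installation. The following Python is an added example, not the plugin's code and not code posted by anyone in this thread. It models the two NASL receive calls as functions over a byte string, ports the plugin's decision logic into an "original" and a "fixed" variant, and runs both over constructed sample responses (the sample texts, including the "Server: SAMBAR" header, are made up for the demonstration and are not captures from real servers; the function names recv_line, recv, original_check and fixed_check are the example's own). The original's "<>" operator is not modelled; the match is written as a plain substring test so that the other two defects can be shown in isolation.

```python
"""
Model of the sambar_sendmail.nasl decision logic, before and after the fix.

Added example, not code from the Nessus plugin or from this thread. The
response texts below are constructed to have the shapes the thread discusses;
they are not captures from a real Sambar or SSL-enabled server.
"""

# --- constructed sample responses -------------------------------------------

# An SSL-enabled port answering a cleartext GET. The tell-tale sentence is in
# the body, not on the status line.
SSL_PORT_PLAIN_HTTP = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Bad Request</h1>\n"
    b"You're speaking plain HTTP to an SSL-enabled server port.\n"
    b"</body></html>\n"
)

# A server rejecting the request headers outright (first exclusion in the plugin).
INVALID_HEADER = b"HTTP/1.0 400 Invalid header received \r\n\r\n"

# What the plugin treats as a hit: a 400 with neither exclusion text present.
# Constructed; the Server header is illustrative only.
SAMBAR_MAILER_400 = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Server: SAMBAR\r\n"
    b"\r\n"
    b"<html><body>Missing form data.</body></html>\n"
)

NOT_FOUND = b"HTTP/1.0 404 Not Found\r\n\r\n"


# --- models of the two NASL receive calls ------------------------------------

def recv_line(raw: bytes) -> bytes:
    """NASL recv_line(): only the first line of the response is returned."""
    end = raw.find(b"\n")
    return raw if end < 0 else raw[: end + 1]


def recv(raw: bytes, length: int = 4096) -> bytes:
    """NASL recv(socket, length): up to `length` bytes of the whole response."""
    return raw[:length]


# --- the two versions of the check -------------------------------------------

PLAIN_HTTP_ON_SSL = b"you're speaking plain http to an ssl-enabled server port"
INVALID_HEADER_MSG = b" 400 invalid header received "


def original_check(raw: bytes) -> str:
    """Pre-fix logic as the first message describes it.

    recv_line() truncates the response to the status line, and the exclusion
    pattern keeps its capitalisation, so it can never match a buffer that has
    just been lowercased. Returns 'warn' where NASL would call
    security_warning(), otherwise 'exit'.
    """
    buf = recv_line(raw).lower()
    if INVALID_HEADER_MSG in buf:
        return "exit"
    if b"You're speaking plain HTTP to an SSL-enabled server port" in buf:
        return "exit"
    if b" 400 " in buf:
        return "warn"
    return "exit"


def fixed_check(raw: bytes) -> str:
    """Corrected logic: read the whole response, match in lower case."""
    buf = recv(raw).lower()
    if INVALID_HEADER_MSG in buf:
        return "exit"
    if PLAIN_HTTP_ON_SSL in buf:
        return "exit"
    if b" 400 " in buf:
        return "warn"
    return "exit"


if __name__ == "__main__":
    samples = [("ssl port, plain http", SSL_PORT_PLAIN_HTTP),
               ("invalid header", INVALID_HEADER),
               ("mailer 400", SAMBAR_MAILER_400),
               ("404", NOT_FOUND)]
    for name, sample in samples:
        print(f"{name:22s} original={original_check(sample):5s} "
              f"fixed={fixed_check(sample)}")
```

Running it shows the false positive directly: on the SSL-port response the original variant reports "warn" because it only ever sees the "400 Bad Request" status line, while the fixed variant sees the body text and exits. Two caveats the code makes visible: the corrected check still reports any other 400 from /session/sendmail as a hit, and it only helps when the scanner really does speak cleartext to the port; if the socket has already been wrapped in SSL by the scanner, the "plain HTTP" body text never arrives in the first place.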

Re: Sambar sendmail false positives
Ack... the last script is incorrect: for testing I had changed the port
to be port 443. The attached script is the correct one.

Thomas

--
------------------------------------------------------------
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com
Tel: 1-905-331-2260 Fax: 1-905-331-2504
Tollfree in North America: 1-800-799-4831




#
# Copyright 2000 by Hendrik Scholz <hendrik@scholz.net>
#

if(description)
{
script_id(10415);

name["english"] = "Sambar sendmail /session/sendmail";
script_name(english:name["english"]);

desc["english"] = "The Sambar webserver is running. It provides a webinterface for sending emails.
You may simply pass a POST request to /session/sendmail and by this send mails to anyone you want.
Due to the fact that Sambar does not check HTTP referers you do not need direct access to the server!

See http://www.toppoint.de/~hscholz/sambar for more information.

Solution : Try to disable this module. There might be a patch in the future.

Risk factor : High";


script_description(english:desc["english"]);

summary["english"] = "Sambar /session/sendmail mailer installed ?";

script_summary(english:summary["english"]);

script_category(ACT_ATTACK);


script_copyright(english:"This script is Copyright (C) 2000 Hendrik Scholz");

family["english"] = "CGI abuses";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);

script_dependencie("find_service.nes");
script_require_ports("Services/www", 80);
exit(0);
}

#
# The script code starts here
#

port = get_kb_item("Services/www");
if(!port)port = 80;
if(get_port_state(port))
{
  data = http_get(item:"/session/sendmail", port:port);
  soc = open_sock_tcp(port);
  if(soc)
  {
    send(socket:soc, data:data);
    # Read the whole response (not just the status line), so that error text
    # carried in the body is available to the exclusion checks below.
    buf = recv(socket:soc, length:4096);
    close(soc);
    buf = tolower(buf);
    # 400 responses that are not the Sambar mailer: do not report.
    if(" 400 invalid header received " >< buf)exit(0);
    if("you're speaking plain http to an ssl-enabled server port" >< buf)exit(0);
    # Any other 400 is taken as evidence that /session/sendmail is present.
    if(" 400 " >< buf)security_warning(port);
  }
}

Re: Sambar sendmail false positives
Ok...I shall now bury my head in shame :(

Seems I put this test in place a while ago to try to eliminate false
positives. Unfortunately, I never got around to testing it, and did
a lousy job implementing it.

So, all those criticisms apply to myself :( :(

At any rate - for those interested, the script changes DO now work
and HAVE now been tested, and get rid of pesky false positives
on this script.

Sigh. Not a good day.

Thomas


Re: Sambar sendmail false positives
Thomas Reinke <reinke@e-softinc.com> writes:

> > soc = open_sock_tcp(port);

This will open an SSL connection if SSL was detected on this port by
find_service.

> > if("you're speaking plain http to an ssl-enabled server port" ><

So I suppose that this will never work.

You'd rather use, as in netscape_crash.nasl:
soc = open_sock_tcp(port, transport:ENCAPS_IP);

Re: Sambar sendmail false positives
Ok...that might be true for the 1.1 stream - we're still on the
1.0 stream and SSL connections aren't supported there. In that
case, the connection opened is non-SSL only, and the test trips
without the appropriate eliminating code.

Thomas
