|
Message-Id: <201005231439.21960.thijs@debian.org>
Date: Sun, 23 May 2010 14:39:16 +0200
From: Thijs Kinkhorst <thijs@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Max Olsterd <max.olsterd@...il.com>,
security-2010@...irrelmail.org
Subject: Re: CVE Request for Horde and Squirrelmail
On sneon 22 Maaie 2010, Max Olsterd wrote:
> But someone gave me an explanation, with a live hacking demo, and it was
> awesome : this guy has been able to scan the LAN of an international ISP
> whereas there was a firewall blocking incoming packets to the LAN (DMZ +
> internal LAN) !!!
>
> How ?
>
> He had an account on the squirrelmail (ISP) and he has been able to create
> an exploit for the advisory we are talking about here. Thanks to that, he
> asked squirrelmail to scan some ranges of IP addresses that were private
> (10.x.x.x) and unreachable from the outside of this ISP (NAT). Then he
> found multiple interesting hosts with unpatched services, which gave him
> an idea of how secure it was for real when you are inside. He also used
> the DNS scanning attack that was described in the slides of HITB, by
> bruteforcing names, and he found other IP addresses (but a firewall
> blocked the scan so deep on the LAN).
That this is possible is inherent in providing the ability to your users to
configure any POP3 server they want to retreive email. The whole idea of the
POP3 fetch mail plugin is to allow to connect to other servers. And hence if
you want to provide this functionality there will always be the possibility
that someone connects to a local machine, and there's no real solution to that
given the premise. It is a choice to not patch internal services but any
adminsitrator has the responsibility to determine what 'internal' means and
who will have access to this network.
And note that still the only thing you, as an authenticated user, can do is
connect to those ports within a POP3 context.
The only new idea that this research adds, is that they've scripted the
changing of the pop3 server info so they can increase the amount of
hosts/ports to connect to in a given timeframe. But even if this wouldn't be
scriptable, it would still be possible for the user to specify POP3 servers by
hand (as that is the goal of the plugin) and hence any network setup that
can't deal with this but does enable the plugin, is broken by design.
It's only a matter of scaling that they add. Anything that is 'vulnerable'
with this, is already vulnerable if this scripting wouldn't be possible.
cheers,
Thijs
Download attachment "signature.asc " of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.