Date: Sun, 23 May 2010 14:39:16 +0200
From: Thijs Kinkhorst <thijs@...ian.org>
To: oss-security@...ts.openwall.com
Cc: Max Olsterd <max.olsterd@...il.com>, security-2010@...irrelmail.org
Subject: Re: CVE Request for Horde and Squirrelmail

On Saturday 22 May 2010, Max Olsterd wrote:
> But someone gave me an explanation, with a live hacking demo, and it was
> awesome: this guy has been able to scan the LAN of an international ISP
> whereas there was a firewall blocking incoming packets to the LAN (DMZ +
> internal LAN)!!!
>
> How?
>
> He had an account on the squirrelmail (ISP) and he has been able to create
> an exploit for the advisory we are talking about here. Thanks to that, he
> asked squirrelmail to scan some ranges of IP addresses that were private
> (10.x.x.x) and unreachable from the outside of this ISP (NAT). Then he
> found multiple interesting hosts with unpatched services, which gave him
> an idea of how secure it was for real when you are inside. He also used
> the DNS scanning attack that was described in the slides of HITB, by
> bruteforcing names, and he found other IP addresses (but a firewall
> blocked the scan so deep on the LAN).

That this is possible is inherent in providing the ability to your users to
configure any POP3 server they want to retrieve email from. The whole idea of
the POP3 fetch mail plugin is to allow connecting to other servers. And hence
if you want to provide this functionality there will always be the possibility
that someone connects to a local machine, and there's no real solution to that
given the premise. It is a choice to not patch internal services, but any
administrator has the responsibility to determine what 'internal' means and
who will have access to this network. And note that still the only thing you,
as an authenticated user, can do is connect to those ports within a POP3
context.

The only new idea that this research adds is that they've scripted the
changing of the pop3 server info so they can increase the amount of
hosts/ports to connect to in a given timeframe. But even if this wouldn't be
scriptable, it would still be possible for the user to specify POP3 servers
by hand (as that is the goal of the plugin), and hence any network setup that
can't deal with this but does enable the plugin is broken by design. It's only
a matter of scaling that they add. Anything that is 'vulnerable' with this is
already vulnerable if this scripting wouldn't be possible.

cheers,
Thijs
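The thread leaves the question of what a deployer can do if the premise of "any POP3 server" is narrowed to "any public POP3 server". The following is an added example, not code from this thread, from SquirrelMail or from Horde: a destination check that runs before the fetch plugin opens a connection. The function names (check_pop3_target, dns_resolver, stub_resolver), the ALLOWED_PORTS policy and the FAKE_DNS table are all assumptions made for the example; the resolver is injected so it runs offline. It refuses literal private, loopback, link-local and IPv4-mapped targets (the 10.x.x.x range scan described above), refuses a hostname if any of its resolved addresses is non-public (the brute-forced-names case), and hands back the vetted addresses so the caller connects to exactly what was checked rather than re-resolving the name.

```python
"""Egress check for a user-supplied POP3 fetch target (added example, not
SquirrelMail/Horde code). Names, port policy and the fake DNS table below
are assumptions made for illustration."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Assumed policy: plain POP3 and POP3S only. A fetch plugin has no business
# talking to 22, 3306 or 8080, so scanning other services is refused outright.
ALLOWED_PORTS = frozenset({110, 995})


def _is_public(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.5 is still 10.0.0.5
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def dns_resolver(host: str) -> List[str]:
    """Real resolver: every address the libc would hand to connect()."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_pop3_target(host: str, port: int,
                      resolver: Resolver = dns_resolver
                      ) -> Tuple[bool, str, List[str]]:
    """Decide whether a user-supplied POP3 server may be contacted.

    Returns (allowed, reason, vetted_ips). The caller must connect to one of
    vetted_ips instead of resolving `host` again, so a DNS answer that changes
    between check and connect cannot redirect the socket to an internal host.
    """
    if port not in ALLOWED_PORTS:
        return False, f"port {port} is not a POP3 port", []
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]   # literal IP
    except ValueError:
        # Not a literal: resolve and judge the addresses, never the string,
        # so spellings like "0x0a000001" or "localhost" are caught too.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}", []
        if not addrs:
            return False, f"{host!r} resolved to no address", []
    for ip in addrs:
        if not _is_public(ip):
            # One non-public record is enough: a name with mixed public and
            # private answers is exactly how a scanner would hide a target.
            return False, f"{host!r} maps to non-public address {ip}", []
    return True, "ok", [str(ip) for ip in addrs]


# Constructed DNS answers for an offline demonstration (not real hosts).
FAKE_DNS = {
    "pop.example.net": ["1.1.1.1"],
    "intranet.corp.example": ["10.20.30.40"],
    "mixed.example.net": ["9.9.9.9", "192.168.1.5"],
    "v6mapped.example.net": ["::ffff:10.0.0.5"],
}


def stub_resolver(host: str) -> List[str]:
    """Offline stand-in for dns_resolver, backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"NXDOMAIN for {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    # What the scripted scan from the thread would be reduced to: every
    # 10.x.x.x candidate is refused before a socket is opened.
    scan_range = [str(a) for a in ipaddress.ip_network("10.0.0.0/30")]
    for target in scan_range + ["127.0.0.1", "169.254.169.254", "::1",
                                "pop.example.net", "intranet.corp.example",
                                "mixed.example.net", "v6mapped.example.net",
                                "no-such-host.example"]:
        allowed, reason, ips = check_pop3_target(target, 110, stub_resolver)
        print(f"{target:28} {'ALLOW' if allowed else 'DENY ':5} {reason} {ips}")
```

Two design points are worth spelling out. First, the decision is made on resolved addresses, not on the text the user typed, which is why the usual SSRF spellings (decimal or hex IPs, "localhost", a name with one private A record) all fall through the same path. Second, the vetted address list is returned so the connect step uses it directly; checking a name and then letting the POP3 client resolve it a second time reopens the hole the check just closed.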