Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 23 May 2010 14:39:16 +0200
From: Thijs Kinkhorst <>
Cc: Max Olsterd <>,
Subject: Re: CVE Request for Horde and Squirrelmail

On sneon 22 Maaie 2010, Max Olsterd wrote:
> But someone gave me an explanation, with a live hacking demo, and it was
> awesome : this guy has been able to scan the LAN of an international ISP
> whereas there was a firewall blocking incoming packets to the LAN (DMZ +
> internal LAN) !!!
> How ?
> He had an account on the squirrelmail (ISP) and he has been able to create
> an exploit for the advisory we are talking about here. Thanks to that, he
> asked squirrelmail to scan some ranges of IP addresses that were private
> (10.x.x.x) and unreachable from the outside of this ISP (NAT). Then he
> found multiple interesting hosts with unpatched services, which gave him
> an idea of how secure it was for real when you are inside. He also used
> the DNS scanning attack that was described in the slides of HITB, by
> bruteforcing names, and he found other IP addresses (but a firewall
> blocked the scan so deep on the LAN).

That this is possible is inherent in providing the ability to your users to 
configure any POP3 server they want to retreive email. The whole idea of the 
POP3 fetch mail plugin is to allow to connect to other servers. And hence if 
you want to provide this functionality there will always be the possibility 
that someone connects to a local machine, and there's no real solution to that 
given the premise. It is a choice to not patch internal services but any 
adminsitrator has the responsibility to determine what 'internal' means and 
who will have access to this network.

And note that still the only thing you, as an authenticated user, can do is 
connect to those ports within a POP3 context.

The only new idea that this research adds, is that they've scripted the 
changing of the pop3 server info so they can increase the amount of 
hosts/ports to connect to in a given timeframe. But even if this wouldn't be 
scriptable, it would still be possible for the user to specify POP3 servers by 
hand (as that is the goal of the plugin) and hence any network setup that 
can't deal with this but does enable the plugin, is broken by design.

It's only a matter of scaling that they add. Anything that is 'vulnerable' 
with this, is already vulnerable if this scripting wouldn't be possible.


Download attachment "signature.asc " of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.