Autor: Warwick Brown Data: Dla: 'exim-dev@exim.org' Temat: [exim-dev] Interesting behaviour
Hi All,
I sent this to the list previously, but before I had confirmed my membership, so please forgive me if you have already seen this....
I'd like to report some weirdness I've experienced in case there is any potential for impact....
In a recent vulnerability scan, I noticed some interesting behaviour as it mistakenly caused my MTAs to incorrectly be marked as open relays....
Say, I am a relay for domain1.com, When you do a RCPT command, as follows:-
RCPT TO: @domain2.com:user@???
Exim returns a 250 response, even when the source IP is not an authorised IP and when domain2.com is not an authoritative domain.
The interesting thing is, that if you do:-
RCPT TO: user@???:user@???
Exim correctly fails the RCPT TO command with a 500 error,
But where the user-part is missing from the address, it appears that the address is silently ignored, and the mail is then processed against address user@??? with no sign of anything untoward ever happening in the logs.
I know sending an email to an address with a null user-part is a bizarre and broken thing to do, but that's what the pen-testing tool did, and it means I have to explain my way out of a perceived vulnerability with a CVSS score of 10 attached to it every time that tool is used by the assessor.
So...Despite all of my efforts to modify my restricted characters acl within my rcpt to acl chain, I was unable to make it reject the mail when the user-part is null, and after some verification, I was able to conclusively prove to my assessor that my MTAs were not open relays and that the MTA sent only the mail for the authorised domain, domain1.com.
Still... I was left somewhat puzzled and a little concerned how part of the input had been silently dropped without any log event, and what the consequence of that would be (e.g. would it be exploitable?).
So I've penned this mail in the hope someone will be equally intrigued suffice to take a look at this.