MarchFun posted on 2005-11-9 22:00:37

A certain vulnerability in MDaemon

I recently found a vulnerability in MDaemon... During the DNS lookup in the SMTP stage, if the other side can deliberately cause the DNS query to end in "technical problems", it still gets through.

Below is an example. The first session is judged "domain name unknown" and is therefore refused; but right after, when it turns into "technical problems", it passes?! Very strange!

Wed 2005-11-09 00:14:36: ----------
Wed 2005-11-09 00:14:45: Session 1208; child 1; thread 732
Wed 2005-11-09 00:14:45: Accepting SMTP connection from 
Wed 2005-11-09 00:14:45: Performing PTR lookup (152.225.131.220.IN-ADDR.ARPA)
Wed 2005-11-09 00:14:45: * D=152.225.131.220.IN-ADDR.ARPA TTL=(1370) PTR=
Wed 2005-11-09 00:14:45: * Gathering A records...
Wed 2005-11-09 00:14:45: * D=220-131-225-152.hinet-ip.hinet.net TTL=(1250) A=
Wed 2005-11-09 00:14:45: ---- End PTR results
Wed 2005-11-09 00:14:45: --> 220 localsoft.com.tw ESMTP MDaemon 8.1.3; Wed, 09 Nov 2005 00:14:45 +0800
Wed 2005-11-09 00:14:45: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:14:45: Performing IP lookup (ts-d008b9fc7dfa)
Wed 2005-11-09 00:14:45: * Error: Name server reports domain name unknown
Wed 2005-11-09 00:14:45: ---- End IP lookup results
Wed 2005-11-09 00:14:45: --> 451 <ts-d008b9fc7dfa> is invalid or DNS says does not exist
Wed 2005-11-09 00:14:45: SMTP session terminated (Bytes in/out: 22/136)
Wed 2005-11-09 00:14:45: ----------
Wed 2005-11-09 00:15:30: Session 1209; child 1; thread 772
Wed 2005-11-09 00:14:57: Accepting SMTP connection from 
Wed 2005-11-09 00:14:57: Performing PTR lookup (152.225.131.220.IN-ADDR.ARPA)
Wed 2005-11-09 00:14:57: * D=152.225.131.220.IN-ADDR.ARPA TTL=(1370) PTR=
Wed 2005-11-09 00:14:57: * Gathering A records...
Wed 2005-11-09 00:14:57: * D=220-131-225-152.hinet-ip.hinet.net TTL=(1249) A=
Wed 2005-11-09 00:14:57: ---- End PTR results
Wed 2005-11-09 00:14:57: --> 220 localsoft.com.tw ESMTP MDaemon 8.1.3; Wed, 09 Nov 2005 00:14:57 +0800
Wed 2005-11-09 00:14:58: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:14:58: Performing IP lookup (ts-d008b9fc7dfa)
Wed 2005-11-09 00:15:08: * Error: 10 second wait for DNS response exceeded 
Wed 2005-11-09 00:15:08: * Error: The name server reports that it is having technical problems
Wed 2005-11-09 00:15:08: ---- End IP lookup results
Wed 2005-11-09 00:15:08: --> 250 localsoft.com.tw Hello 220-131-225-152.hinet-ip.hinet.net, pleased to meet you
Wed 2005-11-09 00:15:08: <-- MAIL FROM:<[email protected]>
Wed 2005-11-09 00:15:08: Performing IP lookup (venus.seed.net.tw)
Wed 2005-11-09 00:15:18: * Error: 10 second wait for DNS response exceeded 
Wed 2005-11-09 00:15:19: * D=venus.seed.net.tw TTL=(1390) A=
Wed 2005-11-09 00:15:29: * Error: 10 second wait for DNS response exceeded 
Wed 2005-11-09 00:15:29: ---- End IP lookup results
Wed 2005-11-09 00:15:29: --> 250 <[email protected]>, Sender ok
Wed 2005-11-09 00:15:29: <-- RCPT TO:<以下省略>
Wed 2005-11-09 00:15:30: ----------
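A log check for the fail-open pattern shown in the two sessions above, added here as an example (it is neither MDaemon's code nor the poster's): it walks MDaemon SMTP session log lines, constructed from the sessions quoted above, and flags any session where the HELO hostname lookup ended in a DNS timeout or "technical problems" error but the server still answered 250 instead of 451.

```python
import re

# Constructed sample: the two MDaemon sessions quoted above, trimmed to the HELO check.
SAMPLE_LOG = """\
Wed 2005-11-09 00:14:45: Session 1208; child 1; thread 732
Wed 2005-11-09 00:14:45: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:14:45: * Error: Name server reports domain name unknown
Wed 2005-11-09 00:14:45: --> 451 <ts-d008b9fc7dfa> is invalid or DNS says does not exist
Wed 2005-11-09 00:14:45: ----------
Wed 2005-11-09 00:15:30: Session 1209; child 1; thread 772
Wed 2005-11-09 00:14:58: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:15:08: * Error: 10 second wait for DNS response exceeded
Wed 2005-11-09 00:15:08: * Error: The name server reports that it is having technical problems
Wed 2005-11-09 00:15:08: --> 250 localsoft.com.tw Hello 220-131-225-152.hinet-ip.hinet.net, pleased to meet you
Wed 2005-11-09 00:15:30: ----------
"""

SESSION_RE = re.compile(r": Session (\d+);")
HELO_RE = re.compile(r": <-- (?:HELO|EHLO) (\S+)")
# "domain name unknown" is a definitive negative answer; these two are soft DNS failures.
SOFTFAIL_RE = re.compile(r"wait for DNS response exceeded|technical problems")
REPLY_RE = re.compile(r": --> (\d{3}) ")


def find_dns_fail_open(log_text):
    """Return [(session_id, helo_name)] for sessions whose HELO hostname lookup
    ended in a soft DNS failure but were still answered with 250 (fail-open)."""
    findings = []
    session = helo = None
    soft_failed = False
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m:                                   # new session: reset state
            session, helo, soft_failed = m.group(1), None, False
            continue
        m = HELO_RE.search(line)
        if m:                                   # remember the claimed hostname
            helo, soft_failed = m.group(1), False
            continue
        if helo and SOFTFAIL_RE.search(line):   # lookup for that hostname degraded
            soft_failed = True
            continue
        m = REPLY_RE.search(line)
        if m and helo is not None:              # first reply after HELO is the verdict
            if soft_failed and m.group(1) == "250":
                findings.append((session, helo))
            helo = None                         # later replies are not the HELO verdict
    return findings
```

Run over a real MDaemon SMTP log, a non-empty result means the server treated a DNS failure as a pass; that is the condition worth alerting on until the behaviour is changed.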

隨風浮雲 posted on 2005-11-10 09:33:35

The DNS lookup is made by the local host against its configured DNS server, so the cause of the error is unlikely to be influenced by the sending mail host!

Even if forged packets were sent over, one would first have to intercept the query packet and then reply with an error packet to the querying host, so a planted trojan or some other form of interception is the more likely possibility.

Setting aside the intercepted-packet line of thinking, then it would be that looking up a certain hostname causes a technical error, or a hacker registered a certain hostname and, when you look it up, it responds with some message that then causes a technical error.

But this only gets past the hostname lookup; I don't know whether it has any bearing on the checks of the message content (including antivirus and spam). If those could be skipped entirely and the mail delivered straight into the user's mailbox, that really would be a big vulnerability.