數碼中文坊

MDaemon 的某個漏洞

Posted 2005-11-9 22:00:37

I recently found a hole in MDaemon: when it does a DNS query during the SMTP stage, if the other side can deliberately make the DNS lookup hit "technical problems", it still gets through.

Here is an example. In the first session the lookup was judged "domain name unknown", so the connection was not let through; but when it then turned into "technical problems", it passed?! Very strange!

Wed 2005-11-09 00:14:36: ----------
Wed 2005-11-09 00:14:45: Session 1208; child 1; thread 732
Wed 2005-11-09 00:14:45: Accepting SMTP connection from [220.131.225.152 : 2850]
Wed 2005-11-09 00:14:45: Performing PTR lookup (152.225.131.220.IN-ADDR.ARPA)
Wed 2005-11-09 00:14:45: * D=152.225.131.220.IN-ADDR.ARPA TTL=(1370) PTR=[220-131-225-152.hinet-ip.hinet.net]
Wed 2005-11-09 00:14:45: * Gathering A records...
Wed 2005-11-09 00:14:45: * D=220-131-225-152.hinet-ip.hinet.net TTL=(1250) A=[220.131.225.152]
Wed 2005-11-09 00:14:45: ---- End PTR results
Wed 2005-11-09 00:14:45: --> 220 localsoft.com.tw ESMTP MDaemon 8.1.3; Wed, 09 Nov 2005 00:14:45 +0800
Wed 2005-11-09 00:14:45: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:14:45: Performing IP lookup (ts-d008b9fc7dfa)
Wed 2005-11-09 00:14:45: * Error: Name server reports domain name unknown
Wed 2005-11-09 00:14:45: ---- End IP lookup results
Wed 2005-11-09 00:14:45: --> 451 <ts-d008b9fc7dfa> is invalid or DNS says does not exist
Wed 2005-11-09 00:14:45: SMTP session terminated (Bytes in/out: 22/136)
Wed 2005-11-09 00:14:45: ----------
Wed 2005-11-09 00:15:30: Session 1209; child 1; thread 772
Wed 2005-11-09 00:14:57: Accepting SMTP connection from [220.131.225.152 : 2873]
Wed 2005-11-09 00:14:57: Performing PTR lookup (152.225.131.220.IN-ADDR.ARPA)
Wed 2005-11-09 00:14:57: * D=152.225.131.220.IN-ADDR.ARPA TTL=(1370) PTR=[220-131-225-152.hinet-ip.hinet.net]
Wed 2005-11-09 00:14:57: * Gathering A records...
Wed 2005-11-09 00:14:57: * D=220-131-225-152.hinet-ip.hinet.net TTL=(1249) A=[220.131.225.152]
Wed 2005-11-09 00:14:57: ---- End PTR results
Wed 2005-11-09 00:14:57: --> 220 localsoft.com.tw ESMTP MDaemon 8.1.3; Wed, 09 Nov 2005 00:14:57 +0800
Wed 2005-11-09 00:14:58: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:14:58: Performing IP lookup (ts-d008b9fc7dfa)
Wed 2005-11-09 00:15:08: * Error: 10 second wait for DNS response exceeded
Wed 2005-11-09 00:15:08: * Error: The name server reports that it is having technical problems
Wed 2005-11-09 00:15:08: ---- End IP lookup results
Wed 2005-11-09 00:15:08: --> 250 localsoft.com.tw Hello 220-131-225-152.hinet-ip.hinet.net, pleased to meet you
Wed 2005-11-09 00:15:08: <-- MAIL FROM:<[email protected]>
Wed 2005-11-09 00:15:08: Performing IP lookup (venus.seed.net.tw)
Wed 2005-11-09 00:15:18: * Error: 10 second wait for DNS response exceeded
Wed 2005-11-09 00:15:19: * D=venus.seed.net.tw TTL=(1390) A=[139.175.54.240]
Wed 2005-11-09 00:15:29: * Error: 10 second wait for DNS response exceeded
Wed 2005-11-09 00:15:29: ---- End IP lookup results
Wed 2005-11-09 00:15:29: --> 250 <[email protected]>, Sender ok
Wed 2005-11-09 00:15:29: <-- RCPT TO:<omitted>
Wed 2005-11-09 00:15:30: ----------
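The two sessions above show the pattern a log review should flag: the HELO hostname lookup ends in one or more "* Error:" lines, yet the next server reply is a 250 instead of a 451. The script below is an added example (not part of the post, and not MDaemon's own tooling) that walks MDaemon-style session logs in the format quoted above, records the DNS errors seen between "Performing IP lookup" and "---- End IP lookup results" for the HELO name, and marks any session whose reply after a failed lookup was still a 2xx. The sample input is copied from the quoted log (PTR and MAIL FROM lines trimmed); the session and field names are the log's own.

```python
"""Flag MDaemon SMTP sessions whose HELO lookup failed with a DNS error but
were still answered 250 (the fail-open pattern visible in the quoted log)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the two sessions quoted in the post, PTR and MAIL FROM lines trimmed.
SAMPLE_LOG = """\
Wed 2005-11-09 00:14:36: ----------
Wed 2005-11-09 00:14:45: Session 1208; child 1; thread 732
Wed 2005-11-09 00:14:45: Accepting SMTP connection from [220.131.225.152 : 2850]
Wed 2005-11-09 00:14:45: --> 220 localsoft.com.tw ESMTP MDaemon 8.1.3; Wed, 09 Nov 2005 00:14:45 +0800
Wed 2005-11-09 00:14:45: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:14:45: Performing IP lookup (ts-d008b9fc7dfa)
Wed 2005-11-09 00:14:45: * Error: Name server reports domain name unknown
Wed 2005-11-09 00:14:45: ---- End IP lookup results
Wed 2005-11-09 00:14:45: --> 451 <ts-d008b9fc7dfa> is invalid or DNS says does not exist
Wed 2005-11-09 00:14:45: SMTP session terminated (Bytes in/out: 22/136)
Wed 2005-11-09 00:14:45: ----------
Wed 2005-11-09 00:15:30: Session 1209; child 1; thread 772
Wed 2005-11-09 00:14:57: Accepting SMTP connection from [220.131.225.152 : 2873]
Wed 2005-11-09 00:14:57: --> 220 localsoft.com.tw ESMTP MDaemon 8.1.3; Wed, 09 Nov 2005 00:14:57 +0800
Wed 2005-11-09 00:14:58: <-- HELO ts-d008b9fc7dfa
Wed 2005-11-09 00:14:58: Performing IP lookup (ts-d008b9fc7dfa)
Wed 2005-11-09 00:15:08: * Error: 10 second wait for DNS response exceeded
Wed 2005-11-09 00:15:08: * Error: The name server reports that it is having technical problems
Wed 2005-11-09 00:15:08: ---- End IP lookup results
Wed 2005-11-09 00:15:08: --> 250 localsoft.com.tw Hello 220-131-225-152.hinet-ip.hinet.net, pleased to meet you
Wed 2005-11-09 00:15:30: ----------
"""

# "Wed 2005-11-09 00:14:36: " prefix on every line.
TS_PREFIX = re.compile(r"^\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: ")
HELO_RE = re.compile(r"<-- (?:HELO|EHLO) (\S+)")
REPLY_RE = re.compile(r"--> (\d{3}) ")


@dataclass
class HeloCheck:
    session: str
    helo: str
    errors: List[str] = field(default_factory=list)   # "* Error:" lines during the HELO lookup
    response: Optional[int] = None                    # first SMTP reply code after the HELO

    @property
    def fail_open(self) -> bool:
        """True when the lookup reported errors yet the server replied 2xx."""
        return bool(self.errors) and self.response is not None and 200 <= self.response < 300


def split_sessions(text: str) -> List[List[str]]:
    """Split the log into sessions on the '----------' delimiter, timestamps removed."""
    sessions, current = [], []
    for raw in text.splitlines():
        msg = TS_PREFIX.sub("", raw.rstrip())
        if msg == "----------":
            if current:
                sessions.append(current)
                current = []
            continue
        current.append(msg)
    if current:
        sessions.append(current)
    return sessions


def analyse_session(lines: List[str]) -> Optional[HeloCheck]:
    """Pair the HELO name with its lookup errors and the reply that followed."""
    session = next((l for l in lines if l.startswith("Session ")), "Session ?").split(";")[0]
    check, in_lookup = None, False
    for msg in lines:
        m = HELO_RE.match(msg)
        if m:
            check = HeloCheck(session, m.group(1))
            continue
        if check is None:
            continue                      # still in the banner/PTR phase
        if msg.startswith(f"Performing IP lookup ({check.helo})"):
            in_lookup = True
            continue
        if in_lookup:
            if msg.startswith("* Error: "):
                check.errors.append(msg[len("* Error: "):])
            elif msg.startswith("---- End IP lookup results"):
                in_lookup = False
            continue
        m = REPLY_RE.match(msg)
        if m:
            check.response = int(m.group(1))
            break
    return check


def find_helo_checks(text: str) -> List[HeloCheck]:
    return [c for c in map(analyse_session, split_sessions(text)) if c is not None]


if __name__ == "__main__":
    for c in find_helo_checks(SAMPLE_LOG):
        verdict = "FAIL-OPEN" if c.fail_open else "ok"
        print(f"{c.session}: HELO {c.helo} -> {c.response} after {len(c.errors)} DNS error(s): {verdict}")
```

Run against the quoted excerpt it reports Session 1208 as "ok" (451 after NXDOMAIN) and Session 1209 as "FAIL-OPEN" (250 after a timeout and "technical problems"). Pointing `find_helo_checks` at a full day's SMTP log is a cheap way to measure how often the resolver path degrades into a pass.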
Posted 2005-11-10 09:33:35
The DNS query is made by the local host to its configured DNS server, so it is unlikely that the cause of the error is influenced by the sending mail host!

Even if forged packets were sent over, the query packet would first have to be intercepted and then an error packet returned to the querying host, so a planted trojan or some other form of interception is the more likely possibility.

Setting the intercepted-packet idea aside, what remains is that querying a certain hostname itself causes a technical error, or that a HACKER registered some hostname which, when you look it up, returns some response that causes a technical error.

But this only goes through the hostname lookup; I don't know whether it has anything to do with the checks on message content (including ANTIVIRUS and spam). If those can be skipped entirely and the message delivered straight to the user's mail folder, that would really be a big hole.
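Whatever the cause of the resolver trouble, the defensive point is the same: a HELO check has to keep "the name does not exist" apart from "the resolver could not answer", and neither may be treated as a pass. The code below is an added example, not MDaemon's logic or anything from this thread; it classifies a lookup into three outcomes (`RESOLVED`, `NXDOMAIN`, `TEMPFAIL`, names chosen here), maps `getaddrinfo` errors onto them (`EAI_NONAME` as the authoritative "unknown name", anything else as temporary), and shows the fail-open reply policy from the quoted log beside a fail-closed one that defers with 451 on any resolver failure. The hostnames and the scripted resolver are constructed so the example runs offline.

```python
"""Fail-closed HELO/EHLO hostname verification: a permanent 'no such name'
and a temporary resolver failure (SERVFAIL, timeout) are kept apart, and a
resolver outage is never mistaken for a successful verification."""
import socket
from enum import Enum
from typing import Callable, Dict, Tuple

# Names used here; EAI_* constants are platform-dependent, so read them from socket.
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)
EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)


class Lookup(Enum):
    RESOLVED = "resolved"   # at least one address record came back
    NXDOMAIN = "nxdomain"   # the name server states the name does not exist
    TEMPFAIL = "tempfail"   # SERVFAIL, timeout, "technical problems"


def classify(name: str, resolve: Callable[[str], object] = lambda n: socket.getaddrinfo(n, None)) -> Lookup:
    """Map resolver behaviour onto the three outcomes above."""
    try:
        resolve(name)
    except socket.gaierror as exc:
        # EAI_NONAME is the authoritative "unknown name"; EAI_AGAIN, EAI_FAIL and
        # anything else means the resolver, not the name, is the problem.
        return Lookup.NXDOMAIN if exc.errno == EAI_NONAME else Lookup.TEMPFAIL
    except OSError:
        # socket.timeout and other I/O failures on the resolver path
        return Lookup.TEMPFAIL
    return Lookup.RESOLVED


def helo_response(outcome: Lookup, name: str, fail_open: bool) -> Tuple[int, str]:
    """SMTP reply to the HELO. fail_open=True reproduces the behaviour seen in the
    quoted log (only NXDOMAIN rejected); fail_open=False defers on any resolver
    trouble so a slow or broken DNS path cannot turn into a bypass."""
    if outcome is Lookup.RESOLVED:
        return 250, f"Hello {name}, pleased to meet you"
    if outcome is Lookup.NXDOMAIN:
        return 451, f"<{name}> is invalid or DNS says does not exist"
    if fail_open:
        return 250, f"Hello {name}, pleased to meet you"      # the hole in the log
    return 451, f"<{name}> could not be verified (temporary DNS failure), try again later"


def scripted_resolver(table: Dict[str, str]) -> Callable[[str], object]:
    """Constructed stand-in for socket.getaddrinfo so the example runs offline.
    Unknown names behave like NXDOMAIN."""
    def resolve(name: str):
        action = table.get(name, "nxdomain")
        if action == "nxdomain":
            raise socket.gaierror(EAI_NONAME, "Name or service not known")
        if action == "servfail":
            raise socket.gaierror(EAI_AGAIN, "Temporary failure in name resolution")
        if action == "timeout":
            raise socket.timeout("10 second wait for DNS response exceeded")
        return [("127.0.0.1",)]   # "ok": any non-exception result counts as resolved
    return resolve


# Constructed test fixture (example.net is reserved for documentation).
RESOLVER = scripted_resolver({
    "mail.example.net": "ok",
    "slow.example.net": "timeout",
    "broken.example.net": "servfail",
})


def evaluate(name: str, fail_open: bool = False, resolve=RESOLVER) -> Tuple[Lookup, int, str]:
    outcome = classify(name, resolve)
    code, text = helo_response(outcome, name, fail_open)
    return outcome, code, text


if __name__ == "__main__":
    for host in ("mail.example.net", "nosuch.example.net", "slow.example.net", "broken.example.net"):
        for policy in (True, False):
            outcome, code, text = evaluate(host, fail_open=policy)
            print(f"{'fail-open ' if policy else 'fail-closed'} {host:20} {outcome.value:9} --> {code} {text}")
```

The 451 on a temporary failure is deliberate: it is a retryable code, so a legitimate sender whose name the resolver could not reach at that moment simply queues and retries once DNS recovers, while the check itself never degrades into an automatic pass.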