Ryan_34424
Apr 26, 2018Altostratus
LTM :: SMTPS Command Injection
It seems the SMTPS profile on the LTM allows command injection. It is detected as:
SMTP Service STARTTLS Plaintext Command Injection (52611) :: The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.
To test, we modified the standard python smtplib library to send a malicious version of the command by appending the HELP command after STARTTLS.
Packet capture shows execution of the command:
What have folks done to get around this outside of writing an iRule? This is what I came up with... which SEEMS to work... but I'm by no means an expert.
when CLIENT_DATA {
if { [string tolower [TCP::payload 10]] starts_with "starttls" } {
TCP::payload replace 0 [TCP::payload length] "STARTTLS\r\n"
}
TCP::release
TCP::collect
}
when SERVER_CONNECTED {
TCP::collect
}
when SERVER_DATA {
TCP::release
clientside { TCP::collect }
}