Sendmail mail from/rcpt to Pipe Arbitrary Command Execution

critical Nessus Plugin ID 10261

Synopsis

The remote SMTP server is vulnerable to authentication bypass.

Description

The remote SMTP server did not complain when issued the command :
MAIL FROM: root@this_host RCPT TO: |testing

This probably means that it is possible to send mail directly to programs, which is a serious threat, since this allows anyone to execute arbitrary commands on this host.

*** This security hole might be a false positive, since
*** some MTAs will not complain to this test, but instead
*** just drop the message silently.

Solution

This plugin tests for a generic condition.
It may be remedied by upgrading, reconfiguring, or changing your SMTP Server (MTA).

See Also

http://securitydigest.org/phage/archive/324

http://securitydigest.org/unix/archive/039

Plugin Details

Severity: Critical

ID: 10261

File Name: smtp_program.nasl

Version: 1.34

Type: remote

Published: 8/22/1999

Updated: 8/13/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:eric_allman:sendmail

Vulnerability Publication Date: 12/4/1988

Reference Information

CVE: CVE-1999-0163