Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

LTM :: SMTPS Command Injection

It seems the SMTPS profile on the LTM allows command injection. It is detected as:

SMTP Service STARTTLS Plaintext Command Injection (52611) :: The remote SMTP service contains a software flaw in its STARTTLS implementation that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that will be executed during the ciphertext protocol phase. Successful exploitation could allow an attacker to steal a victim's email or associated SASL (Simple Authentication and Security Layer) credentials.

To test, we modified the standard python smtplib library to send a malicious version of the command by appending the HELP command after STARTTLS.

Image Text

Packet capture shows execution of the command:

Image Text

What have folks done to get around this outside of writing an iRule? This is what I came up with... which SEEMS to work... but I'm by no means an expert.

when CLIENT_DATA {
    if { [string tolower [TCP::payload 10]] starts_with "starttls" } {
        TCP::payload replace 0 [TCP::payload length] "STARTTLS\r\n"
    }
    TCP::release
    TCP::collect
}

when SERVER_CONNECTED {
    TCP::collect
}

when SERVER_DATA {
    TCP::release
    clientside { TCP::collect }
}
0
Rate this Question

Answers to this Question