I am a newbie to Python programming. I am writing a small SMTP client for testing the POSTFIX SMTP server implementation. I have used Python's smtplib for the same. Here is the code snippet.

```python
import smtplib

def smtpTest(serverStr, mode=1):
    servername = serverStr
    server = smtplib.SMTP(servername, 25)
    try:
        server.set_debuglevel(True)
        server.ehlo()
        # If we can encrypt this session, do it
        if server.has_extn('STARTTLS'):
            # Two commands in a single docmd() call; docmd() reads one reply only
            server.docmd('STARTTLS\r\n RSET')
    finally:
        print("Closing the smtp session ....")
        server.quit()

if __name__ == "__main__":
    print("Closing the session now ...")
    # Placeholder: replace with the address of the SMTP server under test
    smtpTest("<ip address of smtp server>", 1)
```

I am using the docmd() which should for the smtp server response. I am trying to check the smtp server behavior for the command 'STARTTLS\r\n RSET'.

Response details:- My expectation is that the SMTP server, if vulnerable, should give 2 response codes in sequence: one for the STARTTLS command and the other for the RSET command. My observation is that the server gets ready with the TLS tunnel and then the code enters the finally block to close the session. So my conclusion is that the server is not vulnerable to STARTTLS.

My query:- If I reverse the command string as 'RSET\r\n STARTTLS', I get the 2 response codes. With the reverse string of resetting and then starting tls, the quit function call ends the session and the command display for starttls appears after the client sends the quit command. I wanted to synchronize the call of quit only after I get the complete response from the server. In this case, the first being for RSET and then for STARTTLS. Any pointers will be of great help.

  • I think you should send only one command in a `.docmd` call. – VPfB Aug 15 '17 at 14:58
  • Could you please explain what you mean by 'vulnerable to STARTTLS'? – VPfB Aug 15 '17 at 14:59
  • The SMTP client which I am trying to write is to test for the STARTTLS vulnerability in the POSTFIX SMTP server implementation. So with the RSET command following the STARTTLS, if I get 2 response codes [first for STARTTLS and second for RSET], that indicates that the server is honoring both the commands, and that too in plain text mode. – Sanjay Phanshikar Aug 16 '17 at 03:47
  • I agree that only a single command is to be used in the docmd call. As such, there are command-specific functions in smtplib that I tried using, e.g. smtplib.SMTP.ehlo() etc. – Sanjay Phanshikar Aug 16 '17 at 03:48
  • In short, the SMTP test will test the mentioned gap in the SMTP server implementation. Hence I am trying to send 2 commands in one go. – Sanjay Phanshikar Aug 16 '17 at 03:57
  • I have found the vulnerability. I'd like to suggest that you append e.g. this link to your question in order to get better responses: https://www.kb.cert.org/vuls/id/555316 – VPfB Aug 16 '17 at 06:24
  • @VPfB I am not clear on what I need to do here. Can you please elaborate? I checked the link you provided. I have read similar content from the author who discovered the vulnerability. Is there anything wrong in the Python script I have written? Pointers will be of great help. – Sanjay Phanshikar Aug 17 '17 at 17:43
  • I personally cannot answer your question. My opinion is that smtplib is not the right tool. It took me some time to figure out what you are trying to achieve. There was an SMTP command injection vulnerability (dated 2011) and you are writing a test for it. I think the link could help other users who will read the question to understand this context. All I was proposing was to add it to the question. – VPfB Aug 17 '17 at 19:40
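
An added example, not part of the original question or its comments: a raw-socket version of the check the question describes for the issue linked above (VU#555316), where commands sent in plaintext after STARTTLS are executed once the session is encrypted. It sends both commands in one write, reads each reply to completion before moving on, and then looks for an answer to the buffered RSET inside the TLS session. The function names, the result labels and the EHLO name `probe.invalid` are assumptions of this sketch, and certificate verification is turned off on the assumption of a lab server with a self-signed certificate.

```python
import socket
import ssl

def read_reply(sock, buf):
    """Read one complete SMTP reply; buf (bytearray) keeps bytes read ahead."""
    lines = []
    while True:
        while b"\n" not in buf:
            chunk = sock.recv(4096)        # raises socket.timeout on silence
            if not chunk:
                raise EOFError("server closed the connection")
            buf += chunk
        raw, _, rest = buf.partition(b"\n")
        buf[:] = rest
        line = raw.decode("ascii", "replace").rstrip("\r")
        lines.append(line)
        if line[3:4] != "-":               # "250-..." continues, "250 ..." ends
            return int(line[:3]), lines

def probe(host, port=25, timeout=5.0):
    """Return 'refused', 'injected' or 'discarded' (labels are this sketch's own)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    buf = bytearray()
    try:
        read_reply(sock, buf)                      # 220 greeting
        sock.sendall(b"EHLO probe.invalid\r\n")    # constructed client name
        read_reply(sock, buf)
        sock.sendall(b"STARTTLS\r\nRSET\r\n")      # both commands in one write
        code, _ = read_reply(sock, buf)            # reply to STARTTLS only
        if code != 220:
            return "refused"
        ctx = ssl.create_default_context()
        ctx.check_hostname = False                 # assumption: lab server with
        ctx.verify_mode = ssl.CERT_NONE            # a self-signed certificate
        tls = ctx.wrap_socket(sock)                # TLS handshake happens here
        try:
            read_reply(tls, bytearray())           # nothing was sent inside TLS,
            return "injected"                      # so this answers the plaintext RSET
        except socket.timeout:
            return "discarded"                     # buffered RSET was thrown away
    finally:
        sock.close()
```

Any other exception (a failed handshake, a closed connection) leaves the result inconclusive rather than counting as a pass.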
