COMMAND

    FirstClass Internetgateway

SYSTEMS AFFECTED

    FirstClass 5.50

PROBLEM

    Mattias From found the following.  The email gateway included in
    FirstClass 5.50 can be tricked into sending mail that appears to
    the users of the FirstClass system to come from a local user on
    the server, including a privileged user.  Manually submitting a
    message to the SMTP server with <username_on_system> as the origin
    of the email will work, but the message will be caught by the
    server's spam filters, which either discard it or add "Spam:" to
    the subject, depending on configuration.  The requirement for a
    default-configured server not to treat an incoming mail as spam
    seems to be the presence of an @ in the From: header line.  Using
    a bogus address containing an @ outside of the <> in the From:
    field, and adding the shorthand address form <@>, which the server
    expands to the address given with MAIL FROM: earlier in the SMTP
    transaction, the message will be delivered and marked as coming
    from the specified user.  The expanding behaviour is correct, if I
    recall correctly; not validating the origin (at all) is the
    problem.

    Example:

        220 mail.skynet.foo FirstClass ESMTP Mail Server v5.50 ready
        MAIL FROM:<Admin>
        250 Admin... Sender ok
        RCPT TO:<user@skynet.foo>
        250 user@skynet.foo... Recipient ok
        DATA
        354 Send your message, end with <CRLF>.<CRLF>
        To: <user@skynet.foo>
        From: evil@socialengineer <@>
        Subject: Gimme you password

        Preferably now!
        .
        250 F1FEEACC Message accepted, transient identifier was 20

    The above message will appear to the user as a message from the
    local admin.  The ways to spot the message are in the FirstClass
    "History" function, which lists the mail as "Created by Admin" and
    "Routed from" an IP address, an entry that normally does not
    exist.  It is also spottable when the headers, not shown by
    default, are viewed, and in that the info for the Admin user does
    not open correctly when accessed from that message.  This works on
    both the Windows and MacOS versions of the server.
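    The checks below are an added example, not part of the original
    advisory and not the vendor's fix.  They show what a gateway-side
    or log-review filter could look for, based solely on the behaviour
    described above: an envelope sender (MAIL FROM:) with no domain,
    the <@> shorthand in the From: header, an @ sitting in the display
    name rather than in the angle-bracket address, and a From: address
    that differs from the envelope sender.  The sample session and the
    finding codes are constructed for this example; the function names
    are assumptions.

```python
import re

# Constructed client-side lines of the SMTP transaction shown in the
# advisory (server replies omitted).  Not a live capture.
SAMPLE_SESSION = [
    "MAIL FROM:<Admin>",
    "RCPT TO:<user@skynet.foo>",
    "DATA",
    "To: <user@skynet.foo>",
    "From: evil@socialengineer <@>",
    "Subject: Gimme you password",
    "",
    "Preferably now!",
    ".",
]

# Constructed benign session for comparison.
CLEAN_SESSION = [
    "MAIL FROM:<bob@example.org>",
    "RCPT TO:<user@skynet.foo>",
    "DATA",
    "To: <user@skynet.foo>",
    "From: Bob <bob@example.org>",
    "Subject: lunch",
    "",
    "noon?",
    ".",
]

ANGLE_ADDR = re.compile(r"<([^<>]*)>")


def parse_session(lines):
    """Return (envelope_sender, headers) from client-side SMTP lines.

    Only the MAIL FROM: envelope address and the message headers
    (lines after DATA up to the first blank line) are extracted.
    """
    envelope = None
    headers = {}
    in_data = False
    for line in lines:
        if not in_data:
            upper = line.upper()
            if upper.startswith("MAIL FROM:"):
                m = ANGLE_ADDR.search(line)
                envelope = m.group(1) if m else line.split(":", 1)[1].strip()
            elif upper == "DATA":
                in_data = True
        else:
            if line == "":
                break  # end of header block
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return envelope, headers


def spoof_findings(envelope, headers):
    """Return a list of finding codes for the origin checks described
    in the advisory.  An empty list means nothing suspicious."""
    findings = []
    # Gateway accepted a bare local account name as the envelope sender.
    if envelope is not None and "@" not in envelope:
        findings.append("bare-envelope-sender")
    frm = headers.get("from", "")
    m = ANGLE_ADDR.search(frm)
    angle = m.group(1) if m else None
    # The <@> shorthand is expanded by the server to the envelope sender.
    if angle == "@":
        findings.append("at-shorthand")
    # An @ outside the <> satisfies the "@ present" spam heuristic
    # without being the actual address.
    if "@" in ANGLE_ADDR.sub("", frm):
        findings.append("at-in-display-name")
    # Plain header/envelope mismatch (only meaningful for a real address).
    if angle not in (None, "@") and envelope is not None \
            and angle.lower() != envelope.lower():
        findings.append("header-envelope-mismatch")
    return findings


def check_session(lines):
    """Convenience wrapper: parse the session and run the checks."""
    envelope, headers = parse_session(lines)
    return spoof_findings(envelope, headers)


if __name__ == "__main__":
    print("advisory sample:", check_session(SAMPLE_SESSION))
    print("clean sample:   ", check_session(CLEAN_SESSION))
```

    A gateway could reject a session on "bare-envelope-sender" alone,
    since a sender reachable only by local account name has no business
    arriving over the internet port; the remaining codes are useful
    when reviewing logs of messages that were already delivered.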

SOLUTION

    It is important to note that this method could not be used to
    extract sensitive information outside of an FC system, because the
    reply never goes back out to the internet.  For example, if an
    internet user uses this method to spoof the Administrator and
    requests a password, the reply would not go back to the internet
    user; it would go to the real Admin (if it goes anywhere at all).

    Nevertheless, this is a serious bug that could be exploited for
    malicious purposes, or at the very least could cause disruption on
    a FirstClass system.  The authors have fixed this in the next
    release of FirstClass Internet Services.