OpenSMTPD 6.5.0 crashes during Nessus scan

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

OpenSMTPD 6.5.0 crashes during Nessus scan

jboyle
>Synopsis: OpenSMTPD 6.5.0 smtpd crashes during Nessus vulnerability scan
>Category: system
>Environment:
        System      : OpenBSD 6.5
        Details     : OpenBSD 6.5 (GENERIC.MP) #2: Tue Jul 23 23:38:56 CEST 2019
                         [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
        Running a Nessus host scan against smtpd causes smtpd to terminate.  The last messages in maillog are:
        "pony express: smtp_reply: line too long" and "smtpd: process pony socket closed".  At this point all
        of the smtpd daemons, parent and children, are stopped.

        Configuration and logs below.  
>How-To-Repeat:
        Start smtpd.  Run Nessus scan against the host.
>Fix:
        Restarting the daemon is the only work around I know of.



configuration:
osmtp# grep -v '^\s*#' antispoof | sed '/^\s*$/d'
@quotient-inc.com
@quotientinc.com
@myquotient.net
@quotient-inc.local
osmtp# grep -v '^\s*#' relayers | sed '/^\s*$/d'  
127.0.0.1
172.16.24.0/22
192.168.255.1
10.3.1.0/24
osmtp# grep -v '^\s*#' smtpd.conf | sed '/^\s*$/d'
table aliases file:/etc/mail/aliases
table antispoof file:/etc/mail/antispoof
table relay-ok file:/etc/mail/relayers
listen on lo0
listen on vio0
listen on vio1
action "local" mbox alias <aliases>
action "relay" relay
match for local action "local"
match !from src <relay-ok> mail-from <antispoof> for any reject
match for any action "relay"
match for any from src <relay-ok> action "relay"

maillog:
Aug  1 12:33:21 osmtp smtpd[44343]: info: OpenSMTPD 6.5.0 starting
Aug  1 12:51:15 osmtp smtpd[62911]: 1153f554c5387b8f smtp connected address=172.16.26.203 host=<unknown>
Aug  1 12:51:35 osmtp smtpd[62911]: 1153f554c5387b8f smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:01:55 osmtp smtpd[62911]: 1153f55508af2b16 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:03 osmtp smtpd[62911]: 1153f5560d47732d smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:10 osmtp smtpd[62911]: 1153f5560d47732d smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:02:23 osmtp smtpd[62911]: 1153f55508af2b16 smtp disconnected reason=disconnect
Aug  1 13:02:37 osmtp smtpd[62911]: 1153f5578d4916fe smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:37 osmtp smtpd[62911]: 1153f5578d4916fe smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:02:38 osmtp smtpd[62911]: 1153f558f5b78bf8 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:41 osmtp smtpd[62911]: 1153f5591af0ffca smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:41 osmtp smtpd[62911]: 1153f558f5b78bf8 smtp failed-command command="STARTTLS" result="503 5.5.1 Invalid command: Command not supported"
Aug  1 13:02:45 osmtp smtpd[62911]: 1153f55a8dbf9dca smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:45 osmtp smtpd[62911]: 1153f558f5b78bf8 smtp disconnected reason=quit
Aug  1 13:02:52 osmtp smtpd[62911]: 1153f55b0e45166a smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:52 osmtp smtpd[62911]: 1153f5591af0ffca smtp failed-command command="RCPT TO: root+:"|sleep 5 #"" result="501 5.1.3: Recipient address syntax error"
Aug  1 13:02:52 osmtp smtpd[62911]: 1153f55a8dbf9dca smtp failed-command command="EXPN root" result="500 5.5.1 Invalid command: Command unrecognized"
Aug  1 13:02:53 osmtp smtpd[62911]: 1153f5591af0ffca smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:02:56 osmtp smtpd[62911]: 1153f55a8dbf9dca smtp failed-command command="VRFY root" result="500 5.5.1 Invalid command: Command unrecognized"
Aug  1 13:02:56 osmtp smtpd[62911]: 1153f55c18962890 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:02:57 osmtp smtpd[62911]: 1153f55c18962890 smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:02:57 osmtp smtpd[62911]: 1153f55a8dbf9dca smtp disconnected reason=quit
Aug  1 13:03:01 osmtp smtpd[62911]: 1153f55df6daafb3 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:03:02 osmtp smtpd[62911]: 1153f55e3677d6e0 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:03:02 osmtp smtpd[62911]: 1153f55b0e45166a smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:03:03 osmtp smtpd[62911]: 1153f55df6daafb3 smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:03:03 osmtp smtpd[62911]: 1153f55f605ad4ff smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:03:11 osmtp smtpd[62911]: 1153f56020d0847a smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:03:11 osmtp smtpd[62911]: 1153f55f605ad4ff smtp failed-command command="STARTTLS" result="503 5.5.1 Invalid command: Command not allowed at this point."
Aug  1 13:03:11 osmtp smtpd[62911]: 1153f55e3677d6e0 smtp failed-command command="AUTH GSSAPI" result="503 5.5.1 Invalid command: Command not supported"
Aug  1 13:03:11 osmtp smtpd[62911]: 1153f55f605ad4ff smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:03:11 osmtp smtpd[62911]: 1153f56020d0847a smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:03:11 osmtp smtpd[62911]: 1153f55e3677d6e0 smtp disconnected reason=disconnect
Aug  1 13:03:17 osmtp smtpd[62911]: 1153f561cb7f4dcc smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:03:17 osmtp smtpd[62911]: 1153f562525b68da smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:03:17 osmtp smtpd[62911]: 1153f561cb7f4dcc smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:03:17 osmtp smtpd[62911]: 1153f562525b68da smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:03:59 osmtp smtpd[62911]: 1153f5633e3ae757 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:04:00 osmtp smtpd[62911]: 1153f564575bfbe6 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:04:00 osmtp smtpd[62911]: 1153f56576e7c7a4 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:04:05 osmtp smtpd[62911]: 1153f564575bfbe6 smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:04:05 osmtp smtpd[62911]: 1153f56629583bb2 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:04:05 osmtp smtpd[62911]: 1153f56629583bb2 smtp disconnected reason="io-error: Connection reset by peer"
Aug  1 13:04:13 osmtp smtpd[62911]: 1153f56576e7c7a4 smtp failed-command command="MAIL FROM: [hidden email]" result="553 5.1.0: Sender address syntax error"
Aug  1 13:04:29 osmtp smtpd[62911]: 1153f56576e7c7a4 smtp failed-command command="RCPT TO: Administrator" result="503 5.5.1 Invalid command: Command not allowed at this point."
Aug  1 13:04:32 osmtp smtpd[62911]: 1153f5633e3ae757 smtp disconnected reason=quit
Aug  1 13:04:32 osmtp smtpd[62911]: 1153f56576e7c7a4 smtp failed-command command="BDAT 4" result="500 5.5.1 Invalid command: Command unrecognized"
Aug  1 13:04:37 osmtp smtpd[62911]: 1153f56576e7c7a4 smtp failed-command command="b00mAUTH LOGIN" result="500 5.5.1 Invalid command: Command unrecognized"
Aug  1 13:04:42 osmtp smtpd[62911]: 1153f56576e7c7a4 smtp disconnected reason=quit
Aug  1 13:04:57 osmtp smtpd[62911]: 1153f567f7d5b339 smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:04:57 osmtp smtpd[62911]: 1153f568c37c65df smtp connected address=172.16.26.203 host=<unknown>
Aug  1 13:05:02 osmtp smtpd[62911]: pony express: smtp_reply: line too long
Aug  1 13:05:02 osmtp smtpd[25997]: smtpd: process pony socket closed


dmesg:
OpenBSD 6.5 (GENERIC.MP) #2: Tue Jul 23 23:38:56 CEST 2019
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4278030336 (4079MB)
avail mem = 4138745856 (3947MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5ab0 (11 entries)
bios0: vendor SeaBIOS version "?-20180724_192412-buildhw-07.phx2.fedoraproject.org-1.fc29" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: rev 0
acpi0: sleep states S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel Xeon Processor (Skylake, IBRS), 2100.40 MHz, 06-55-04
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel Xeon Processor (Skylake, IBRS), 2100.17 MHz, 06-55-04
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,VMX,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,MPX,AVX512F,AVX512DQ,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,AVX512CD,AVX512BW,AVX512VL,PKU,MD_CLEAR,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES,MELTDOWN
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu1: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu1: smt 0, core 0, package 1
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0: _OSC failed
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
cpu0: using VERW MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
atapiscsi0 at pciide0 channel 0 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.5+> ATAPI 5/cdrom removable
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Red Hat QXL Video" rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 52:54:00:b5:b0:5a
virtio0: msix shared
auich0 at pci0 dev 4 function 0 "Intel 82801AA AC97" rev 0x01: apic 0 int 11, ICH
ac97: codec id 0x83847600 (SigmaTel STAC9700)
audio0 at auich0
uhci0 at pci0 dev 5 function 0 "Intel 82801I USB" rev 0x03: apic 0 int 10
uhci1 at pci0 dev 5 function 1 "Intel 82801I USB" rev 0x03: apic 0 int 10
uhci2 at pci0 dev 5 function 2 "Intel 82801I USB" rev 0x03: apic 0 int 11
ehci0 at pci0 dev 5 function 7 "Intel 82801I USB" rev 0x03: apic 0 int 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
virtio1 at pci0 dev 6 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus2 at vioblk0: 2 targets
sd0 at scsibus2 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
sd0: 81920MB, 512 bytes/sector, 167772160 sectors
virtio1: msix shared
virtio2 at pci0 dev 7 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 11
virtio3 at pci0 dev 8 function 0 "Qumranet Virtio Network" rev 0x00
vio1 at virtio3: address 52:54:00:33:e9:82
virtio3: msix shared
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
uhidev0 at uhub0 port 3 configuration 1 interface 0 "QEMU QEMU USB Keyboard" rev 2.00/0.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (34cc264340b59846.a) swap on sd0b dump on sd0b
fd0 at fdc0 drive 1: density unknown

usbdevs:
Controller /dev/usb0:
addr 01: 8086:0000 Intel, EHCI root hub
         high speed, self powered, config 1, rev 1.00
         driver: uhub0
addr 02: 0627:0001 QEMU, QEMU USB Keyboard
         high speed, power 100 mA, config 1, rev 0.00, iSerial 42
         driver: uhidev0
Controller /dev/usb1:
addr 01: 8086:0000 Intel, UHCI root hub
         full speed, self powered, config 1, rev 1.00
         driver: uhub1
Controller /dev/usb2:
addr 01: 8086:0000 Intel, UHCI root hub
         full speed, self powered, config 1, rev 1.00
         driver: uhub2
Controller /dev/usb3:
addr 01: 8086:0000 Intel, UHCI root hub
         full speed, self powered, config 1, rev 1.00
         driver: uhub3

Reply | Threaded
Open this post in threaded view
|

Re: OpenSMTPD 6.5.0 crashes during Nessus scan

Sebastian Benoit-3
[hidden email]([hidden email]) on 2019.08.01 14:41:16 -0400:

> >Synopsis: OpenSMTPD 6.5.0 smtpd crashes during Nessus vulnerability scan
> >Category: system
> >Environment:
> System      : OpenBSD 6.5
> Details     : OpenBSD 6.5 (GENERIC.MP) #2: Tue Jul 23 23:38:56 CEST 2019
> [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine     : amd64
> >Description:
> Running a Nessus host scan against smtpd causes smtpd to terminate.  The last messages in maillog are:
> "pony express: smtp_reply: line too long" and "smtpd: process pony socket closed".  At this point all
> of the smtpd daemons, parent and children, are stopped.
>
> Configuration and logs below.  
> >How-To-Repeat:
>         Start smtpd.  Run Nessus scan against the host.
> >Fix:
> Restarting the daemon is the only work around I know of.

Can you include the log output from Nessus, the last one from that scan?

Reply | Threaded
Open this post in threaded view
|

Re: OpenSMTPD 6.5.0 crashes during Nessus scan

Gilles Chehade-7
In reply to this post by jboyle
On Thu, Aug 01, 2019 at 02:41:16PM -0400, [hidden email] wrote:

> >Synopsis: OpenSMTPD 6.5.0 smtpd crashes during Nessus vulnerability scan
> >Category: system
> >Environment:
> System      : OpenBSD 6.5
> Details     : OpenBSD 6.5 (GENERIC.MP) #2: Tue Jul 23 23:38:56 CEST 2019
> [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
> Architecture: OpenBSD.amd64
> Machine     : amd64
> >Description:
> Running a Nessus host scan against smtpd causes smtpd to terminate.  The last messages in maillog are:
> "pony express: smtp_reply: line too long" and "smtpd: process pony socket closed".  At this point all
> of the smtpd daemons, parent and children, are stopped.
>
> Configuration and logs below.  
> >How-To-Repeat:
>         Start smtpd.  Run Nessus scan against the host.
> >Fix:
> Restarting the daemon is the only work around I know of.
>

I'm on it, will have a fix very shortly.

--
Gilles Chehade       @poolpOrg

https://www.poolp.org            patreon: https://www.patreon.com/gilles

Reply | Threaded
Open this post in threaded view
|

Re: OpenSMTPD 6.5.0 crashes during Nessus scan

Gilles Chehade-7
In reply to this post by Sebastian Benoit-3
On Thu, Aug 01, 2019 at 10:02:21PM +0200, Sebastian Benoit wrote:

> [hidden email]([hidden email]) on 2019.08.01 14:41:16 -0400:
> > >Synopsis: OpenSMTPD 6.5.0 smtpd crashes during Nessus vulnerability scan
> > >Category: system
> > >Environment:
> > System      : OpenBSD 6.5
> > Details     : OpenBSD 6.5 (GENERIC.MP) #2: Tue Jul 23 23:38:56 CEST 2019
> > [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > Architecture: OpenBSD.amd64
> > Machine     : amd64
> > >Description:
> > Running a Nessus host scan against smtpd causes smtpd to terminate.  The last messages in maillog are:
> > "pony express: smtp_reply: line too long" and "smtpd: process pony socket closed".  At this point all
> > of the smtpd daemons, parent and children, are stopped.
> >
> > Configuration and logs below.  
> > >How-To-Repeat:
> >         Start smtpd.  Run Nessus scan against the host.
> > >Fix:
> > Restarting the daemon is the only work around I know of.
>
> Can you include the log output from Nessus, the last one from that scan?
>

actually I spotted the issue right away from his log, preparing the fix
and testing it before I prepare the errata

--
Gilles Chehade       @poolpOrg

https://www.poolp.org            patreon: https://www.patreon.com/gilles