10.2 SMTP

Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.

10.2.1 SMTP Service Fingerprinting

Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular perform a number of tests to ascertain the SMTP service in use:[1]

[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.


smtpmap
    http://freshmeat.net/projects/smtpmap

smtpscan
    http://www.greyhats.org/outils/smtpscan/smtpscan-0.2.tar.gz

Both tools are launched from Unix-like platforms. Example 10-1 shows the smtpmap command in use, identifying the mail service on mail.trustmatta.com as Lotus Domino 5.0.9a.

Example 10-1. The smtpmap tool in use
# smtpmap mail.trustmatta.com
smtp-map 0.8

Scanning mail.trustmatta.com ( [ 192.168.0.1 ] mail )
100 % done scan

According to configuration the server matches the following :
  Version                                       Probability
Lotus Domino Server 5.0.9a                      100 %
Microsoft MAIL Service, Version: 5.5.1877.197.1 90.2412 %
Microsoft MAIL Service, Version: 5.0.2195.2966  87.6661 %

According to RFC the server matches the following :
  Version                                       Probability
Lotus Domino Server 5.0.9a                      100 %
AnalogX Proxy 4.10                              85.4869 %
Sendmail 8.10.1                                 76.1912 %

Overall Fingerprinting the server matches the following :
  Version                                       Probability
Lotus Domino Server 5.0.9a                      100 %
Exim 4.04                                       67.7031 %
Exim 4.10 (without auth)                        66.7393 %

The smtpscan utility analyzes slightly different aspects of the SMTP service, predicting that the same SMTP service is Lotus Domino 5.0.8, as shown in Example 10-2.

Example 10-2. The smtpscan tool in use
# smtpscan mail.trustmatta.com
smtpscan version 0.1

  Scanning mail.trustmatta.com (192.168.0.1) port 25
  15 tests available
  77 fingerprints in the database

...............

Result --
250:501:501:250:501:250:250:214:252:252:502:250:250:250:250
SMTP server corresponding :
  - Lotus Domino Release 5.0.8
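The "Probability" figures in Examples 10-1 and 10-2 come from comparing a vector of reply codes, one per test, against a database of known vectors. The following Python snippet is an added illustration of that scoring step, not code from the chapter or from smtpmap/smtpscan; the fingerprint database, the wildcard convention, and the product names are constructed for the example.

```python
# Constructed fingerprint database for this example (not smtpscan's data):
# name -> one reply code per test, in test order. A "*" entry is a wildcard
# accepted for any reply, an assumption of this example for products whose
# reply to a given test varies with configuration.
FINGERPRINTS = {
    "Constructed MTA A": "250:501:501:250:501:250:250:214:252:252:502:250:250:250:250",
    "Constructed MTA B": "250:501:501:250:501:250:250:214:252:252:502:250:250:250:*",
    "Constructed MTA C": "250:501:501:250:501:250:250:502:502:502:502:250:250:250:250",
    "Constructed MTA D": "220:500:500:250:500:250:250:502:502:502:502:250:250:250:250",
}

# The reply-code vector smtpscan printed in Example 10-2.
OBSERVED = "250:501:501:250:501:250:250:214:252:252:502:250:250:250:250"


def score(observed, candidate):
    """Fraction of test positions at which the candidate matches the observed
    replies; wildcard positions always count as a match."""
    obs, cand = observed.split(":"), candidate.split(":")
    if len(obs) != len(cand):
        raise ValueError("fingerprints must cover the same number of tests")
    hits = sum(1 for o, c in zip(obs, cand) if c == "*" or o == c)
    return hits / len(obs)


def match_fingerprint(observed, db=FINGERPRINTS, top=3):
    """Rank database entries by match percentage, best first, ties broken by
    name. This is a simple positional match; the real tools' weighting is
    not documented here."""
    ranked = sorted(
        ((name, round(100 * score(observed, fp), 2)) for name, fp in db.items()),
        key=lambda entry: (-entry[1], entry[0]),
    )
    return ranked[:top]


if __name__ == "__main__":
    for name, pct in match_fingerprint(OBSERVED):
        print(f"{name:<20} {pct} %")
```

Entries A and B both score 100 %, which shows why two products with identical reply behaviour cannot be separated by this method alone and why a banner or HELP response is still worth collecting.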

Most of the time an accurate SMTP service banner is presented, so deep analysis isn't required. Example 10-3 shows that the TrustMatta mail server is running Lotus Domino Version 6 beta.

Example 10-3. The SMTP service banner for mail.trustmatta.com is revealed
# telnet mail.trustmatta.com 25
Trying 192.168.0.1...
Connected to mail.trustmatta.com.
Escape character is '^]'.
220 mail.trustmatta.com ESMTP Service (Lotus Domino Build V65_M2) ready at Tue, 30 Sep 2003 16:34:33 +0100

10.2.2 Sendmail

Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD, and others. Sendmail is particularly vulnerable to information leak attacks in which local account usernames can be extracted, and process-manipulation attacks in which Sendmail functions such as prescan( ) are abused to execute arbitrary code.

10.2.2.1 Sendmail information leak exposures

If the Sendmail banner is obfuscated or modified, the true version of Sendmail can usually be ascertained by issuing a HELP command, as shown in Example 10-4; in this case it reveals that the server is running SMI Sendmail 8.9.3.

Example 10-4. Obtaining the exact version of Sendmail using HELP
# telnet mx4.sun.com 25
Trying 192.18.42.14...
Connected to nwkea-mail-2.sun.com.
Escape character is '^]'.
220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan 2003 02:25:20 -0800 (PST)
HELO world
250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk [62.49.20.20] (may be forged), pleased to meet you
HELP
214-This is Sendmail version 8.9.3+Sun
214-Commands:
214-    HELO    MAIL    RCPT    DATA    RSET
214-    NOOP    QUIT    HELP    VRFY    EXPN
214-For more info use "HELP <topic>".
214-smtp
214-To report bugs in the implementation contact Sun Microsystems
214-Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info

Valid local user account details can be enumerated by issuing EXPN, VRFY, or RCPT TO: commands, as discussed in the following examples.

10.2.2.1.1 EXPN

The Sendmail EXPN command is historically used to expand details for a given email address, as shown in Example 10-5.

Example 10-5. Using EXPN to enumerate local users
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <chris.mcnab@trustmatta.com>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>

By analyzing the responses to these EXPN commands, I ascertain that the test user account doesn't exist, mail for root is forwarded to chris.mcnab@trustmatta.com, and an sshd user account is allocated for privilege separation (privsep) purposes.

10.2.2.1.2 VRFY

The Sendmail VRFY command is historically used to verify that a given SMTP email address is valid. I can abuse this feature to enumerate valid local user accounts, as detailed in Example 10-6.

Example 10-6. Using VRFY to enumerate local users
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
VRFY test
550 5.1.1 test... User unknown
VRFY chris
250 2.1.5 Chris McNab <chris@mail2>

10.2.2.1.3 RCPT TO:

The RCPT TO: technique is extremely effective at enumerating local user accounts on most Sendmail servers. Many security-conscious network administrators ensure that EXPN and VRFY commands don't return user information, but RCPT TO: enumeration takes advantage of a vulnerability deep within Sendmail (one that isn't easily removed). Example 10-7 shows standard HELO and MAIL FROM: commands being issued, along with a plethora of RCPT TO: commands to enumerate local users.

Example 10-7. Using RCPT TO: to enumerate local users
# telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok

Even Sendmail services protected by a firewall SMTP proxy (such as the SMTP fixup functionality within Cisco PIX) are vulnerable to the RCPT TO: attack. Example 10-8 demonstrates how suspicious commands such as EXPN, VRFY, and HELP are filtered, but RCPT TO: enumeration is still possible.

Example 10-8. Enumerating users through a firewall with an SMTP proxy
# telnet 10.0.10.10 25
Trying 10.0.10.10...
Connected to 10.0.10.10.
Escape character is '^]'.
220 ************************0*0*0*0*0*0*******2******2002********0
HELO world
250 mailserv.trustmatta.com Hello onyx [192.168.0.252], pleased to meet you
EXPN test
500 5.5.1 Command unrecognized: "XXXX test"
VRFY test
500 5.5.1 Command unrecognized: "XXXX test"
HELP
500 5.5.1 Command unrecognized: "XXXX"
MAIL FROM:test@test.org
250 2.1.0 test@test.org... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
RCPT TO:nick
250 2.1.5 nick... Recipient ok

10.2.2.2 Automating Sendmail user enumeration

Both RCPT TO: and VRFY user enumeration attacks can be automatically launched from the Brutus brute-force utility available from http://www.hoobie.net/brutus/. The Brutus program uses plug-ins known as Brutus Application Definition (BAD) files, and the following BAD files allow you to perform user enumeration attacks:

http://www.hoobie.net/brutus/SMTP_VRFY_User.bad
http://www.hoobie.net/brutus/SMTP_RCPT_User.bad

mailbrute is another utility that can enumerate valid user accounts through this technique. The tool, which is available from http://examples.oreilly.com/networksa/tools/mailbrute.c, can be compiled and run from any Unix-like environment.
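From the defender's side, the RCPT TO: pattern of Examples 10-7 and 10-8 is easy to spot in mail server logs: one client racks up many "User unknown" rejections for different recipients in a short time. The following Python snippet is an added example, not code from the chapter, Brutus, or mailbrute; it runs over constructed log lines in a simplified Sendmail-like format (an assumption of this example; the regular expression must be adapted to your own MTA's log format) and flags clients that probe several nonexistent recipients.

```python
import re
from collections import defaultdict

# Constructed log lines (not a real capture) in a simplified Sendmail-like
# format. The first client walks a wordlist; the second mistypes one address.
LOG_LINES = """\
Jan  8 03:19:58 mail2 sendmail[4123]: relay=onyx [192.168.0.252], rcpt=<test@mail2>, reject=550 5.1.1 User unknown
Jan  8 03:19:59 mail2 sendmail[4123]: relay=onyx [192.168.0.252], rcpt=<admin@mail2>, reject=550 5.1.1 User unknown
Jan  8 03:19:59 mail2 sendmail[4123]: relay=onyx [192.168.0.252], rcpt=<chris@mail2>, accept=250 2.1.5 Recipient ok
Jan  8 03:20:00 mail2 sendmail[4123]: relay=onyx [192.168.0.252], rcpt=<guest@mail2>, reject=550 5.1.1 User unknown
Jan  8 03:20:01 mail2 sendmail[4123]: relay=onyx [192.168.0.252], rcpt=<backup@mail2>, reject=550 5.1.1 User unknown
Jan  8 03:25:10 mail2 sendmail[4188]: relay=mx.partner.example [10.1.1.5], rcpt=<chris@mail2>, accept=250 2.1.5 Recipient ok
Jan  8 03:25:11 mail2 sendmail[4188]: relay=mx.partner.example [10.1.1.5], rcpt=<chirs@mail2>, reject=550 5.1.1 User unknown
"""

# Pulls the client IP, the local part of the recipient, and the verdict.
LINE_RE = re.compile(
    r"relay=\S+ \[(?P<ip>[\d.]+)\], rcpt=<(?P<user>[^@>]+)[^>]*>, "
    r"(?P<verdict>reject=550|accept=250)")


def summarize_rcpt(lines):
    """Per client IP: the set of unknown recipients tried and the number of
    accepted recipients."""
    stats = defaultdict(lambda: {"unknown": set(), "accepted": 0})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        entry = stats[m.group("ip")]
        if m.group("verdict").startswith("reject"):
            entry["unknown"].add(m.group("user"))
        else:
            entry["accepted"] += 1
    return stats


def flag_enumeration(lines, threshold=3):
    """Return client IPs that were rejected for at least `threshold` distinct
    nonexistent recipients. A genuine correspondent mistypes an address now
    and then; an enumeration run produces a burst of distinct rejections."""
    stats = summarize_rcpt(lines)
    return sorted(ip for ip, s in stats.items() if len(s["unknown"]) >= threshold)


if __name__ == "__main__":
    print(flag_enumeration(LOG_LINES.splitlines()))
```

A real deployment would apply the same counting inside a sliding time window and feed the result to an alert or a rate limit on the offending address.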

10.2.2.3 Sendmail process manipulation vulnerabilities

Over the years, plenty of remote vulnerabilities have been found in Sendmail. Table 10-1 lists the serious remotely exploitable Sendmail vulnerabilities (not including denial-of-service or locally exploitable issues) detailed in the MITRE CVE list at the time of writing.

Table 10-1. Remotely exploitable Sendmail vulnerabilities

CVE name        Date         Notes
CVE-1999-0047   01/01/1997   MIME overflow in Sendmail 8.8.3 and 8.8.4.
CVE-1999-0163   Unknown      In older versions of Sendmail, an attacker could use a pipe character to execute root commands.
CVE-1999-0204   23/02/1995   Sendmail 8.6.9 remote ident overflow.
CVE-1999-0206   08/10/1996   MIME overflow in Sendmail 8.8.0 and 8.8.1.
CVE-1999-1506   29/01/1990   Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote bin access.
CVE-2002-1337   03/03/2003   Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, as processed by the crackaddr( ) function of headers.c.
CVE-2003-0161   29/03/2003   The prescan( ) function in Sendmail before 8.12.9 doesn't properly handle certain conversions from char and int types, causing denial of service or possible execution of arbitrary code.
CVE-2003-0694   17/09/2003   The prescan( ) function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code.

10.2.3 Microsoft Exchange SMTP Service

The SMTP component of Microsoft Exchange is fairly resilient to remote attack, and has been found to be susceptible to only two remotely exploitable buffer overflows that result in arbitrary commands being executed: the EHLO command reverse DNS lookup overflow (CVE-2002-0698) and the XEXCH50 request heap overflow (CVE-2003-0714). The other serious remotely exploitable issues publicized over recent years are denial-of-service and mail-relay problems. Table 10-2 lists these remotely exploitable issues as found in the MITRE CVE list at the time of writing.

Table 10-2. Remotely exploitable Exchange SMTP vulnerabilities

CVE name        Date         Notes
CVE-1999-0284   01/01/1998   Exchange 4.0 and 5.0 HELO denial of service bug.
CVE-1999-0682   06/08/1999   Exchange 5.5 allows a remote attacker to relay email using encapsulated SMTP addresses.
CVE-1999-0945   24/07/1998   Exchange 5.0 and 5.5 AUTH and AUTHINFO denial-of-service vulnerability.
CVE-1999-1043   24/07/1998   Exchange 5.0 and 5.5 malformed SMTP data denial-of-service vulnerability.
CVE-2000-1006   31/10/2000   Exchange Server 5.5 malformed MIME header denial-of-service vulnerability.
CVE-2002-0054   27/02/2002   SMTP service in Windows 2000 and Exchange 5.5 allows mail relay through a null AUTH command.
CVE-2002-0055   27/02/2002   SMTP service in Windows 2000, Windows XP Professional, and Exchange 2000 malformed BDAT command denial-of-service vulnerability.
CVE-2002-0698   25/07/2002   Exchange 5.5 allows remote attackers to execute arbitrary code via an EHLO request from a system with a long name as obtained through a reverse DNS lookup, triggering a buffer overflow.
CVE-2003-0714   15/10/2003   Exchange 5.5 and 2000 allows remote attackers to execute arbitrary code via a crafted XEXCH50 request.

10.2.4 SMTP Open Relay Testing

Poorly configured SMTP services are used to relay unsolicited email, in much the same way as open web proxy servers (see Section 6.4.6). Example 10-9 shows a poorly configured Microsoft Exchange server being abused by an attacker to relay email.

Example 10-9. Sending email to spam_me@hotmail.com through mail.example.org
# telnet mail.example.org 25
Trying 192.168.0.25...
Connected to 192.168.0.25.
Escape character is '^]'.
220 mail.example.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sun, 5 Oct 2003 18:50:59 +0100
HELO
250 mail.example.org Hello [192.168.0.1]
MAIL FROM: spammer@spam.com
250 2.1.0 spammer@spam.com....Sender OK
RCPT TO: spam_me@hotmail.com
250 2.1.5 spam_me@hotmail.com
DATA
354 Start mail input; end with <CRLF>.<CRLF>

This is a spam test!

.
250 2.6.0 <MAIL7jF0R3rfWX300000001@mail.example.org> Queued mail for delivery
QUIT

Most systems respond to a RCPT TO: request in the following manner if you attempt to relay unsolicited email through them:

RCPT TO: spam_me@hotmail.com
550 5.7.1 Unable to relay for spam_me@hotmail.com

The following Microsoft KB articles discuss SMTP service configuration relating to open relays and the Exchange SMTP subsystem:

http://support.microsoft.com/?kbid=324958
http://support.microsoft.com/?kbid=310380

10.2.5 SMTP Relay and Anti-Virus Circumvention

Many organizations run inbound SMTP relay servers that "scrub" email to detect and remove viruses, spam, and other adverse material before forwarding it to the internal network. In some cases these services can be circumvented, as discussed next.

In 2000, I identified a serious flaw in Clearswift MAILsweeper 4.2 that used malformed MIME headers to relay viruses without being quarantined. Since then, other security issues have been identified within MAILsweeper that can relay viruses unchecked. Table 10-3 summarizes the issues identified in MAILsweeper as listed in the ISS X-Force database at http://xforce.iss.net.

Table 10-3. MAILsweeper circumvention issues

ISS XFID   Notes
6801       MAILsweeper 4.2 and prior "file blocker" filter bypass
11495      MAILsweeper 4.3.7 and prior MIME encapsulation filter bypass
11745      MAILsweeper 4.3.6 SP1 and prior "on strip successful" filter bypass

The malformed MIME headers issue was reported to the vendor in February 2001 and is listed in Table 10-3 as the "file blocker" filter bypass. The technique was extremely simple, involving two MIME fields related to email attachments (filename and name).

Example 10-10 shows a legitimate email message and attachment generated by Outlook or any current email client, from john@example.org to mickey@example.org with the text/plain attachment report.txt.

Example 10-10. A standard Outlook generated email message with an attachment
From: John Smith <john@example.org>
To: Mickey Mouse <mickey@example.org>
Subject: That report
Date: Thurs, 22 Feb 2001 13:38:19 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.23)
Content-Type: multipart/mixed ;
boundary="----_=_NextPart_000_02D35B68.BA121FA3"
Status: RO

This message is in MIME format. Since your mail reader doesn't
understand this format, some or all of this message may not be
legible.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

Mickey,

Here's that report you were after.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
        name="report.txt"
Content-Disposition: attachment;
        filename="report.txt"

< data for the text document here >

------_=_NextPart_000_02D35B68.BA121FA3

The vulnerability exists in the way that the MAILsweeper SMTP relay and Outlook email clients open the report.txt file. The MAILsweeper gateway reads the name value (report.txt) when processing and scanning the file for viruses and malicious code, and the Outlook client reads the filename value (report.txt) when opening and processing the file on the user desktop.

Any type of malicious virus or Trojan horse program can pass through this filter and make its way to the user desktop by modifying the MIME name and filename values. To send a malicious executable, set the name to an unobjectionable value that won't be processed for virus code (report.txt) and the filename value to a type that will be executed client-side (report.vbs), as shown here:

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
        name="report.txt"
Content-Disposition: attachment;
        filename="report.vbs"
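The gateway-side fix is to stop trusting either parameter alone and to flag any attachment whose two names disagree. The following Python snippet is an added example, not code from the chapter or from any MAILsweeper product; it parses a constructed message modeled on Example 10-10 (with the mismatched name/filename pair shown above) using the standard library email module and reports the offending attachments.

```python
import email
from email.utils import collapse_rfc2231_value

# Constructed test message (not a real capture), modeled on Example 10-10 but
# carrying the name/filename mismatch: the gateway sees report.txt, the client
# saves report.vbs. A short boundary is used for readability.
SAMPLE = """\
From: John Smith <john@example.org>
To: Mickey Mouse <mickey@example.org>
Subject: That report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="PART"

--PART
Content-Type: text/plain; charset="iso-8859-1"

Here's that report you were after.
--PART
Content-Type: text/plain;
        name="report.txt"
Content-Disposition: attachment;
        filename="report.vbs"

< data for the text document here >
--PART--
"""


def _param(part, header, param):
    """Read one MIME parameter, tolerating RFC 2231 encoded values."""
    value = part.get_param(param, header=header)
    if isinstance(value, tuple):
        value = collapse_rfc2231_value(value)
    return value


def attachment_names(raw):
    """List (Content-Type name, Content-Disposition filename) for every
    attachment part of a raw RFC 2822 message."""
    msg = email.message_from_string(raw)
    return [(_param(part, "content-type", "name"),
             _param(part, "content-disposition", "filename"))
            for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def find_mismatched_attachments(raw):
    """Return the pairs a scanning gateway should reject: the name it scans
    by differs from the filename the client saves by, or either is missing."""
    return [(n, f) for n, f in attachment_names(raw)
            if n is None or f is None or n.lower() != f.lower()]
```

Comparing the full names rather than only the extensions also catches the case where the attachment is renamed outright; a gateway that wants to be lenient can relax the check to the extension alone.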

There are plenty of these issues within filtering packages such as MIMEsweeper. It is therefore important that networks are set up with defense in depth, to prevent known viruses from being pushed through such filters and making their way to the user desktop.

To learn more, check CVE-2002-1121 in the MITRE CVE list at http://cve.mitre.org, which relates to RFC2046 message fragmentation and assembly. The following SMTP gateway products are susceptible to mail-fragmentation issues:

  • GFI MailSecurity for Exchange prior to Version 7.2

  • InterScan VirusWall prior to Version 3.52 build 1494

  • MIMEDefang prior to Version 2.21



     