Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.

10.2.1 SMTP Service Fingerprinting

Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular perform a number of tests to ascertain the SMTP service in use:[1]

- smtpmap
- smtpscan
Both tools are launched from Unix-like platforms. Example 10-1 shows the smtpmap command in use, identifying the mail service on mail.trustmatta.com as Lotus Domino 5.0.9a.

Example 10-1. The smtpmap tool in use

    # smtpmap mail.trustmatta.com
    smtp-map 0.8
    Scanning mail.trustmatta.com ( [ 192.168.0.1 ] mail )
    100 % done scan
    According to configuration the server matches the following :
    Version                                           Probability
    Lotus Domino Server 5.0.9a                        100 %
    Microsoft MAIL Service, Version: 5.5.1877.197.1   90.2412 %
    Microsoft MAIL Service, Version: 5.0.2195.2966    87.6661 %
    According to RFC the server matches the following :
    Version                                           Probability
    Lotus Domino Server 5.0.9a                        100 %
    AnalogX Proxy 4.10                                85.4869 %
    Sendmail 8.10.1                                   76.1912 %
    Overall Fingerprinting the server matches the following :
    Version                                           Probability
    Lotus Domino Server 5.0.9a                        100 %
    Exim 4.04                                         67.7031 %
    Exim 4.10 (without auth)                          66.7393 %

The smtpscan utility analyzes slightly different aspects of the SMTP service, predicting that the same SMTP service is Lotus Domino 5.0.8, as shown in Example 10-2.

Example 10-2. The smtpscan tool in use

    # smtpscan mail.trustmatta.com
    smtpscan version 0.1
    Scanning mail.trustmatta.com (192.168.0.1) port 25
    15 tests available
    77 fingerprints in the database
    ...............
    Result -- 250:501:501:250:501:250:250:214:252:252:502:250:250:250:250
    SMTP server corresponding :
    - Lotus Domino Release 5.0.8

Most of the time an accurate SMTP service banner is presented, so deep analysis isn't required. Example 10-3 shows that the TrustMatta mail server is running Lotus Domino Version 6 beta.

Example 10-3. The SMTP service banner for mail.trustmatta.com is revealed

    # telnet mail.trustmatta.com 25
    Trying 192.168.0.1...
    Connected to mail.trustmatta.com.
    Escape character is '^]'.
    220 mail.trustmatta.com ESMTP Service (Lotus Domino Build V65_M2) ready at Tue, 30 Sep 2003 16:34:33 +0100

10.2.2 Sendmail

Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD, and others.
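Whether the banner is accurate, obfuscated, or only exposed through a multi-line reply, the same parsing problem comes up when you inventory what your own mail servers disclose. The following Python is an added example written for this section; it is not code from the book or from the smtpmap/smtpscan projects. It assembles multi-line SMTP replies according to RFC 5321 section 4.2 (same three-digit code on every line, "-" for continuation, a space on the final line) and then looks for a product string. The transcript lines are constructed from the greeting in Example 10-3, an obfuscated Sendmail greeting, and a Sendmail HELP reply; the regular expressions in DISCLOSURE_PATTERNS are my own and cover only the products that appear in this section.

```python
import re

# Constructed reply lines (not a live capture): the 220 greeting from
# Example 10-3, an obfuscated 220 greeting, and a multi-line 214 HELP
# reply of the kind Sendmail returns.
DOMINO_BANNER = [
    "220 mail.trustmatta.com ESMTP Service (Lotus Domino Build V65_M2) "
    "ready at Tue, 30 Sep 2003 16:34:33 +0100",
]
OBFUSCATED_BANNER = [
    "220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan 2003 02:25:20 -0800 (PST)",
]
HELP_REPLY = [
    "214-This is Sendmail version 8.9.3+Sun",
    "214-Commands:",
    "214-    HELO    MAIL    RCPT    DATA    RSET",
    "214-    NOOP    QUIT    HELP    VRFY    EXPN",
    '214-For more info use "HELP <topic>".',
    "214 End of HELP info",
]

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(lines):
    """Assemble one SMTP reply (RFC 5321, section 4.2). Every line starts
    with the same three-digit code; '-' after the code means another line
    follows, a space marks the final line. Returns (code, [text lines])."""
    code, texts = None, []
    for raw in lines:
        m = REPLY_LINE.match(raw.rstrip("\r\n"))
        if not m:
            raise ValueError("not an SMTP reply line: %r" % raw)
        line_code, sep, text = m.groups()
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed mid-reply: %s -> %s" % (code, line_code))
        texts.append(text)
        if sep == " ":
            return code, texts
    raise ValueError("reply never terminated (no '<code><space>' line)")


# Product strings that the transcripts in this section disclose. A banner
# stripped of its version (e.g. "ESMTP Sendmail ready") matches none of
# these, which is exactly when a HELP reply becomes the next place to look.
DISCLOSURE_PATTERNS = [
    re.compile(r"This is (Sendmail version \S+)"),
    re.compile(r"ESMTP (Sendmail \d\S*)"),
    re.compile(r"\((Lotus Domino [^)]*)\)"),
    re.compile(r"(Microsoft ESMTP MAIL Service, Version: [\d.]+)"),
]


def disclosed_software(*replies):
    """Return the first recognisable product/version string in the given
    parsed replies, or None if the server discloses nothing we recognise."""
    for _code, texts in replies:
        for text in texts:
            for pattern in DISCLOSURE_PATTERNS:
                m = pattern.search(text)
                if m:
                    return m.group(1)
    return None


if __name__ == "__main__":
    for label, lines in (("Domino banner", DOMINO_BANNER),
                         ("obfuscated banner", OBFUSCATED_BANNER),
                         ("HELP reply", HELP_REPLY)):
        code, texts = parse_reply(lines)
        print("%-18s code=%s discloses=%s" % (label, code, disclosed_software((code, texts))))
```

Feeding the obfuscated banner alone yields None, while passing the banner together with the parsed HELP reply yields "Sendmail version 8.9.3+Sun", which is the disclosure a hardened banner was meant to hide; running this against your own servers tells you which of them still answer HELP with a version string.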
Sendmail is particularly vulnerable to information leak attacks, in which local account usernames can be extracted, and to process-manipulation attacks, in which Sendmail functions such as prescan( ) are abused to execute arbitrary code.

10.2.2.1 Sendmail information leak exposures

If the Sendmail banner is obfuscated or modified, the true version of Sendmail can usually be ascertained by issuing a HELP command, as shown in Example 10-4; in this case it reveals that the server is running SMI Sendmail 8.9.3.

Example 10-4. Obtaining the exact version of Sendmail using HELP

    # telnet mx4.sun.com 25
    Trying 192.18.42.14...
    Connected to nwkea-mail-2.sun.com.
    Escape character is '^]'.
    220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan 2003 02:25:20 -0800 (PST)
    HELO world
    250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk [62.49.20.20] (may be forged), pleased to meet you
    HELP
    214-This is Sendmail version 8.9.3+Sun
    214-Commands:
    214-    HELO    MAIL    RCPT    DATA    RSET
    214-    NOOP    QUIT    HELP    VRFY    EXPN
    214-For more info use "HELP <topic>".
    214-smtp
    214-To report bugs in the implementation contact Sun Microsystems
    214-Technical Support.
    214-For local information contact postmaster at this site.
    214 End of HELP info

Valid local user account details can be enumerated by issuing EXPN, VRFY, or RCPT TO: commands, as discussed in the following examples.

10.2.2.1.1 EXPN

The Sendmail EXPN command is historically used to expand details for a given email address, as shown in Example 10-5.

Example 10-5. Using EXPN to enumerate local users

    # telnet 10.0.10.11 25
    Trying 10.0.10.11...
    Connected to 10.0.10.11.
    Escape character is '^]'.
    220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
    HELO world
    250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
    EXPN test
    550 5.1.1 test... User unknown
    EXPN root
    250 2.1.5 <chris.mcnab@trustmatta.com>
    EXPN sshd
    250 2.1.5 sshd privsep <sshd@mail2>

By analyzing the responses to these EXPN commands, I ascertain that the test user account doesn't exist, mail for root is forwarded to chris.mcnab@trustmatta.com, and an sshd user account is allocated for privilege separation (privsep) purposes.

10.2.2.1.2 VRFY

The Sendmail VRFY command is historically used to verify that a given SMTP email address is valid. I can abuse this feature to enumerate valid local user accounts, as detailed in Example 10-6.

Example 10-6. Using VRFY to enumerate local users

    # telnet 10.0.10.11 25
    Trying 10.0.10.11...
    Connected to 10.0.10.11.
    Escape character is '^]'.
    220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
    HELO world
    250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
    VRFY test
    550 5.1.1 test... User unknown
    VRFY chris
    250 2.1.5 Chris McNab <chris@mail2>

10.2.2.1.3 RCPT TO:

The RCPT TO: technique is extremely effective at enumerating local user accounts on most Sendmail servers. Many security-conscious network administrators ensure that EXPN and VRFY commands don't return user information, but RCPT TO: enumeration takes advantage of a vulnerability deep within Sendmail (one that isn't easily removed). Example 10-7 shows standard HELO and MAIL FROM: commands being issued, along with a plethora of RCPT TO: commands to enumerate local users.

Example 10-7. Using RCPT TO: to enumerate local users

    # telnet 10.0.10.11 25
    Trying 10.0.10.11...
    Connected to 10.0.10.11.
    Escape character is '^]'.
    220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
    HELO world
    250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
    MAIL FROM:test@test.org
    250 2.1.0 test@test.org... Sender ok
    RCPT TO:test
    550 5.1.1 test... User unknown
    RCPT TO:admin
    550 5.1.1 admin... User unknown
    RCPT TO:chris
    250 2.1.5 chris... Recipient ok

Even Sendmail services protected by a firewall SMTP proxy (such as the SMTP fixup functionality within Cisco PIX) are vulnerable to the RCPT TO: attack. Example 10-8 demonstrates how suspicious commands such as EXPN, VRFY, and HELP are filtered, but RCPT TO: enumeration is still possible.

Example 10-8. Enumerating users through a firewall with an SMTP proxy

    # telnet 10.0.10.10 25
    Trying 10.0.10.10...
    Connected to 10.0.10.10.
    Escape character is '^]'.
    220 ************************0*0*0*0*0*0*******2******2002********0
    HELO world
    250 mailserv.trustmatta.com Hello onyx [192.168.0.252], pleased to meet you
    EXPN test
    500 5.5.1 Command unrecognized: "XXXX test"
    VRFY test
    500 5.5.1 Command unrecognized: "XXXX test"
    HELP
    500 5.5.1 Command unrecognized: "XXXX"
    MAIL FROM:test@test.org
    250 2.1.0 test@test.org... Sender ok
    RCPT TO:test
    550 5.1.1 test... User unknown
    RCPT TO:chris
    250 2.1.5 chris... Recipient ok
    RCPT TO:nick
    250 2.1.5 nick... Recipient ok

10.2.2.2 Automating Sendmail user enumeration

Both RCPT TO: and VRFY user enumeration attacks can be launched automatically from the Brutus brute-force utility, available from http://www.hoobie.net/brutus/. Brutus uses plug-ins known as Brutus Application Definition (BAD) files, and the following BAD files allow you to perform user enumeration attacks:
mailbrute is another utility that can enumerate valid user accounts through this technique. The tool, which is available from http://examples.oreilly.com/networksa/tools/mailbrute.c, can be compiled and run from any Unix-like environment.

10.2.2.3 Sendmail process manipulation vulnerabilities

Over the years, plenty of remote vulnerabilities have been found in Sendmail. At the time of writing, the MITRE CVE list details the following serious vulnerabilities in Sendmail (not including denial of service or locally exploitable issues), as shown in Table 10-1.
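Because RCPT TO: enumeration cannot be switched off the way EXPN and VRFY can, the defender's counterpart to Examples 10-7 and 10-8 is to notice it in the mail log: every probe of a non-existent user produces a "550 5.1.1 ... User unknown" rejection, and a run of them from one client in a short window is the signature. The following Python is an added example written for this section, not code from the book or from Sendmail. The log lines are constructed to approximate Sendmail's syslog format for a check_rcpt rejection; the threshold, window, and the supplied year are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines (not a real capture) approximating how Sendmail
# logs recipient rejections: one line per "User unknown" reply. The first
# five model the Example 10-7 probes from onyx [192.168.0.252]; the rest
# are ordinary traffic that must not raise an alert.
SAMPLE_LOG = """\
Jan  8 03:19:58 mail2 sendmail[4211]: h08AJwq004211: ruleset=check_rcpt, arg1=<test@mail2>, relay=onyx [192.168.0.252] (may be forged), reject=550 5.1.1 <test@mail2>... User unknown
Jan  8 03:19:59 mail2 sendmail[4211]: h08AJwq004211: ruleset=check_rcpt, arg1=<admin@mail2>, relay=onyx [192.168.0.252] (may be forged), reject=550 5.1.1 <admin@mail2>... User unknown
Jan  8 03:20:00 mail2 sendmail[4211]: h08AJwq004211: ruleset=check_rcpt, arg1=<guest@mail2>, relay=onyx [192.168.0.252] (may be forged), reject=550 5.1.1 <guest@mail2>... User unknown
Jan  8 03:20:01 mail2 sendmail[4211]: h08AJwq004211: ruleset=check_rcpt, arg1=<backup@mail2>, relay=onyx [192.168.0.252] (may be forged), reject=550 5.1.1 <backup@mail2>... User unknown
Jan  8 03:20:02 mail2 sendmail[4211]: h08AJwq004211: ruleset=check_rcpt, arg1=<www@mail2>, relay=onyx [192.168.0.252] (may be forged), reject=550 5.1.1 <www@mail2>... User unknown
Jan  8 03:20:05 mail2 sendmail[4211]: h08AJwq004211: from=<test@test.org>, size=412, class=0, nrcpts=1, proto=SMTP, relay=onyx [192.168.0.252] (may be forged)
Jan  8 03:25:10 mail2 sendmail[4300]: h08AP9x004300: ruleset=check_rcpt, arg1=<chriss@mail2>, relay=mx.partner.example [198.51.100.9], reject=550 5.1.1 <chriss@mail2>... User unknown
"""

REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r".*?arg1=<(?P<rcpt>[^>]*)>, relay=.*?\[(?P<ip>[\d.]+)\]"
    r".*?reject=550 5\.1\.1 .*?User unknown"
)


def parse_rejections(log_text, year=2003):
    """Yield (timestamp, client_ip, recipient) for each 'User unknown'
    rejection. Syslog lines carry no year, so one is supplied (assumed)."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("rcpt")


def detect_enumeration(log_text, threshold=5, window_seconds=60):
    """Flag every client that accumulates `threshold` or more unknown-user
    rejections inside a sliding window of `window_seconds`. Returns a list
    of (ip, first_seen, last_seen, recipients_probed), one entry per client."""
    recent = defaultdict(deque)  # ip -> (timestamp, recipient) pairs inside the window
    alerts = {}
    for ts, ip, rcpt in parse_rejections(log_text):
        window = recent[ip]
        window.append((ts, rcpt))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = (ip, window[0][0], ts, [r for _, r in window])
    return list(alerts.values())


if __name__ == "__main__":
    for ip, first, last, probed in detect_enumeration(SAMPLE_LOG):
        print("%s probed %d recipients between %s and %s: %s"
              % (ip, len(probed), first.time(), last.time(), ", ".join(probed)))
```

The single mistyped address from the partner relay stays below the threshold, while the burst from 192.168.0.252 is reported once with the list of names it tried. On the Sendmail side, EXPN and VRFY are disabled with the noexpn and novrfy privacy flags (confPRIVACY_FLAGS in the m4 configuration; goaway bundles these with the other restrictive flags), and Sendmail 8.12 and later can slow a client that keeps hitting unknown recipients via the BadRcptThrottle option (confBAD_RCPT_THROTTLE), which makes the detection above both rarer to trigger and cheaper to tolerate.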
10.2.3 Microsoft Exchange SMTP Service

The SMTP component of Microsoft Exchange is fairly resilient to remote attack, and has been found to be susceptible to only two remotely exploitable buffer overflows that result in arbitrary commands being executed: the EHLO command reverse DNS lookup overflow (CVE-2002-0698) and the XEXCH50 request heap overflow (CVE-2003-0714). The other remotely exploitable issues publicized in recent years are denial-of-service and mail-relay problems. Table 10-2 lists these remotely exploitable issues as found in the MITRE CVE list at the time of writing.
10.2.4 SMTP Open Relay Testing

Poorly configured SMTP services are used to relay unsolicited email, in much the same way as open web proxy servers (see Section 6.4.6). Example 10-9 shows a poorly configured Microsoft Exchange server being abused by an attacker to relay email.

Example 10-9. Sending email to spam_me@hotmail.com through mail.example.org

    # telnet mail.example.org 25
    Trying 192.168.0.25...
    Connected to 192.168.0.25.
    Escape character is '^]'.
    220 mail.example.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sun, 5 Oct 2003 18:50:59 +0100
    HELO
    250 mail.example.org Hello [192.168.0.1]
    MAIL FROM: spammer@spam.com
    250 2.1.0 spammer@spam.com....Sender OK
    RCPT TO: spam_me@hotmail.com
    250 2.1.5 spam_me@hotmail.com
    DATA
    354 Start mail input; end with <CRLF>.<CRLF>
    This is a spam test!
    .
    250 2.6.0 <MAIL7jF0R3rfWX300000001@mail.example.org> Queued mail for delivery
    QUIT

Most systems respond to a RCPT TO: request in the following manner if you attempt to relay unsolicited email through them:

    RCPT TO: spam_me@hotmail.com
    550 5.7.1 Unable to relay for spam_me@hotmail.com

The following Microsoft KB articles discuss SMTP service configuration relating to open relays and the Exchange SMTP subsystem:
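The difference between the two transcripts above is a single server-side decision at RCPT TO: time. The following Python is an added example written for this section, not code from the book or from any MTA; it models that decision as a small policy and replays the envelope commands from Example 10-9 against both the misconfigured (open) policy and a corrected one. The hosted domain, the trusted 192.168.0.0/24 network, the outside client address (from the TEST-NET-3 range), and the 503 wording are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values for this example: a hosted domain, a trusted internal
# network, and an outside client address from the TEST-NET-3 range.
LOCAL_DOMAINS = {"example.org"}
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]
OUTSIDE_CLIENT = "203.0.113.7"


@dataclass
class RelayPolicy:
    """Server-side recipient check. A recipient is accepted when the message
    is for a domain we host, or when the client is one we have agreed to
    relay for (inside a trusted network, or authenticated). open_relay=True
    reproduces the misconfiguration in Example 10-9: everything is accepted."""
    local_domains: set
    relay_networks: list = field(default_factory=list)
    open_relay: bool = False

    def rcpt_reply(self, client_ip, recipient, authenticated=False):
        domain = recipient.rpartition("@")[2].lower()
        if self.open_relay or domain in self.local_domains or authenticated:
            return "250 2.1.5 %s" % recipient
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.relay_networks):
            return "250 2.1.5 %s" % recipient
        return "550 5.7.1 Unable to relay for %s" % recipient


def run_session(policy, client_ip, commands, authenticated=False):
    """Replay the envelope part of an SMTP session against the policy and
    return one server reply per command. DATA is refused unless at least
    one recipient was accepted, so a rejected relay never gets a body."""
    replies, accepted = [], 0
    for cmd in commands:
        verb = cmd.split(":", 1)[0].strip().upper()
        arg = cmd.split(":", 1)[1].strip() if ":" in cmd else ""
        if verb in ("HELO", "EHLO"):
            reply = "250 mail.example.org Hello [%s]" % client_ip
        elif verb == "MAIL FROM":
            reply = "250 2.1.0 %s....Sender OK" % arg
        elif verb == "RCPT TO":
            reply = policy.rcpt_reply(client_ip, arg, authenticated)
            accepted += reply.startswith("250")
        elif verb == "DATA":
            reply = ("354 Start mail input; end with <CRLF>.<CRLF>" if accepted
                     else "503 5.5.2 Need a valid recipient before DATA")  # constructed wording
        elif verb == "QUIT":
            reply = "221 2.0.0 Service closing transmission channel"
        else:
            reply = "500 5.5.1 Command unrecognized"
        replies.append(reply)
    return replies


# The client side of Example 10-9, minus the message body.
SPAM_ATTEMPT = ["HELO", "MAIL FROM: spammer@spam.com",
                "RCPT TO: spam_me@hotmail.com", "DATA", "QUIT"]
OPEN = RelayPolicy(LOCAL_DOMAINS, INTERNAL_NETWORKS, open_relay=True)
FIXED = RelayPolicy(LOCAL_DOMAINS, INTERNAL_NETWORKS)

if __name__ == "__main__":
    for label, policy in (("open relay", OPEN), ("corrected", FIXED)):
        print("--", label)
        for cmd, reply in zip(SPAM_ATTEMPT, run_session(policy, OUTSIDE_CLIENT, SPAM_ATTEMPT)):
            print(cmd)
            print(reply)
```

With the corrected policy the outside client gets the "550 5.7.1 Unable to relay" reply shown above and never reaches DATA, while mail for mickey@example.org, mail from a host inside 192.168.0.0/24, and mail from an authenticated client are still accepted. Real MTAs express the same rule in their own configuration; in Postfix, for instance, smtpd_relay_restrictions with permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination encodes exactly these three cases.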
10.2.5 SMTP Relay and Anti-Virus Circumvention

Many organizations run inbound SMTP relay servers that can "scrub" email to detect and remove viruses, spam, and other adverse material before forwarding the email to the internal network. These services can be circumvented in some cases, as discussed next.

In 2000, I identified a serious flaw in Clearswift MAILsweeper 4.2 that used malformed MIME headers to relay viruses without being quarantined. Since then, other security issues have been identified within MAILsweeper that can relay viruses unchecked. Table 10-3 summarizes the issues identified in MAILsweeper as listed in the ISS X-Force database at http://xforce.iss.net.
The malformed MIME headers issue was reported to the vendor in February 2001 and is listed in Table 10-3 as the "file blocker" filter bypass. The technique was extremely simple, involving two MIME fields related to email attachments (filename and name). Example 10-10 shows a legitimate email message and attachment generated by Outlook or any current email client, from john@example.org to mickey@example.org with the text/plain attachment report.txt.

Example 10-10. A standard Outlook generated email message with an attachment

    From: John Smith <john@example.org>
    To: Mickey Mouse <mickey@example.org>
    Subject: That report
    Date: Thurs, 22 Feb 2001 13:38:19 -0000
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.23)
    Content-Type: multipart/mixed ;
            boundary="----_=_NextPart_000_02D35B68.BA121FA3"
    Status: RO

    This message is in MIME format. Since your mail reader doesn't understand
    this format, some or all of this message may not be legible.

    - ------_=_NextPart_000_02D35B68.BA121FA3
    Content-Type: text/plain;
            charset="iso-8859-1"

    Mickey,

    Here's that report you were after.

    - ------_=_NextPart_000_02D35B68.BA121FA3
    Content-Type: text/plain;
            name="report.txt"
    Content-Disposition: attachment;
            filename="report.txt"

    < data for the text document here >

    - ------_=_NextPart_000_02D35B68.BA121FA3

The vulnerability exists in the way that the MAILsweeper SMTP relay and Outlook email clients open the report.txt file. The MAILsweeper gateway reads the name value (report.txt) when processing and scanning the file for viruses and malicious code, and the Outlook client reads the filename value (report.txt) when opening and processing the file on the user desktop. Any type of malicious virus or Trojan horse program can pass through this filter and make its way to the user desktop by modifying the MIME name and filename values.
To send a malicious executable, set the name to an unobjectionable value that won't be processed for virus code (report.txt) and the filename value to a type that the client will execute (report.vbs), as shown here:

    - ------_=_NextPart_000_02D35B68.BA121FA3
    Content-Type: text/plain;
            name="report.txt"
    Content-Disposition: attachment;
            filename="report.vbs"

There are plenty of these issues within filtering packages such as MIMEsweeper. It is therefore important that networks are set up with defense in depth, to prevent known viruses from being pushed through such filters and making their way to the user desktop. To learn more, check CVE-2002-1121 in the MITRE CVE list at http://cve.mitre.org, which relates to RFC 2046 message fragmentation and assembly. The following SMTP gateway products are susceptible to mail-fragmentation issues:
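The root cause of the name/filename bypass is that the gateway and the client read different fields, so a gateway check is only sound if it evaluates every candidate name the client might act on. The following Python is an added example written for this section, not code from the book, from Clearswift or from any mail gateway. It walks a message with the standard library's email package, extracts both the Content-Type name and the Content-Disposition filename for each part, and flags an attachment when the two disagree or when either carries a blocked extension. The message is constructed after Example 10-10 (with a simplified boundary and the mismatched filename from the snippet above), and BLOCKED_EXTENSIONS is an illustrative list rather than any product's block list.

```python
import email
from email.utils import collapse_rfc2231_value

# Constructed message modelled on Example 10-10, carrying the name/filename
# mismatch described in the text. The boundary is simplified for readability.
SAMPLE = """\
From: John Smith <john@example.org>
To: Mickey Mouse <mickey@example.org>
Subject: That report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="NextPart_000"

--NextPart_000
Content-Type: text/plain; charset="iso-8859-1"

Mickey, here's that report you were after.

--NextPart_000
Content-Type: text/plain; name="report.txt"
Content-Disposition: attachment; filename="report.vbs"

< attachment data here >

--NextPart_000--
"""

# Illustrative block list for this example; a real gateway would use the
# site's own policy.
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".hta"}


def _param(part, name, header):
    """Fetch one MIME parameter from the given header, collapsing any
    RFC 2231 encoded (charset, language, value) tuple to a plain string."""
    value = part.get_param(name, header=header)
    if value is None:
        return None
    return collapse_rfc2231_value(value)


def extension(filename):
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def audit_attachments(raw_message):
    """Return one finding per attachment. Both candidate names are examined:
    'mismatch' when Content-Type name and Content-Disposition filename differ,
    'blocked-extension' when ANY of the names ends in a blocked extension.
    Judging on the name alone is the gap the MAILsweeper bypass exploited."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = _param(part, "name", "content-type")
        filename = _param(part, "filename", "content-disposition")
        if name is None and filename is None:
            continue  # inline body text, not an attachment
        reasons = []
        if name is not None and filename is not None and name != filename:
            reasons.append("mismatch")
        if any(extension(n) in BLOCKED_EXTENSIONS for n in (name, filename) if n):
            reasons.append("blocked-extension")
        findings.append({"name": name, "filename": filename, "reasons": reasons,
                         "verdict": "block" if reasons else "allow"})
    return findings


if __name__ == "__main__":
    for f in audit_attachments(SAMPLE):
        print("name=%(name)r filename=%(filename)r -> %(verdict)s %(reasons)s" % f)
```

On the sample the attachment is blocked for both reasons; change the filename back to report.txt and the same part is allowed, which is the behaviour a gateway should have had from the start: a verdict that does not depend on which of the two fields a downstream client happens to trust.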