10.2 SMTP

Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.

10.2.1 SMTP Service Fingerprinting

Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular perform a number of tests to ascertain the SMTP service in use:^[1]

^[1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

smtpmap: http://freshmeat.net/projects/smtpmap
smtpscan: http://www.greyhats.org/outils/smtpscan/smtpscan-0.2.tar.gz

Both tools are launched from Unix-like platforms. Example 10-1 shows the smtpmap command in use, identifying the mail service on mail.trustmatta.com as Lotus Domino 5.0.9a.

Example 10-1. The smtpmap tool in use

# smtpmap mail.trustmatta.com smtp-map 0.8 Scanning mail.trustmatta.com ( [ 192.168.0.1 ] mail ) 100 % done scan According to configuration the server matches the following :   Version                                       Probability Lotus Domino Server 5.0.9a                      100 % Microsoft MAIL Service, Version: 5.5.1877.197.1 90.2412 % Microsoft MAIL Service, Version: 5.0.2195.2966  87.6661 % According to RFC the server matches the following :   Version                                       Probability Lotus Domino Server 5.0.9a                      100 % AnalogX Proxy 4.10                              85.4869 % Sendmail 8.10.1                                 76.1912 % Overall Fingerprinting the server matches the following :   Version                                       Probability Lotus Domino Server 5.0.9a                      100 % Exim 4.04                                       67.7031 % Exim 4.10 (without auth)                        66.7393 %

The smtpscan utility analyzes slightly different aspects of the SMTP service, predicting that the same SMTP service is Lotus Domino 5.0.8, as shown in Example 10-2.

Example 10-2. The smtpscan tool in use

# smtpscan mail.trustmatta.com smtpscan version 0.1   Scanning mail.trustmatta.com (192.168.0.1) port 25   15 tests available   77 fingerprints in the database ............... Result -- 250:501:501:250:501:250:250:214:252:252:502:250:250:250:250 SMTP server corresponding :   - Lotus Domino Release 5.0.8

Most of the time an accurate SMTP service banner is presented, so deep analysis isn't required. Example 10-3 shows that the TrustMatta mail server is running Lotus Domino Version 6 beta.

Example 10-3. The SMTP service banner for mail.trustmatta.com is revealed

# telnet mail.trustmatta.com 25 Trying 192.168.0.1... Connected to mail.trustmatta.com. Escape character is '^]'. 220 mail.trustmatta.com ESMTP Service (Lotus Domino Build V65_M2) ready at Tue, 30 Sep 2003 16:34:33 +0100

10.2.2 Sendmail

Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD, and others. Sendmail is particularly vulnerable to information leak attacks in which local account usernames can be extracted, and process-manipulation attacks in which Sendmail functions such as prescan( ) are abused to execute arbitrary code.

10.2.2.1 Sendmail information leak exposures

If the Sendmail banner is obfuscated or modified, the true version of Sendmail can usually be ascertained by issuing a HELP command, as shown in Example 10-4; in this case it reveals that the server is running SMI Sendmail 8.9.3.

Example 10-4. Obtaining the exact version of Sendmail using HELP

# telnet mx4.sun.com 25 Trying 192.18.42.14... Connected to nwkea-mail-2.sun.com. Escape character is '^]'. 220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan 2003 02:25:20 -0800 (PST) HELO world 250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk [62.49.20.20] (may be forged), pleased to meet you HELP 214-This is Sendmail version 8.9.3+Sun 214-Commands: 214-    HELO    MAIL    RCPT    DATA    RSET 214-    NOOP    QUIT    HELP    VRFY    EXPN 214-For more info use "HELP <topic>". 214-smtp 214-To report bugs in the implementation contact Sun Microsystems 214-Technical Support. 214-For local information contact postmaster at this site. 214 End of HELP info

Valid local user account details can be enumerated by issuing EXPN, VRFY, or RCPT TO: commands, as discussed in the following examples.

10.2.2.1.1 EXPN

The Sendmail EXPN command is historically used to expand details for a given email address, as shown in Example 10-5.

Example 10-5. Using EXPN to enumerate local users

# telnet 10.0.10.11 25 Trying 10.0.10.11... Connected to 10.0.10.11. Escape character is '^]'. 220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST) HELO world 250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you EXPN test 550 5.1.1 test... User unknown EXPN root 250 2.1.5 <chris.mcnab@trustmatta.com> EXPN sshd 250 2.1.5 sshd privsep <sshd@mail2>

By analyzing the responses to these EXPN commands, I ascertain that the test user account doesn't exist, mail for root is forwarded to chris.mcnab@trustmatta.com, and an sshd user account is allocated for privilege separation (privsep) purposes.

10.2.2.1.2 VRFY

The Sendmail VRFY command is historically used to verify that a given SMTP email address is valid. I can abuse this feature to enumerate valid local user accounts, as detailed in Example 10-6.

Example 10-6. Using VRFY to enumerate local users

# telnet 10.0.10.11 25 Trying 10.0.10.11... Connected to 10.0.10.11. Escape character is '^]'. 220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST) HELO world 250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you VRFY test 550 5.1.1 test... User unknown VRFY chris 250 2.1.5 Chris McNab <chris@mail2>

10.2.2.1.3 RCPT TO:

The RCPT TO: technique is extremely effective at enumerating local user accounts on most Sendmail servers. Many security-conscious network administrators ensure that EXPN and VRFY commands don't return user information, but RCPT TO: enumeration takes advantage of a vulnerability deep within Sendmail (one that isn't easily removed). Example 10-7 shows standard HELO and MAIL FROM: commands being issued, along with a plethora of RCPT TO: commands to enumerate local users.

Example 10-7. Using RCPT TO: to enumerate local users

# telnet 10.0.10.11 25 Trying 10.0.10.11... Connected to 10.0.10.11. Escape character is '^]'. 220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST) HELO world 250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you MAIL FROM:test@test.org 250 2.1.0 test@test.org... Sender ok RCPT TO:test 550 5.1.1 test... User unknown RCPT TO:admin 550 5.1.1 admin... User unknown RCPT TO:chris 250 2.1.5 chris... Recipient ok

Even Sendmail services protected by a firewall SMTP proxy (such as the SMTP fixup functionality within Cisco PIX) are vulnerable to the RCPT TO: attack. Example 10-8 demonstrates how suspicious commands such as EXPN, VRFY, and HELP are filtered, but RCPT TO: enumeration is still possible.

Example 10-8. Enumerating users through a firewall with an SMTP proxy

# telnet 10.0.10.10 25 Trying 10.0.10.10... Connected to 10.0.10.10. Escape character is '^]'. 220 ************************0*0*0*0*0*0*******2******2002********0 HELO world 250 mailserv.trustmatta.com Hello onyx [192.168.0.252], pleased to meet you EXPN test 500 5.5.1 Command unrecognized: "XXXX test" VRFY test 500 5.5.1 Command unrecognized: "XXXX test" HELP 500 5.5.1 Command unrecognized: "XXXX" MAIL FROM:test@test.org 250 2.1.0 test@test.org... Sender ok RCPT TO:test 550 5.1.1 test... User unknown RCPT TO:chris 250 2.1.5 chris... Recipient ok RCPT TO:nick 250 2.1.5 nick... Recipient ok

10.2.2.2 Automating Sendmail user enumeration

Both RCPT TO: and VRFY user enumeration attacks can be automatically launched from the Brutus brute-force utility available from http://www.hoobie.net/brutus/. The Brutus program uses plug-ins known as Brutus Application Definition (BAD) files, and the following BAD files allow you to perform user enumeration attacks:

http://www.hoobie.net/brutus/SMTP_VRFY_User.bad

http://www.hoobie.net/brutus/SMTP_RCPT_User.bad

mailbrute is another utility that can enumerate valid user accounts through this technique. The tool, which is available from http://examples.oreilly.com/networksa/tools/mailbrute.c, can be compiled and run from any Unix-like environment.

10.2.2.3 Sendmail process manipulation vulnerabilities

Over the years, plenty of remote vulnerabilities have been found in Sendmail. At the time of writing, the MITRE CVE list details the following serious vulnerabilities in Sendmail (not including denial of service or locally exploitable issues), as shown in Table 10-1.

Table 10-1. Remotely exploitable Sendmail vulnerabilities
CVE name	Date	Notes
CVE-1999-0047	01/01/1997	MIME overflow in Sendmail 8.8.3 and 8.8.4.
CVE-1999-0163	Unknown	In older versions of Sendmail, an attacker could use a pipe character to execute root commands.
CVE-1999-0204	23/02/1995	Sendmail 8.6.9 remote ident overflow.
CVE-1999-0206	08/10/1996	MIME overflow in Sendmail 8.8.0 and 8.8.1.
CVE-1999-1506	29/01/1990	Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote bin access.
CVE-2002-1337	03/03/2003	Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, as processed by the `crackaddr( )` function of headers.c.
CVE-2003-0161	29/03/2003	The `prescan( )` function in Sendmail before 8.12.9 doesn't properly handle certain conversions from `char` and `int` types, causing denial of service or possible execution of arbitrary code.
CVE-2003-0694	17/09/2003	The `prescan( )` function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code.

10.2.3 Microsoft Exchange SMTP Service

The SMTP component of Microsoft Exchange is fairly resilient to remote attack, and has been found to be susceptible to only two remotely exploitable buffer overflows that result in arbitrary commands being executed: the EHLO command reverse DNS lookup overflow (CVE-2002-0698) and the XEXCH50 request heap overflow (CVE-2003-0714). The serious remotely exploitable issues that have been publicized over recent years are denial-of-service and mail-relay problems. Table 10-2 lists these remotely exploitable issues as found in the MITRE CVE list at the time of writing.

Table 10-2. Remotely exploitable Exchange SMTP vulnerabilities
CVE name	Date	Notes
CVE-1999-0284	01/01/1998	Exchange 4.0 and 5.0 `HELO` denial of service bug.
CVE-1999-0682	06/08/1999	Exchange 5.5 allows a remote attacker to relay email using encapsulated SMTP addresses.
CVE-1999-0945	24/07/1998	Exchange 5.0 and 5.5 `AUTH` and `AUTHINFO` denial-of-service vulnerability.
CVE-1999-1043	24/07/1998	Exchange 5.0 and 5.5 malformed SMTP data denial-of-service vulnerability.
CVE-2000-1006	31/10/2000	Exchange Server 5.5 malformed MIME header denial-of-service vulnerability.
CVE-2002-0054	27/02/2002	SMTP service in Windows 2000 and Exchange 5.5 allows mail relay through a null `AUTH` command.
CVE-2002-0055	27/02/2002	SMTP service in Windows 2000, Windows XP Professional, and Exchange 2000 malformed `BDAT` command denial-of-service vulnerability.
CVE-2002-0698	25/07/2002	Exchange 5.5 allows remote attackers to execute arbitrary code via an `EHLO` request from a system with a long name as obtained through a reverse DNS lookup, triggering a buffer overflow.
CVE-2003-0714	15/10/2003	Exchange 5.5 and 2000 allows remote attackers to execute arbitrary code via a crafted `XEXCH50` request.

10.2.4 SMTP Open Relay Testing

Poorly configured SMTP services are used to relay unsolicited email, in much the same way as open web proxy servers (see Section 6.4.6). Example 10-9 shows a poorly configured Microsoft Exchange server being abused by an attacker to relay email.

Example 10-9. Sending email to spam_me@hotmail.com through mail.example.org

# telnet mail.example.org 25 Trying 192.168.0.25... Connected to 192.168.0.25. Escape character is '^]'. 220 mail.example.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at  Sun, 5 Oct 2003 18:50:59 +0100 HELO 250 mail.example.org Hello [192.168.0.1] MAIL FROM: spammer@spam.com 250 2.1.0 spammer@spam.com....Sender OK RCPT TO: spam_me@hotmail.com 250 2.1.5 spam_me@hotmail.com DATA 354 Start mail input; end with <CRLF>.<CRLF> This is a spam test! . 250 2.6.0 <MAIL7jF0R3rfWX300000001@mail.example.org> Queued mail for delivery QUIT

Most systems respond to a RCPT TO: request in the following manner if you attempt to relay unsolicited email through them:

RCPT TO: spam_me@hotmail.com 550 5.7.1 Unable to relay for spam_me@hotmail.com

The following Microsoft KB articles discuss SMTP service configuration relating to open relays and the Exchange SMTP subsystem:

http://support.microsoft.com/?kbid=324958

http://support.microsoft.com/?kbid=310380

10.2.5 SMTP Relay and Anti-Virus Circumvention

Many organizations run inbound SMTP relay servers that can "scrub" email to detect and remove viruses, spam, and other adverse material before forwarding the email to the internal network. These services can be circumvented and bypassed in some cases, as discussed next.

In 2000, I identified a serious flaw in Clearswift MAILsweeper 4.2 that used malformed MIME headers to relay viruses without being quarantined. Since then, other security issues have been identified within MAILsweeper that can relay viruses unchecked. Table 10-3 summarizes the issues identified in MAILsweeper as listed in the ISS X-Force database at http://xforce.iss.net.

Table 10-3. MAILsweeper circumvention issues
ISS XFID	Notes
6801	MAILsweeper 4.2 and prior "file blocker" filter bypass
11495	MAILsweeper 4.3.7 and prior MIME encapsulation filter bypass
11745	MAILsweeper 4.3.6 SP1 and prior "on strip successful" filter bypass

The malformed MIME headers issue was reported to the vendor in February 2001 and is listed in Table 10-3 as the "file blocker" filter bypass. The technique was extremely simple, involving two MIME fields related to email attachments (filename and name).

Example 10-10 shows a legitimate email message and attachment generated by Outlook or any current email client, from john@example.org to mickey@example.org with the text/plain attachment report.txt.

Example 10-10. A standard Outlook generated email message with an attachment

From: John Smith <john@example.org> To: Mickey Mouse <mickey@example.org>  Subject: That report Date: Thurs, 22 Feb 2001 13:38:19 -0000  MIME-Version: 1.0  X-Mailer: Internet Mail Service (5.5.23)  Content-Type: multipart/mixed ;  boundary="----_=_NextPart_000_02D35B68.BA121FA3"  Status: RO  This message is in MIME format. Since your mail reader doesn't  understand this format, some or all of this message may not be legible.  - ------_=_NextPart_000_02D35B68.BA121FA3  Content-Type: text/plain; charset="iso-8859-1"  Mickey, Here's that report you were after. - ------_=_NextPart_000_02D35B68.BA121FA3 Content-Type: text/plain;          name="report.txt" Content-Disposition: attachment;         filename="report.txt" < data for the text document here > - ------_=_NextPart_000_02D35B68.BA121FA3

The vulnerability exists in the way that the MAILsweeper SMTP relay and Outlook email clients open the report.txt file. The MAILsweeper gateway reads the name value (report.txt) when processing and scanning the file for viruses and malicious code, and the Outlook client reads the filename value (report.txt) when opening and processing the file on the user desktop.

Any type of malicious virus or Trojan horse program can pass through this filter and make its way to the user desktop by modifying the MIME name and filename values. To send a malicious executable, set the name to an unobjectionable value that won't be processed for virus code (report.txt) and the filename value to a type that won't be executed client-side (report.vbs), as shown here:

- ------_=_NextPart_000_02D35B68.BA121FA3  Content-Type: text/plain;          name="report.txt"  Content-Disposition: attachment;          filename="report.vbs"

There are plenty of these issues within filtering packages such as MIMEsweeper. It is therefore important that networks are set up with defense in depth, to prevent known viruses from being pushed through such filters and making their way to the user desktop.

To learn more, check CVE-2002-1121 in the MITRE CVE list at http://cve.mitre.org, which relates to RFC2046 message fragmentation and assembly. The following SMTP gateway products are susceptible to mail-fragmentation issues:

GFI MailSecurity for Exchange prior to Version 7.2
InterScan VirusWall prior to Version 3.52 build 1494
MIMEDefang prior to Version 2.21