Chapter 11. Assessing Email Services

Email services serve and relay email messages across the Internet and private networks. By their nature, these services open channels between the Internet and the corporate network, which determined attackers abuse to compromise internal networks. This chapter defines a strategy for assessing email services through accurate service identification, enumeration of enabled options, and testing for known issues.

Email Service Protocols

Common ports used for email delivery and collection through SMTP, POP-2, POP-3, and IMAP are as follows:

smtp            25/tcp
pop2            109/tcp
pop3            110/tcp
imap2           143/tcp
submission      587/tcp

SSL-wrapped versions of these mail services are often found running on the following ports:

smtps           465/tcp
imaps           993/tcp
pop3s           995/tcp

An SSL tunnel must first be established (using a tool such as stunnel) to assess these services. Then, standard assessment tools can be used through the SSL tunnel to test the services.

SMTP

Most organizations with an Internet presence use email to communicate and to do business. Simple Mail Transfer Protocol (SMTP) servers provide email transport via software packages such as Sendmail, Microsoft Exchange, Lotus Domino, and Postfix. Here I discuss the techniques used to identify and exploit SMTP services.

SMTP Service Fingerprinting

Accurate identification of the SMTP service enables you to make sound decisions and efficiently assess the target system. Two tools in particular perform a number of tests to ascertain the SMTP service in use:

smtpmap (http://freshmeat.net/projects/smtpmap/)
smtpscan (http://www.greyhats.org/outils/smtpscan/smtpscan-0.2.tar.gz)

Both tools are launched from Unix-like platforms. Example 11-1 shows the smtpmap tool in use, identifying the mail service on mail.trustmatta.com as Lotus Domino 5.0.9a.

Example 11-1. The smtpmap tool in use
$ smtpmap mail.trustmatta.com
smtp-map 0.8

Scanning mail.trustmatta.com ( [ 192.168.0.1 ] mail )
100 % done scan

According to configuration the server matches the following :
  Version                                       Probability
Lotus Domino Server 5.0.9a                      100 %
Microsoft MAIL Service, Version: 5.5.1877.197.1 90.2412 %
Microsoft MAIL Service, Version: 5.0.2195.2966  87.6661 %

According to RFC the server matches the following :
  Version                                       Probability
Lotus Domino Server 5.0.9a                      100 %
AnalogX Proxy 4.10                              85.4869 %
Sendmail 8.10.1                                 76.1912 %

Overall Fingerprinting the server matches the following :
  Version                                       Probability
Lotus Domino Server 5.0.9a                      100 %
Exim 4.04                                       67.7031 %
Exim 4.10 (without auth)                        66.7393 %

The smtpscan tool analyzes slightly different aspects of the SMTP service, predicting that the same SMTP service is Lotus Domino 5.0.8, as shown in Example 11-2.

Example 11-2. The smtpscan tool in use
$ smtpscan mail.trustmatta.com
smtpscan version 0.1

  Scanning mail.trustmatta.com (192.168.0.1) port 25
  15 tests available
  77 fingerprints in the database

...............

Result --
250:501:501:250:501:250:250:214:252:252:502:250:250:250:250
SMTP server corresponding :
  - Lotus Domino Release 5.0.8

Most of the time an accurate SMTP service banner is presented, so deep analysis isn’t required. Example 11-3 shows that the mail server is running Lotus Domino version 6 beta.

Example 11-3. The SMTP service banner for mail.trustmatta.com is revealed
$ telnet mail.trustmatta.com 25

Trying 192.168.0.1...
Connected to mail.trustmatta.com.
Escape character is '^]'.
220 mail.trustmatta.com ESMTP Service (Lotus Domino Build V65_M2)
ready at Tue, 30 Sep 2003 16:34:33 +0100

Enumerating Enabled SMTP Subsystems and Features

A number of exploitable issues in SMTP services such as Microsoft Exchange depend on support for certain Extended SMTP (ESMTP) features. These subsystems and features are enumerated by issuing an EHLO command upon connecting to the target SMTP server, as shown in Example 11-4.

Example 11-4. ESMTP subsystems on a Microsoft Exchange server
$ telnet 192.168.0.104 25

Trying 192.168.0.104...
Connected to 192.168.0.104.
Escape character is '^]'.
220 uranus.local Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready
at  Wed, 27 Jun 2007 21:38:52 +0200
EHLO world
250-uranus.local Hello [192.168.0.15]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
QUIT
221 2.0.0 uranus.local Service closing transmission channel

You can find details of Extended SMTP features online at http://en.wikipedia.org/wiki/smtp_extension.

SMTP Brute-Force Password Grinding

Upon identifying an SMTP server that supports authentication (AUTH) methods, as shown in Example 11-5, we can perform a brute-force password grinding attack to compromise valid credentials.

Example 11-5. Enumerating authentication methods using EHLO
$ telnet mail.example.org 25
Trying 192.168.0.25...
Connected to 192.168.0.25.
Escape character is '^]'.
220 mail.example.org ESMTP
EHLO world
250-mail.example.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME

The SMTP server at mail.example.org supports three very common authentication types, as follows:

  • LOGIN (plain text authentication using base64 encoding)

  • PLAIN (variant plain text authentication using base64 encoding)

  • CRAM-MD5 [MD5 shared secret authentication (RFC 2195)]

The LOGIN authentication mechanism can be attacked with THC Hydra, using its smtp-auth command-line option to perform brute-force password grinding against known user accounts. Other less common SMTP authentication mechanisms, supported by other mail servers, include:

  • DIGEST-MD5 (HTTP digest compatible challenge-response scheme [RFC 2831])

  • GSSAPI (Kerberos V authentication via the GSSAPI)

  • NTLM (Microsoft NT LAN Manager authentication [http://curl.haxx.se/rfc/ntlm.html])

  • OTP (one-time password mechanism [RFC 2444])

Unfortunately, publicly available brute-force password grinding tools don’t exist for these authentication mechanisms at this time. Deeper technical discussion of various authentication mechanisms can be undertaken through reviewing the respective RFC documents and browsing Wikipedia.
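The EHLO replies in Examples 11-4 and 11-5 can be parsed and reviewed mechanically when hardening your own servers. The following Python is an added example (not code from the book or from any tool it names): it turns a captured EHLO reply into an extension map and reports the features this chapter ties to user enumeration, known Exchange bugs, or unprotected credentials. The sample reply is constructed from Example 11-4, and `fetch_ehlo()` collects a live reply from a server you administer; the EHLO client name it sends is a hypothetical placeholder.

```python
import re
import socket
from typing import Dict, List

# Constructed EHLO reply, modelled on Example 11-4 (Microsoft ESMTP service).
SAMPLE_EHLO_REPLY = """\
250-uranus.local Hello [192.168.0.15]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
"""

EHLO_LINE = re.compile(r"^250([ -])(.*)$")

# Advertised keywords the chapter ties to user enumeration or known bugs.
RISKY_KEYWORDS = {
    "VRFY": "VRFY advertised: local accounts can be verified one at a time",
    "EXPN": "EXPN advertised: aliases and forwarding targets can be expanded",
    "TURN": "TURN advertised: legacy Exchange feature, disable it",
    "XEXCH50": "XEXCH50 advertised: see CVE-2003-0714 in Table 11-2",
    "X-LINK2STATE": "X-LINK2STATE advertised: see CVE-2005-0560 in Table 11-2",
}


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a multi-line 250 reply into {KEYWORD: [parameters]}.

    Line one is the greeting, not an extension; keywords are upper-cased
    and the legacy 'AUTH=LOGIN ...' form is folded into AUTH.
    """
    extensions: Dict[str, List[str]] = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        match = EHLO_LINE.match(line)
        if not match:
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if index == 0:
            continue
        fields = re.split(r"[ =]+", match.group(2).strip())
        keyword = fields[0].upper()
        if keyword in ("", "OK"):
            continue  # Exchange ends the list with a bare '250 OK'
        known = extensions.setdefault(keyword, [])
        for param in fields[1:]:
            if param and param.upper() not in known:
                known.append(param.upper())
    return extensions


def audit_ehlo(extensions: Dict[str, List[str]]) -> List[str]:
    """Hardening findings for an extension map from parse_ehlo()."""
    findings = [msg for kw, msg in RISKY_KEYWORDS.items() if kw in extensions]
    # X-EXPS is the Exchange-specific twin of AUTH; treat both the same way.
    mechanisms = set(extensions.get("AUTH", [])) | set(extensions.get("X-EXPS", []))
    if mechanisms:
        if "STARTTLS" not in extensions:
            findings.append("AUTH offered without STARTTLS: no way to encrypt before authenticating")
        plaintext = sorted(mechanisms & {"LOGIN", "PLAIN"})
        if plaintext:
            findings.append("plaintext SASL mechanisms offered: " + ", ".join(plaintext))
        if "NTLM" in mechanisms:
            findings.append("NTLM offered: LSASS fixes for CVE-2003-0818 and CVE-2003-0533 must be installed")
    return findings


def fetch_ehlo(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Collect a raw EHLO reply from a server you administer (live check)."""
    def read_reply(stream) -> str:
        collected = []
        while True:
            raw = stream.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            collected.append(line)
            if len(line) < 4 or line[3] == " ":  # final line of the reply
                return "\n".join(collected)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        read_reply(stream)  # 220 banner
        sock.sendall(b"EHLO audit.example\r\n")  # hypothetical client name
        reply = read_reply(stream)
        sock.sendall(b"QUIT\r\n")
    return reply
```

`audit_ehlo(parse_ehlo(fetch_ehlo("mail.example.org")))` runs the same checks against a live server.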

NTLM overflows through SMTP authentication

If NTLM authentication is supported, LSASS overflows (CVE-2003-0818 and CVE-2003-0533) can be launched to execute arbitrary code server-side. At the time of this writing, neither CORE IMPACT nor MSF support LSASS attacks through SMTP in this way, but Immunity CANVAS has an exploit for CVE-2003-0818 through SMTP, as shown here:

$ ./exploits/asn1/asn1.py

Available versions:
        0 : Autoversioning N/A
        1 : Exploit LSASS.EXE through SMB (use default, port: 445)
        2 : Exploit LSASS.EXE through IIS (use default, port: 80)
        3 : Exploit LSASS.EXE through IIS HTTPS (use default, port: 443)
        4 : Exploit LSASS.EXE through NETBIOS (use default, port: 139)
        5 : Exploit LSASS.EXE through EXCHANGE (use default, port: 25, unstable)

SMTP Open Relay Testing

Poorly configured SMTP services are used to relay unsolicited email, in much the same way as open web proxy servers. Example 11-6 shows a poorly configured Microsoft Exchange server being abused by an attacker to relay email. Increasingly, open SMTP relays exist through the use of weak passwords, which are brute-forced using the mechanisms discussed in the previous section.

Example 11-6. Sending email through mail.example.org
$ telnet mail.example.org 25
Trying 192.168.0.25...
Connected to 192.168.0.25.
Escape character is '^]'.
220 mail.example.org Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready
at  Sun, 5 Oct 2003 18:50:59 +0100
HELO
250 mail.example.org Hello [192.168.0.1]
MAIL FROM: [email protected]
250 2.1.0 [email protected] OK
RCPT TO: [email protected]
250 2.1.5 [email protected]
DATA
354 Start mail input; end with <CRLF>.<CRLF>
This is a spam test!
.
250 2.6.0 <[email protected]> Queued mail for delivery
QUIT

Most systems respond to a RCPT TO: request in the following manner if you attempt to relay unsolicited email through them:

RCPT TO: [email protected]
550 5.7.1 Unable to relay for [email protected]

Microsoft KB article 324958 (http://support.microsoft.com/?kbid=324958) describes how to secure open SMTP relays when using Microsoft Exchange.

Sendmail Assessment

Most Unix-based systems run Sendmail, including Linux, Solaris, OpenBSD, and others. Sendmail is particularly vulnerable to information leak attacks in which local account usernames can be extracted, and also process manipulation attacks in which Sendmail functions such as prescan( ) are abused to execute arbitrary code.

Sendmail information leak exposures

If the Sendmail banner is obfuscated or modified, the true version of Sendmail can usually be ascertained by issuing a HELP command, as shown in Example 11-7; in this case it reveals that the server is running Sun Microsystems Sendmail 8.9.3.

Example 11-7. Obtaining the exact version of Sendmail using HELP
$ telnet mx4.sun.com 25
Trying 192.18.42.14...
Connected to nwkea-mail-2.sun.com.
Escape character is '^]'.
220 nwkea-mail-2.sun.com ESMTP Sendmail ready at Tue, 7 Jan 2003 02:25:20 −0800 (PST)
HELO world
250 nwkea-mail-2.sun.com Hello no-dns-yet.demon.co.uk [62.49.20.20] (may be
forged), pleased to meet you
HELP
214-This is Sendmail version 8.9.3+Sun
214-Commands:
214-    HELO    MAIL    RCPT    DATA    RSET
214-    NOOP    QUIT    HELP    VRFY    EXPN
214-For more info use "HELP <topic>".
214-smtp
214-To report bugs in the implementation contact Sun Microsystems
214-Technical Support.
214-For local information contact postmaster at this site.
214 End of HELP info

Valid local user account details can be enumerated by issuing EXPN, VRFY, or RCPT TO: commands, as shown in the following examples.

EXPN.

The Sendmail EXPN command is historically used to expand details for a given email address, as shown in Example 11-8.

Example 11-8. Using EXPN to enumerate local users
$ telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 −0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
EXPN test
550 5.1.1 test... User unknown
EXPN root
250 2.1.5 <[email protected]>
EXPN sshd
250 2.1.5 sshd privsep <sshd@mail2>

By analyzing the responses to these EXPN commands, I ascertain that the test user account doesn’t exist, mail for root is forwarded to , and an sshd user account is allocated for privilege separation (privsep) purposes.

VRFY.

The Sendmail VRFY command is typically used to verify that a given SMTP email address is valid. I can abuse this feature to enumerate valid local user accounts, as detailed in Example 11-9.

Example 11-9. Using VRFY to enumerate local users
$ telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 −0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
VRFY test
550 5.1.1 test... User unknown
VRFY chris
250 2.1.5 Chris McNab <chris@mail2>

RCPT TO:.

The RCPT TO: technique is extremely effective at enumerating local user accounts on most Sendmail servers. Many security-conscious network administrators ensure that EXPN and VRFY commands don’t return user information, but RCPT TO: enumeration takes advantage of a vulnerability deep within Sendmail (one that isn’t easily removed). Example 11-10 shows standard HELO and MAIL FROM: commands being issued, along with a plethora of RCPT TO: commands to enumerate local users.

Example 11-10. Using RCPT TO: to enumerate local users
$ telnet 10.0.10.11 25
Trying 10.0.10.11...
Connected to 10.0.10.11.
Escape character is '^]'.
220 mail2 ESMTP Sendmail 8.12.6/8.12.5 ready at Wed, 8 Jan 2003 03:19:58 −0700 (MST)
HELO world
250 mail2 Hello onyx [192.168.0.252] (may be forged), pleased to meet you
MAIL FROM:[email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:admin
550 5.1.1 admin... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok

Even Sendmail services protected by a firewall SMTP proxy (such as the SMTP fixup functionality within Cisco PIX) are vulnerable to the RCPT TO: attack. Example 11-11 demonstrates how suspicious commands such as EXPN, VRFY, and HELP are filtered, but RCPT TO: enumeration is still possible.

Example 11-11. Enumerating users through a firewall SMTP proxy
$ telnet 10.0.10.10 25
Trying 10.0.10.10...
Connected to 10.0.10.10.
Escape character is '^]'.
220 ************************0*0*0*0*0*0*******2******2002********0
HELO world
250 mailserv.trustmatta.com Hello onyx [192.168.0.252], pleased to meet you
EXPN test
500 5.5.1 Command unrecognized: "XXXX test"
VRFY test
500 5.5.1 Command unrecognized: "XXXX test"
HELP
500 5.5.1 Command unrecognized: "XXXX"
MAIL FROM:[email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO:test
550 5.1.1 test... User unknown
RCPT TO:chris
250 2.1.5 chris... Recipient ok
RCPT TO:nick
250 2.1.5 nick... Recipient ok

Automating Sendmail user enumeration

Both RCPT TO: and VRFY user enumeration attacks can be automatically launched from the Brutus brute-force utility available from http://www.hoobie.net/brutus/. The Brutus program uses plug-ins known as Brutus Application Definition (BAD) files, and the following BAD files allow you to perform user enumeration attacks:

http://www.hoobie.net/brutus/smtp_vrfy_user.bad
http://www.hoobie.net/brutus/smtp_rcpt_user.bad

mailbrute is another utility that can enumerate valid user accounts through this technique. The tool, which is available from http://examples.oreilly.com/networksa/tools/mailbrute.c, can be compiled and run from any Unix-like environment.
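From the defender's side, the RCPT TO: probing shown in Examples 11-10 and 11-11 leaves a trail of 5.1.1 rejections in the Sendmail maillog. The following Python is an added example, not the book's code: it groups log lines per Sendmail child process (one per SMTP session) and flags sessions with repeated unknown-recipient rejections. The log excerpt is constructed, modelled on Sendmail's syslog output with the client from Example 11-10; the exact field wording is an assumption of this example.

```python
import re
from typing import Dict, List

# Constructed Sendmail maillog excerpt. The session at 03:19 probes five
# recipients from the host seen in Example 11-10; the session at 03:25 is a
# normal delivery with one mistyped address. Field layout is an assumption.
SAMPLE_MAILLOG = """\
Jan  8 03:19:58 mail2 sendmail[4120]: h08AJwQ1004120: <test@mail2>... User unknown
Jan  8 03:19:59 mail2 sendmail[4120]: h08AJwQ1004120: <admin@mail2>... User unknown
Jan  8 03:19:59 mail2 sendmail[4120]: h08AJwQ1004120: <webmaster@mail2>... User unknown
Jan  8 03:20:00 mail2 sendmail[4120]: h08AJwQ1004120: <guest@mail2>... User unknown
Jan  8 03:20:00 mail2 sendmail[4120]: h08AJwQ1004120: <oracle@mail2>... User unknown
Jan  8 03:20:01 mail2 sendmail[4120]: h08AJwQ1004120: from=<probe@onyx.example>, size=0, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=onyx [192.168.0.252] (may be forged)
Jan  8 03:25:10 mail2 sendmail[4188]: h08APAxx004188: <chirs@mail2>... User unknown
Jan  8 03:25:12 mail2 sendmail[4188]: h08APAxx004188: from=<alice@partner.example>, size=2231, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.partner.example [203.0.113.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): (?P<msg>.*)$"
)
UNKNOWN_RE = re.compile(r"^<(?P<rcpt>[^>]+)>\.\.\. User unknown$")
RELAY_RE = re.compile(r"relay=\S+ \[(?P<ip>[\d.]+)\]")


def detect_rcpt_probing(log_text: str, threshold: int = 3) -> List[Dict]:
    """Flag SMTP sessions with `threshold` or more unknown-recipient rejects.

    Sendmail forks one child per connection, so the pid is a workable session
    key for a short log window; the envelope line carries the client address.
    """
    sessions: Dict[str, Dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail line, or a layout we do not recognise
        s = sessions.setdefault(m.group("pid"), {
            "pid": m.group("pid"), "relay": None, "unknown": [],
            "first": m.group("ts"), "last": m.group("ts"),
        })
        s["last"] = m.group("ts")
        relay = RELAY_RE.search(m.group("msg"))
        if relay:
            s["relay"] = relay.group("ip")
        unknown = UNKNOWN_RE.match(m.group("msg"))
        if unknown:
            s["unknown"].append(unknown.group("rcpt"))
    return [s for s in sessions.values() if len(s["unknown"]) >= threshold]


if __name__ == "__main__":
    for hit in detect_rcpt_probing(SAMPLE_MAILLOG):
        print("%s probed %d unknown recipients between %s and %s: %s"
              % (hit["relay"], len(hit["unknown"]), hit["first"], hit["last"],
                 ", ".join(hit["unknown"])))
```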

Sendmail process manipulation vulnerabilities

Over the years, plenty of remote vulnerabilities have been found in Sendmail. At the time of this writing, the MITRE CVE list details the following serious vulnerabilities in Sendmail (not including denial-of-service or locally exploitable issues), as shown in Table 11-1.

Table 11-1. Remotely exploitable Sendmail vulnerabilities

CVE reference   Date         Notes
CVE-2006-0058   22/03/2006   Sendmail 8.13.5 signal handler race condition resulting in arbitrary code execution.
CVE-2004-0833   27/09/2004   Sendmail 8.12.3 Debian 3.0 sasl configuration creates SMTP open relay through default account settings.
CVE-2003-0694   17/09/2003   The prescan( ) function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code.
CVE-2003-0161   29/03/2003   The prescan( ) function in Sendmail before 8.12.9 doesn’t properly handle certain conversions from char and int types, causing denial of service or possible execution of arbitrary code.
CVE-2002-1337   03/03/2003   Buffer overflow in Sendmail 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, as processed by the crackaddr( ) function of headers.c.
CVE-2002-0906   28/06/2002   Sendmail 8.12.4 and earlier, if running in a nondefault configuration, can be compromised by an attacker using an authoritative DNS server to provide a malformed TXT record to the mail server upon connecting.
CVE-1999-1506   29/01/1990   Vulnerability in SMI Sendmail 4.0 and earlier, on SunOS up to 4.0.3, allows remote bin access.
CVE-1999-0206   08/10/1996   MIME overflow in Sendmail 8.8.0 and 8.8.1.
CVE-1999-0204   23/02/1995   Sendmail 8.6.9 remote ident overflow.
CVE-1999-0163   Unknown      In older versions of Sendmail, an attacker could use a pipe character to execute root commands.
CVE-1999-0047   01/01/1997   MIME overflow in Sendmail 8.8.3 and 8.8.4.

Sendmail exploit scripts

Exploit scripts for these vulnerabilities are publicly available from archive sites such as Packet Storm (http://www.packetstormsecurity.org). At the time of this writing, neither MSF nor Immunity CANVAS support any of these Sendmail issues. CORE IMPACT supports CVE-2002-1337 (Sendmail 8.12.7 crackaddr( ) overflow).

Microsoft SMTP Service Assessment

A number of serious remotely exploitable issues have been identified in the Microsoft Exchange SMTP service over the last few years. A number of zero-day denial-of-service issues also exist in Microsoft Exchange at the time of this writing, one of which is found in the Argeniss exploit pack for Immunity CANVAS. In light of this, it is not advisable to run the service exposed to the public Internet. Table 11-2 lists remotely exploitable issues as found in MITRE CVE at the time of this writing.

Table 11-2. Remotely exploitable Microsoft Exchange SMTP vulnerabilities

CVE reference   Date         Notes
CVE-2007-0213   08/05/2007   Exchange Server 2007 base64-encoded MIME message overflow.
CVE-2006-0027   09/05/2006   Exchange Server 2003 SP2 message calendar (iCal) attachment heap overflow.
CVE-2006-0002   10/01/2006   Exchange Server 2000 SP3 TNEF MIME attachment overflow.
CVE-2005-0560   12/04/2005   Exchange Server 2003 X-LINK2STATE command overflow.
CVE-2005-0044   08/02/2005   Exchange Server 2003 OLE data input validation vulnerability.
CVE-2004-0840   12/10/2004   Windows Server 2003 and Exchange 2003 SMTP engine DNS response overflow.
CVE-2003-0714   15/10/2003   Exchange Server 2000 allows remote attackers to execute arbitrary code via a crafted XEXCH50 request.
CVE-2002-0698   25/07/2002   Exchange Server 5.5 allows remote attackers to execute arbitrary code via an EHLO request from a system with a long name as obtained through a reverse DNS lookup, triggering a buffer overflow.
CVE-2002-0055   27/02/2002   SMTP service in Windows 2000, Windows XP Professional, and Exchange Server 2000 malformed BDAT command denial-of-service vulnerability.
CVE-2002-0054   27/02/2002   SMTP service in Windows 2000 and Exchange Server 5.5 allows mail relay through a null AUTH command.
CVE-2000-1006   31/10/2000   Exchange Server 5.5 malformed MIME header denial-of-service vulnerability.
CVE-1999-1043   24/07/1998   Exchange Server 5.5 malformed SMTP data denial-of-service vulnerability.
CVE-1999-0945   24/07/1998   Exchange Server 5.5 AUTH and AUTHINFO denial-of-service vulnerability.
CVE-1999-0682   06/08/1999   Exchange Server 5.5 allows a remote attacker to relay email using encapsulated SMTP addresses.
CVE-1999-0284   01/01/1998   Exchange Server 5.0 HELO denial-of-service bug.

Microsoft Exchange Server exploit scripts

Exploit scripts for these vulnerabilities are publicly available from archive sites such as Packet Storm (http://www.packetstormsecurity.org). At the time of this writing, MSF only supports CVE-2003-0714 (XEXCH50 overflow). Immunity CANVAS supports CVE-2003-0714 and CVE-2005-0560 (X-LINK2STATE overflow), and CORE IMPACT supports CVE-2003-0714, CVE-2005-0560, and CVE-2006-0027 (iCal attachment heap overflow).

GLEG VulnDisco doesn’t cover any Microsoft Exchange Server issues at this time, but the Argeniss 0day ultimate exploits pack contains a zero-day, unpatched, DoS exploit for Exchange Server 2003 and a DoS exploit for a known bug in Exchange Server 2000 (CVE-2007-0213).

SMTP Content Checking Circumvention

Many organizations run inbound SMTP relay servers that can scrub email to detect and remove viruses, spam, and other adverse material before forwarding the email message to the internal network. These services can be circumvented and bypassed in some cases, as discussed next.

In 2000, I identified a serious flaw in Clearswift MAILsweeper 4.2 that used malformed MIME headers to relay viruses without being quarantined. Since then, other security issues have been identified within MAILsweeper that can relay viruses unchecked. Table 11-3 summarizes the issues identified in MAILsweeper as listed in the MITRE CVE list at http://cve.mitre.org.

Table 11-3. MAILsweeper circumvention issues

CVE reference(s)                                  Date         Notes
CVE-2006-3215 and CVE-2006-3216                   21/06/2006   MAILsweeper 4.3.19 character set security bypass issues
CVE-2003-1154                                     05/11/2003   MAILsweeper 4.3.9 zip archive processing vulnerability
CVE-2003-0928, CVE-2003-0929, and CVE-2003-0930   07/08/2003   MAILsweeper 4.3.14 multiple issues relating to processing compressed archive attachments
CVE-2003-1330                                     03/02/2003   MAILsweeper 4.3.6 SP1 and prior “on strip successful” filter bypass
CVE-2003-0121                                     03/03/2003   MAILsweeper 4.3.7 and prior MIME encapsulation filter bypass
CVE-2001-1581                                     10/04/2001   MAILsweeper 4.2 and prior “file blocker” filter bypass

The malformed MIME headers issue was reported to the vendor in February 2001 and is listed in Table 11-3 as CVE-2003-1330. The technique was extremely simple, involving two MIME fields related to email attachments (filename and name).

Example 11-12 shows a legitimate email message and attachment generated by Outlook or any current email client, from [email protected] to [email protected] with the text/plain attachment report.txt.

Example 11-12. A standard Outlook-generated email message with an attachment
From: John Smith <[email protected]>
To: Mickey Mouse <[email protected]>
Subject: That report
Date: Thurs, 22 Feb 2001 13:38:19 −0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.23)
Content-Type: multipart/mixed;
        boundary="----_=_NextPart_000_02D35B68.BA121FA3"
Status: RO

This message is in MIME format. Since your mail reader doesn't
understand this format, some or all of this message may not be
legible.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

Mickey,

Here's that report you were after.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
        name="report.txt"
Content-Disposition: attachment;
        filename="report.txt"

< data for the text document here >

------_=_NextPart_000_02D35B68.BA121FA3--

The vulnerability exists in the way that the MAILsweeper SMTP relay and Outlook email clients open the report.txt file. The MAILsweeper gateway reads the name value (report.txt) when processing and scanning the file for viruses and malicious code, and the Outlook client reads the filename value (report.txt) when opening and processing the file on the user desktop.

Any type of malicious virus or Trojan horse program can pass through this filter and make its way to the user desktop by modifying the MIME name and filename values. To send a malicious executable, set the name to an unobjectionable value that won’t be processed for virus code (report.txt) and the filename value to a type that won’t be executed client-side (report.vbs), as shown here:

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
        name="report.txt"
Content-Disposition: attachment;
        filename="report.vbs"

There are plenty of these issues within filtering packages such as MAILsweeper. It is therefore important that networks are set up with defense in depth to prevent known viruses from being pushed through such filters and making their way to the user desktop.
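The name/filename disagreement described above can be caught at the gateway by reading both values before the attachment is scanned. The following Python is an added example (not MAILsweeper's code, nor the book's): it builds a message in the shape of Example 11-12, with constructed addresses, and flags any attachment whose Content-Type name and Content-Disposition filename disagree, or that carries an extension the desktop would execute; the executable-extension set is an illustrative assumption.

```python
import email
import email.utils
import os
from email.message import Message
from typing import List, Optional

BOUNDARY = "----_=_NextPart_000_02D35B68.BA121FA3"

# Illustrative set of extensions the client side would run (assumption).
EXECUTABLE_EXTENSIONS = {".vbs", ".exe", ".scr", ".bat", ".cmd", ".js", ".pif", ".com"}


def build_message(name: str, filename: str) -> str:
    """Construct a message in the shape of Example 11-12 (addresses invented)
    with the given Content-Type name= and Content-Disposition filename=."""
    return (
        "From: John Smith <john.smith@example.org>\n"
        "To: Mickey Mouse <mickey@example.com>\n"
        "Subject: That report\n"
        "Date: Thu, 22 Feb 2001 13:38:19 -0000\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/mixed;\n"
        '\tboundary="%s"\n'
        "\n"
        "This message is in MIME format.\n"
        "\n"
        "--%s\n"
        'Content-Type: text/plain; charset="iso-8859-1"\n'
        "\n"
        "Mickey,\n"
        "\n"
        "Here's that report you were after.\n"
        "\n"
        "--%s\n"
        "Content-Type: text/plain;\n"
        '\tname="%s"\n'
        "Content-Disposition: attachment;\n"
        '\tfilename="%s"\n'
        "\n"
        "< data for the text document here >\n"
        "\n"
        "--%s--\n"
    ) % (BOUNDARY, BOUNDARY, BOUNDARY, name, filename, BOUNDARY)


def _param(part: Message, param: str, header: str) -> Optional[str]:
    """Read one MIME parameter, collapsing RFC 2231 encoded values."""
    value = part.get_param(param, header=header)
    if value is None:
        return None
    if isinstance(value, tuple):
        value = email.utils.collapse_rfc2231_value(value)
    return value.strip()


def check_message(raw: str) -> List[str]:
    """Findings for attachments whose scanner-side name (Content-Type name=)
    and client-side name (Content-Disposition filename=) disagree, or that
    would run as code on the desktop under either name."""
    findings: List[str] = []
    for index, part in enumerate(email.message_from_string(raw).walk()):
        if part.get_content_maintype() == "multipart":
            continue
        name = _param(part, "name", "content-type")
        filename = _param(part, "filename", "content-disposition")
        if name is None and filename is None:
            continue  # plain body text, nothing to name-check
        ext_name = os.path.splitext(name or "")[1].lower()
        ext_file = os.path.splitext(filename or "")[1].lower()
        if name and filename and ext_name != ext_file:
            findings.append("part %d: name=%r but filename=%r; scanner and client would treat the attachment as different types" % (index, name, filename))
        # Judge the attachment by every name the client might use, not only
        # the one the scanner happens to read.
        if {ext_name, ext_file} & EXECUTABLE_EXTENSIONS:
            findings.append("part %d: executable attachment (name %r, filename %r) declared as %s" % (index, name, filename, part.get_content_type()))
    return findings


if __name__ == "__main__":
    for finding in check_message(build_message("report.txt", "report.vbs")):
        print(finding)
```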

To learn more, check CVE-2002-1121 in the MITRE CVE list at http://cve.mitre.org, which relates to RFC 2046 message fragmentation and assembly. The following SMTP gateway products are susceptible to mail-fragmentation issues:

  • GFI MailSecurity for Exchange prior to version 7.2

  • InterScan VirusWall prior to version 3.52 build 1494

  • MIMEDefang prior to version 2.21

POP-2 and POP-3

Post Office Protocol 2 and 3 (POP-2 and POP-3) are end user email services. POP-2 services are very rare nowadays, as most organizations use POP-3, which listens on TCP port 110 (or port 995 if using SSL or TLS to provide network encryption). Common POP-3 email services include Qualcomm QPOP (also known as qpopper; it runs on many Unix platforms) and the POP-3 component of Microsoft Exchange. These services are traditionally vulnerable to brute-force password grinding and process manipulation attacks.

POP-3 Brute-Force Password Grinding

After performing enumeration and identifying local user accounts through Sendmail and other avenues, it is trivial to perform a brute-force password grinding attack. As I’ve discussed throughout the book so far, tools such as Brutus and THC Hydra are used to perform fast brute-force password grinding attacks.

Most POP-3 services are susceptible to brute-force password grinding, for the following reasons:

  • They don’t pay attention to account lockout policies.

  • They allow a large number of login attempts before disconnecting.

  • They don’t log unsuccessful login attempts.

Many specific Unix-based POP-3 brute-force tools exist and can be found in the Packet Storm archive, including:

http://packetstormsecurity.org/groups/adm/adm-pop.c
http://packetstormsecurity.org/crackers/pop_crack.tar.gz
http://packetstormsecurity.org/crackers/hv-pop3crack.pl

POP-3 Process Manipulation Attacks

Both unauthenticated and authenticated process manipulation attacks pose a serious threat to security. Most users who pick up email via POP-3 shouldn’t be allowed to execute arbitrary commands on the POP-3 server; however, they can do so via post-authentication overflows in user commands such as LIST, RETR, or DELE.

Qualcomm QPOP process manipulation vulnerabilities

At the time of this writing, the MITRE CVE list details a handful of vulnerabilities in Qualcomm QPOP (not including denial-of-service issues), as shown in Table 11-4. Serious post-authentication vulnerabilities are also listed in Table 11-4 because they allow users to execute arbitrary code on the server.

Table 11-4. Remotely exploitable QPOP vulnerabilities

CVE reference   Date         Notes
CVE-2003-0143   10/03/2003   QPOP 4.0.5fc1 post-authentication MDEF macro name overflow
CVE-2001-1046   02/06/2001   QPOP 4.0.2 USER command overflow
CVE-2000-0442   23/05/2000   QPOP 2.53 post-authentication EUIDL overflow
CVE-2000-0096   26/01/2000   QPOP 3.0 post-authentication LIST overflow
CVE-1999-0822   29/11/1999   QPOP 3.0 AUTH command overflow
CVE-1999-0006   28/06/1998   QPOP 2.5 PASS command overflow

Public exploits for these issues are packaged and available at http://examples.oreilly.com/networksa/tools/qpop-exploits.zip. At the time of this writing, there are no public exploits for the USER overflow (CVE-2001-1046). MSF, Immunity CANVAS, and CORE IMPACT have no support for QPOP issues at this time.

Microsoft Exchange POP-3 process manipulation vulnerabilities

At the time of this writing, no serious remotely exploitable vulnerabilities are known in the Microsoft Exchange POP-3 server. Upon scouring the MITRE CVE list, ISS X-Force database, and CERT knowledge base, no publicized bugs were found. This fact may well change over time, so it is important to check these vulnerability lists to assure the security of this service component into the future.

IMAP

Internet Message Access Protocol (IMAP) services are commonly found running on TCP port 143. The IMAP protocol is much like POP-3; a user authenticates with a plaintext network service and can then collect and manage her email.

Most accessible IMAP servers on the Internet today run the Washington University IMAP service (known as both UW IMAP and WU-IMAP, available from http://www.washington.edu/imap/), along with Courier IMAP (http://www.courier-mta.org/imap/) and Microsoft Exchange IMAP.

IMAP Brute Force

As with many other simple plaintext protocols (Telnet, FTP, POP-3, etc.), Brutus and THC Hydra do a good job of brute-forcing user account passwords from both Unix-based and Windows environments. As mentioned earlier, they can be downloaded from:

http://www.hoobie.net/brutus/brutus-download.html
http://www.thc.org/releases.php

IMAP services, like POP-3, are notoriously susceptible to brute-force password-grinding attacks, as they often do not pay attention to account lockout policies and often do not log failed authentication attempts.

IMAP Process Manipulation Attacks

Table 11-5 lists remotely exploitable UW IMAP and Courier IMAP vulnerabilities, along with MITRE CVE references. At this time, no significant remotely exploitable issues exist in Microsoft Exchange IMAP, according to a number of sources. A number of other issues relate to many other third-party IMAP services that are less common and can be found by searching MITRE CVE manually.

Table 11-5. Remotely exploitable IMAP vulnerabilities

CVE reference   Date         Notes
CVE-2005-2933   04/10/2005   UW IMAP 2004f mailbox name overflow
CVE-2005-0198   28/01/2005   UW IMAP 2004b CRAM-MD5 authentication bypass
CVE-2004-0777   18/08/2004   Courier IMAP 2.2.1 authentication logging format string bug
CVE-2004-0224   11/03/2004   Courier IMAP 2.x unicode character conversion overflow
CVE-2002-0379   10/05/2002   UW IMAP 2000c post-authentication BODY command overflow
CVE-2000-0284   16/04/2000   UW IMAP 4.7 (IMAP4rev1 12.264) post-authentication LIST command overflow
CVE-1999-0042   02/03/1997   UW IMAP 4.1beta LOGIN command overflow
CVE-1999-0005   17/07/1998   UW IMAP 4 (IMAP4rev1 10.234) AUTHENTICATE command overflow

UW IMAP exploit scripts

The following public exploit scripts are available for a number of these vulnerabilities in the accompanying tools archive for this book (http://examples.oreilly.com/networksa/tools/). These exploit scripts are detailed in Table 11-6.

Table 11-6. Publicly available UW IMAP exploit scripts

CVE reference   UW IMAP version     Target platform(s)   Exploit script
CVE-1999-0042   IMAP4rev1 v10.164   Linux & BSD          imaps.tar.gz
CVE-1999-0005   IMAP4rev1 v10.223   Linux                imapd-ex.c
CVE-1999-0005   IMAP4rev1 v10.223   Linux                imapx.c
CVE-1999-0005   IMAP4rev1 v10.223   Linux                imap.c
CVE-1999-0005   IMAP4rev1 v10.205   Solaris (x86)        solx86-imapd.c

The original BugTraq posting and technical details relating to CVE-1999-0005, including the exploit, are available from http://packetstormsecurity.org/new-exploits/imapd4.txt.

CORE IMPACT has no support for UW IMAP or Courier IMAP issues at this time, but it has support for a number of Cyrus IMAP, Lotus Domino IMAP, and MDaemon IMAP issues. Immunity CANVAS also has no UW IMAP or Courier IMAP support, but it has exploit modules for a number of third-party IMAP packages, including MDaemon IMAP and Ipswitch IMAIL IMAP.

MSF supports a very large number of IMAP issues in its stable branch, which can be reviewed at http://framework.metasploit.com/exploits/list.

Email Services Countermeasures

The following countermeasures should be considered when hardening email services:

  • Don’t run Sendmail or Microsoft Exchange in high-security environments because the software contains many bugs and is heavily bloated. Sound Unix-based alternatives include qmail (http://www.qmail.org) and exim (http://www.exim.org), neither of which is as complex or susceptible to Internet-based attacks. It is advisable to use firewall-secure SMTP services and proxies or dedicated mail-scrubbing appliances to process Internet-based SMTP traffic before passing it onto Sendmail or Microsoft Exchange servers.

  • To minimize the impact of a user enumeration and password-grinding attack, ensure that all user accounts on SMTP and POP-3 mail servers have strong passwords. Ideally, SMTP servers shouldn’t also run remote maintenance or email pickup services to the public Internet.

  • If you do offer public POP-3 or IMAP mail services, investigate their resilience from brute-force attack, including logging provisions and whether an account lockout policy can be deployed.

  • Using SSL-wrapped versions of POP-3 and IMAP services minimizes the risk of plaintext user account passwords being sniffed. Plaintext services are open to determined attack, so you need either SSL or VPN client software to protect both passwords and the email data sent from point to point.

  • Ensure that inbound commercial SMTP relay and anti-virus scanners (such as Clearswift MAILsweeper and InterScan VirusWall) are patched and maintained to prevent circumvention attacks from being effective.
