Computer Security and Penetration Testing Chapter 14 Mail Vulnerabilities

Upload: domenic-quinn

Post on 26-Dec-2015


Page 1: Computer Security and Penetration Testing Chapter 14 Mail Vulnerabilities

Computer Security and Penetration Testing

Chapter 14: Mail Vulnerabilities


Objectives

• Define SMTP vulnerabilities

• Outline IMAP vulnerabilities

• Explain POP vulnerabilities

• Identify some specific server application vulnerabilities


Objectives (continued)

• List types of e-mail-related attacks

• Identify some specific browser-based vulnerabilities

• Discuss protection measures


Major Mail Protocols

• Main protocols supporting e-mail systems

– SMTP

– IMAP

– POP


Simple Mail Transfer Protocol (SMTP)

• Simple Mail Transfer Protocol (SMTP)

– Transfers e-mail messages from one server to another or from a client computer to a server

• An e-mail client using either Post Office Protocol (POP) or IMAP can then retrieve the messages

• SMTP uses the concept of spooling

– SMTP stores the e-mail message in a buffer called the SMTP queue


Simple Mail Transfer Protocol (SMTP) (continued)

• If the intended recipient of the e-mail message is unavailable

– Server attempts to send the message later

• End-to-end delivery

– Holding all messages in the spool until they can be delivered


Simple Mail Transfer Protocol (SMTP) (continued)

• The SMTP Model

– To deliver an e-mail message

• Client computer must establish a TCP connection with port 25 of the destination computer

– If the destination computer is unavailable

• Server sends a single-line text message to the client computer

– If the server accepts the message from the client

• It will send details about the sender and the receiver of the e-mail message


Simple Mail Transfer Protocol (SMTP) (continued)

• The SMTP Model (continued)

– If the recipient exists at any of the destination mailboxes

• Server will copy the e-mail messages into the appropriate mailboxes

– If an e-mail message cannot be delivered

• An error report is returned to the client computer

– If more e-mail messages have to be sent

• Client computer continues with the connection to the server


Simple Mail Transfer Protocol (SMTP) (continued)

• The SMTP Model (continued)

– SMTP Commands

• HELO or EHLO

• MAIL

• RCPT

• DATA

• RSET

• VRFY

• EXPN

• QUIT


Simple Mail Transfer Protocol (SMTP) (continued)

• SMTP Vulnerabilities

– Hackers scan the Internet for any incorrectly configured SMTP servers

– Hackers can exploit the server in two ways:

• The attacker can send mail anonymously

• Hackers can also send the SMTP server a single e-mail with the intention of reaching hundreds, thousands, or even millions of users

– Hackers can use several commands to exploit SMTP servers


Simple Mail Transfer Protocol (SMTP) (continued)

• SMTP Vulnerabilities (continued)

– Buffer overflows

• Hackers may try to overflow the buffer of the user’s system

• A very long username, password, or file name is sent to the server

– Using the HELO, MAIL or RCPT commands

– Backdoor entry

• Permits hackers to take complete control of a mail system

• Wiz commands can open a back door


Simple Mail Transfer Protocol (SMTP) (continued)

• SMTP Vulnerabilities (continued)

– Scanning e-mail servers

• EXPN and VRFY may allow attackers to acquire information from an e-mail server

– Spamming e-mail servers

• Attacker sends a single e-mail message to a large number of recipients

• Hacker attempts to attack a mail server by sending large numbers of RCPT commands to it


Simple Mail Transfer Protocol (SMTP) (continued)

• SMTP Vulnerabilities (continued)

– Spamming e-mail servers (continued)

• May result in any of the following attacks

– Denial-of-service (DoS) attack

– User-account attack

– Spam-relay attack

– Sending corrupt MAIL commands

– Manipulating commands such as EXPN or VRFY

– Third-party mail relay

• Most corporate mail servers do not allow third-party mail relaying
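The SMTP model, its command set, and the server-side checks the vulnerability slides motivate (no third-party relay, no VRFY/EXPN disclosure, a cap on RCPT commands), worked as one added example that is constructed here and is not code from the textbook: a minimal in-process SMTP command handler that returns the server's single-line reply for each client line. The host name mail.example.com, the LOCAL_DOMAINS set and the MAX_RCPT limit are assumptions.

```python
"""Minimal SMTP command state machine (constructed teaching example, not the textbook's
code): the HELO/MAIL/RCPT/DATA/QUIT dialogue plus relay denial, VRFY/EXPN muting, RCPT cap."""
LOCAL_DOMAINS = {"example.com"}  # assumption: domains this server accepts mail for
MAX_RCPT = 3                     # assumption: recipients allowed per message

class SmtpSession:
    def __init__(self):
        self.helo, self.sender, self.rcpts = None, None, []
        self.in_data, self.body = False, []
        self.delivered = []      # (sender, recipients, body) tuples accepted so far

    def _reset(self):
        self.sender, self.rcpts, self.body = None, [], []

    def handle(self, line):
        """Return the server's single-line reply to one client line."""
        if self.in_data:                       # message text runs until a lone "."
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, self.rcpts, "\n".join(self.body)))
                self._reset()
                return "250 OK: queued"
            self.body.append(line[1:] if line.startswith(".") else line)  # dot-unstuff
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 mail.example.com Hello {arg}"
        if verb == "QUIT":
            return "221 Bye"
        if self.helo is None:
            return "503 Send HELO/EHLO first"
        if verb == "MAIL":
            self._reset()
            self.sender = arg[5:].strip("<> ")          # text after "FROM:"
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            addr = arg[3:].strip("<> ")                 # text after "TO:"
            if addr.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
                return "554 Relay access denied"        # no third-party relay
            if len(self.rcpts) >= MAX_RCPT:
                return "452 Too many recipients"        # blunts RCPT flooding
            self.rcpts.append(addr)
            return "250 OK"
        if verb == "DATA":
            self.in_data = bool(self.rcpts)
            return "354 End data with <CR><LF>.<CR><LF>" if self.rcpts else "503 Need RCPT command"
        if verb == "RSET":
            self._reset()
            return "250 OK"
        if verb in ("VRFY", "EXPN"):
            return "252 Cannot verify user"             # no account or list enumeration
        return "500 Command not recognized"

def run_session(client_lines):
    session = SmtpSession()
    return session, [(line, session.handle(line)) for line in client_lines]
```

run_session returns the session plus a (client line, server reply) transcript, so a whole dialogue can be inspected after the fact.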


Internet Message Access Protocol (IMAP)

• Internet Message Access Protocol (IMAP)

– E-mail client protocol which can be used to retrieve e-mail messages from a mail server

• Role of IMAP

– The functions of IMAP include:

• Allowing users to read, edit, reply to, forward, create, and move e-mail messages

• Creating, deleting, and renaming mailboxes

• Checking for new e-mail messages

• Deleting e-mail messages


Internet Message Access Protocol (IMAP) (continued)

• Role of IMAP (continued)

– To provide security to users, IMAP is designed to:

• Be compatible with Internet messaging standards

• Enable message access and management from more than one computer

• Permit access without depending on less efficient file access protocols

• Support concurrent access to all shared mailboxes


Internet Message Access Protocol (IMAP) (continued)

• IMAP Vulnerabilities

– IMAP is susceptible to buffer overflow conditions

– IMAP supports various authentication mechanisms, including CRAM-MD5

– A logic flaw in CRAM-MD5 allows a remote attacker

• To gain unauthorized access to another user’s e-mail

– Hackers are able to obtain super-user access to the mail server because the server process runs as root

– Firewalls or filtering routers could protect the server from attacks
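The CRAM-MD5 mechanism named above, shown as an added example that is constructed here and is not code from the textbook: both sides of the IMAP challenge/response exchange plus the server-side check. The USERS table and the host name imap.example.com are assumptions, and the block illustrates the mechanism as specified, not the particular logic flaw the slide refers to.

```python
"""CRAM-MD5 challenge/response as used by IMAP AUTHENTICATE: a constructed
teaching example, not code from the textbook. The server issues a fresh
challenge, the client answers with its username and HMAC-MD5(password,
challenge), and the server recomputes the digest and compares."""
import base64
import hashlib
import hmac
import os
import time

# assumption: the server stores the cleartext password (CRAM-MD5 needs it; one
# reason to prefer TLS plus a salted-hash mechanism on modern deployments)
USERS = {"alice": "correct horse battery staple"}

def make_challenge(hostname="imap.example.com"):
    """Server side: RFC 2195 style '<random.timestamp@host>', base64 encoded."""
    raw = f"<{int.from_bytes(os.urandom(8), 'big')}.{int(time.time())}@{hostname}>"
    return base64.b64encode(raw.encode()).decode()

def client_response(challenge_b64, username, password):
    """Client side: base64('username ' + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def server_verify(challenge_b64, response_b64):
    """Server side: return the authenticated username, or None.

    The digest is computed even for unknown users and compared in constant
    time, so response timing does not reveal which account names exist."""
    try:
        username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    except ValueError:                 # bad base64 or bad UTF-8
        return None
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(USERS.get(username, "").encode(), challenge, hashlib.md5).hexdigest()
    if username in USERS and hmac.compare_digest(expected, digest):
        return username
    return None
```

Because the digest is bound to one challenge, a response captured from one session does not verify against the next challenge; the password itself never crosses the wire.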


Server Application Vulnerabilities

• Some exploits are associated with specific mail-server applications


Microsoft Exchange Server

• Known vulnerabilities affect various versions of

– Microsoft Exchange Server

– Windows 2000 Advanced Server

– Windows 2000 Datacenter Server


Microsoft Exchange Server (continued)

• Vulnerabilities

– Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability, 2006

– Microsoft Exchange Server Calendar Remote Code Execution Vulnerability, 2006

– Microsoft Exchange Server 2003 Exchange Information Store Denial of Service Vulnerability, 2005

– Microsoft Exchange Server 2003 Outlook Web Access Random Mailbox Access Vulnerability, 2004


IBM Lotus Domino Notes

• Vulnerabilities

– IBM Lotus Domino Multiple TuneKrnl Local Privilege Escalation Vulnerabilities, 2006

– iDefense Security Advisory 11.08.06: IBM Lotus Domino 7, 2006

– IBM Lotus Domino Web Access Session Hijacking Vulnerability (Vulnerabilities), 2006

– Session Token Remains Valid After Logout in IBM Lotus Domino Web Access, 2006


E-mail Attacks

• E-mail attacks include:

– List linking

– E-mail bombing

– Spamming

– Sniffing and spoofing

– E-mail attachments

– 419s

– Scams

– Phishing


List Linking

• Similar to e-mail bombing

• Involves enrolling potentially hundreds of target users

– Through e-mail lists and distributed e-mail message systems

• Theory behind this voluntary mail-flooding

– Subjects of the messages are interesting to the member


E-mail Bombing

• Sending an identical e-mail repeatedly to the target user

• May exceed the storage or bandwidth of some e-mail accounts

• Mail Bomber

– An e-mail bombing utility that was distributed in a file called bomb02.zip

– Certain e-mail bombing utilities are used on any system that supports SMTP servers

• Other utilities are specialized


E-mail Spamming

• Many people use the term spam to mean any e-mail they don’t like or did not request

• Spam is commercial or nuisance e-mail with no effective opt-out system

• E-mail spamming is nearly impossible to prevent

– Because all users have their own definition of what constitutes spam

• Spamming can be considered a security hazard

– Especially if spammers use corporate e-mail servers to relay their messages


E-mail Sniffing and Spoofing

• Packet sniffers are able to collect all of the unencrypted data traveling on a network

– All POP3 e-mail requests will show the attacker the username and password in plain text

• E-mail spoofing is a way of tampering with e-mail

– So that the message received appears to be from a known and trusted person

• When it is actually sent by an impostor

• The person being imitated is unaware


E-mail Attachments

• Attachments to e-mail can contain worms and viruses

• Worms can mail themselves to all the e-mail addresses in your address book

• E-mails to which worms attach themselves are often extremely poorly written

• If the victim opens the e-mail, the worm spreads


419s, Scams, and Phishing

• 419 or Advance Fee Fraud

– Named after the relevant section of the Criminal Code of Nigeria referring to “Advance Fee Fraud”

– Occurs when the victim pays money to someone in anticipation of receiving something of greater value

• Other Scams

– Bad-check scams

• Victim is asked to agree to receive money for an offshore company that cannot get it otherwise

• The victim is offered 10% of the money


419s, Scams, and Phishing (continued)

• Phishing

– Uses e-mails from a purported financial institution (often eBay or PayPal)

• Stating that there is something wrong with an account, and the account holder needs to log in to set it straight

– They provide the account holder with a link to a site that looks almost identical to the real company site

– When the account holder logs in, the scammers capture the username and password


Browser-Based Vulnerabilities

• Browsers are applications written in some programming language by human beings

• All browsers have bugs, coding errors, and vulnerabilities


Protection

• A few fairly effective countermeasures to threats and annoyances

• Could be called personal and corporate measures


Personal E-mail Security Countermeasures

• Segmenting E-mail

– Get two or more e-mail accounts and use them for specific purposes

• Filter Mail at the Client Level

– All e-mail clients give users the tools to filter e-mails

– Filter for whitelist rather than for blacklist terms

– Whitelisting gives few false positives

– Blacklisting is often handled by the ISP, which typically places the suspected spam in the Bulk folder


Personal E-mail Security Countermeasures (continued)

• Due Diligence

– Using the same amount of effort that a reasonably educated person would use

– Users should have antivirus software if there is any reason to suspect vulnerability to viruses or worms

• Digital Signature and Certificates

– A digital signature or certificate is a file that validates who a user is

– Digital signatures are used to confirm the user’s identity to any third party concerned


Personal E-mail Security Countermeasures (continued)

• Digital Signature and Certificates (continued)

– A digital certificate is issued by a third-party Certificate Authority (CA)

– Digital certificate includes information about the sender credited with signing the message


Corporate E-mail Security Countermeasures

• E-mail Security Policies

– Policy should inform the entire organization of acceptable e-mail and messaging

– Policy will also contain provisions for infractions of the messaging rules

• Provide Security Software

– Implement antivirus software on all machines

• In case server-based solutions miss something

– Consider software firewalls and centralized patch management


Corporate E-mail Security Countermeasures (continued)

• Antispam Tools

– Either hardware or software options

– All antispam tools are reactive and most are based on filtering algorithms

– Tools reduce storage requirements for regulatory purposes

• And reduce time spent by employees in reading, analyzing, and processing obviously unwanted mail

– Advanced antispam tools include content-checking of incoming and outgoing e-mail


Corporate E-mail Security Countermeasures (continued)

• Content-Checking

– Can be installed on the e-mail system to monitor whether users are giving away trade secrets

• Or to check for offensive or inappropriate content

– An authorized censor within the organization must approve any suspicious messages

• Disclaimers

– Attached to each company e-mail

– Considered an effective way of controlling employees’ propensity to send sensitive information


Corporate E-mail Security Countermeasures (continued)

• Encryption

– Encryption techniques such as PGP

• Make gleaning useful information from packet-sniffing rather challenging

• Virus Scanners

– Check all incoming and outgoing e-mail messages and attachments for e-mail viruses and worms

– Server-based virus solutions cut the time users spend dealing with possible virus-laden e-mails

• Use multilayered defenses, not just one solution


Summary

• Mail system vulnerabilities are dependent on the major mail protocols, server software, tendencies of users and attackers, and vulnerabilities in specific browser code

• The major mail protocols are SMTP, IMAP, and POP

• Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail messages

• Most SMTP vulnerabilities occur because the SMTP server is not correctly configured

• Some standard SMTP commands can be used by attackers


Summary (continued)

• Internet Message Access Protocol (IMAP) is an e-mail client protocol that retrieves e-mail messages from a mail server

• Older versions of IMAP and POP are susceptible to buffer overflow conditions

• Post Office Protocol (POP) delivers mail to users, downloaded to their local devices

• E-mail clients are vulnerable to over-sized messages

• All mail-server applications are vulnerable to exploit


Summary (continued)

• E-mail attacks include list linking, e-mail bombing, spamming, sniffing and spoofing, attachments, 419s, scams, and phishing

• All e-mail browsers have their share of bugs, coding errors, and other vulnerabilities

• Personal e-mail security measures: segmenting mail, filtering mail, and using due diligence

• Corporate e-mail security measures: implementing an e-mail security policy and providing security software and virus scanners