Computer Security and Penetration Testing
Chapter 14: Mail Vulnerabilities
Computer Security and Penetration Testing 2
Objectives
• Define SMTP vulnerabilities
• Outline IMAP vulnerabilities
• Explain POP vulnerabilities
• Identify some specific server application vulnerabilities
Objectives (continued)
• List types of e-mail-related attacks
• Identify some specific browser-based vulnerabilities
• Discuss protection measures
Major Mail Protocols
• Main protocols supporting e-mail systems
  – SMTP
  – IMAP
  – POP
Simple Mail Transfer Protocol (SMTP)
• Simple Mail Transfer Protocol (SMTP)
  – Transfers e-mail messages from one server to another or from a client computer to a server
• An e-mail client using either Post Office Protocol (POP) or IMAP can retrieve the messages
• SMTP uses the concept of spooling
  – SMTP stores the e-mail message in a buffer called the SMTP queue
Simple Mail Transfer Protocol (SMTP) (continued)
• If the intended recipient of the e-mail message is unavailable
  – Server attempts to send the message later
• End-to-end delivery
  – Holding all messages in the spool until they can be delivered
Simple Mail Transfer Protocol (SMTP) (continued)
• The SMTP Model
  – To deliver an e-mail message
    • Client computer must establish a TCP connection with port 25 of the destination computer
  – If the destination computer is unavailable
    • Server sends a single-line text message to the client computer
  – If the server accepts the message from the client
    • It will send details about the sender and the receiver of the e-mail message
Simple Mail Transfer Protocol (SMTP) (continued)
• The SMTP Model (continued)
  – If recipient exists at any of the destination mailboxes
    • Server will copy the e-mail messages into the appropriate mailboxes
  – If an e-mail message cannot be delivered
    • An error report is returned to the client computer
  – If more e-mail messages have to be sent
    • Client computer continues with the connection to the server
Simple Mail Transfer Protocol (SMTP) (continued)
• The SMTP Model (continued)
  – SMTP Commands
    • HELO or EHLO
    • RCPT
    • DATA
    • RSET
    • VRFY
    • EXPN
    • QUIT
Simple Mail Transfer Protocol (SMTP) (continued)
• SMTP Vulnerabilities
  – Hackers scan the Internet for any incorrectly configured SMTP servers
  – Hackers can exploit the server in two ways:
    • The attacker can send mail anonymously
    • Hackers can also send the SMTP server a single e-mail with the intention of reaching hundreds, thousands, or even millions of users
  – Hackers can use several commands to exploit SMTP servers
Simple Mail Transfer Protocol (SMTP) (continued)
• SMTP Vulnerabilities (continued)
  – Buffer overflows
    • Hackers may try to overflow the buffer of the user’s system
    • A very long username, password, or file name is sent to the server
      – Using the HELO, MAIL or RCPT commands
  – Backdoor entry
    • Permits hackers to take complete control of a mail system
    • WIZ commands can open a back door
Simple Mail Transfer Protocol (SMTP) (continued)
• SMTP Vulnerabilities (continued)
  – Scanning e-mail servers
    • EXPN and VRFY may allow attackers to acquire information from an e-mail server
  – Spamming e-mail servers
    • Attacker sends a single e-mail message to a large number of recipients
    • Hacker attempts to attack a mail server by sending large numbers of RCPT commands to it
Simple Mail Transfer Protocol (SMTP) (continued)
• SMTP Vulnerabilities (continued)
  – Spamming e-mail servers (continued)
    • May result in any of the following attacks
      – Denial-of-service (DoS) attack
      – User-account attack
      – Spam-relay attack
      – Sending corrupt MAIL commands
      – Manipulating commands such as EXPN or VRFY
      – Third-party mail relay
    • Most corporate mail servers do not allow third-party mail relaying
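The SMTP model and vulnerability slides above describe three server-side symptoms a defender can look for: VRFY/EXPN enumeration, floods of RCPT commands, and third-party relay attempts. The following is an added example (not part of the chapter) that flags those patterns in a server-side session log; the log format, the local-domain set and the flood threshold are assumptions for the example.

```python
import re
from collections import defaultdict

# Added example, not from the chapter: flag VRFY/EXPN enumeration, RCPT
# floods and third-party relay attempts in a server-side SMTP session log.
# LOCAL_DOMAINS, the threshold and the log format are assumptions.
LOCAL_DOMAINS = {"example.com"}
RCPT_FLOOD_THRESHOLD = 50      # RCPT commands per session before flagging
ADDR_RE = re.compile(r"<([^>]*)>")
# Constructed log: "<session-id> <C|S> <text>"; C = client command.
SAMPLE_LOG = """\
s1 C EHLO scanner.invalid
s1 C VRFY root
s1 C EXPN postmaster
s2 C HELO relay.invalid
s2 C MAIL FROM:<bulk@relay.invalid>
s2 C RCPT TO:<a@other.invalid>
s3 C HELO laptop
s3 C MAIL FROM:<alice@example.com>
s3 C RCPT TO:<bob@other.invalid>
"""

def domain_of(cmd_text):
    """Domain from 'MAIL FROM:<u@d>' or 'RCPT TO:<u@d>', '' if absent."""
    m = ADDR_RE.search(cmd_text)
    if not m or "@" not in m.group(1):
        return ""
    return m.group(1).rsplit("@", 1)[1].lower()

def analyse(log_text, flood_threshold=RCPT_FLOOD_THRESHOLD):
    """Map session id -> findings; relay = neither party in a local domain."""
    findings, rcpt_count, sender_domain = defaultdict(set), defaultdict(int), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sid, direction, text = line.split(" ", 2)
        if direction != "C":
            continue                              # only client commands
        verb = text.split(":", 1)[0].split(" ", 1)[0].upper()
        if verb in ("VRFY", "EXPN"):
            findings[sid].add("user-enumeration")
        elif verb == "MAIL":
            sender_domain[sid] = domain_of(text)
        elif verb == "RCPT":
            rcpt_count[sid] += 1
            if rcpt_count[sid] > flood_threshold:
                findings[sid].add("rcpt-flood")
            if (sender_domain.get(sid) not in LOCAL_DOMAINNS if False else sender_domain.get(sid) not in LOCAL_DOMAINS
                    and domain_of(text) not in LOCAL_DOMAINS):
                findings[sid].add("third-party-relay")
    return dict(findings)
```

Session s3 produces no finding because the sender is local, which is exactly the case a correctly configured server should still accept.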
Internet Message Access Protocol (IMAP)
• Internet Message Access Protocol (IMAP)
  – E-mail client protocol which can be used to retrieve e-mail messages from a mail server
• Role of IMAP
  – The functions of IMAP include:
    • Allowing users to read, edit, reply to, forward, create, and move e-mail messages
    • Creating, deleting, and renaming mailboxes
    • Checking for new e-mail messages
    • Deleting e-mail messages
Internet Message Access Protocol (IMAP) (continued)
• Role of IMAP (continued)
  – To provide security to users, IMAP is designed to:
    • Be compatible with Internet messaging standards
    • Enable message access and management from more than one computer
    • Permit access without depending on less efficient file access protocols
    • Support concurrent access to all shared mailboxes
Internet Message Access Protocol (IMAP) (continued)
• IMAP Vulnerabilities
  – IMAP is susceptible to buffer overflow conditions
  – IMAP supports various authentication mechanisms, including CRAM-MD5
  – A logic flaw in CRAM-MD5 allows a remote attacker
    • To gain unauthorized access to another user’s e-mail
  – Hackers are able to obtain super-user access to the mail server because the server process runs as root
  – Firewalls or filtering routers could protect the server from attacks
Server Application Vulnerabilities
• Some exploits are associated with specific mail-server applications
Microsoft Exchange Server
• Vulnerabilities affect various versions of
  – Microsoft Exchange Server
  – Windows 2000 Advanced Server
  – Windows 2000 Datacenter Server
Microsoft Exchange Server (continued)
• Vulnerabilities
  – Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability, 2006
  – Microsoft Exchange Server Calendar Remote Code Execution Vulnerability, 2006
  – Microsoft Exchange Server 2003 Exchange Information Store Denial of Service Vulnerability, 2005
  – Microsoft Exchange Server 2003 Outlook Web Access Random Mailbox Access Vulnerability, 2004
IBM Lotus Domino Notes
• Vulnerabilities
  – IBM Lotus Domino Multiple TuneKrnl Local Privilege Escalation Vulnerabilities, 2006
  – iDefense Security Advisory 11.08.06: IBM Lotus Domino 7, 2006
  – IBM Lotus Domino Web Access Session Hijacking Vulnerability (Vulnerabilities), 2006
  – Session Token Remains Valid After Logout in IBM Lotus Domino Web Access, 2006
E-mail Attacks
• E-mail attacks include:
  – List linking
  – E-mail bombing
  – Spamming
  – Sniffing and spoofing
  – E-mail attachments
  – 419s
  – Scams
  – Phishing
List Linking
• Similar to e-mail bombing
• Involves enrolling potentially hundreds of target users
  – Through e-mail lists and distributed e-mail message systems
• Theory behind this voluntary mail-flooding
  – Subjects of the messages are interesting to the member
List Linking (continued)
[figure slides; no text was extracted]
E-mail Bombing
• Sending an identical e-mail repeatedly to the target user
• May exceed the storage or bandwidth of some e-mail accounts
• Mail Bomber
  – An e-mail bombing utility that was distributed in a file called bomb02.zip
  – Certain e-mail bombing utilities are used on any system that supports SMTP servers
    • Other utilities are specialized
E-mail Spamming
• Many people use the term spam to mean any e-mail they don’t like or did not request
• Spam is commercial or nuisance e-mail with no effective opt-out system
• E-mail spamming is nearly impossible to prevent
  – Because all users have their own definition of what constitutes spam
• Spamming can be considered a security hazard
  – Especially if spammers use corporate e-mail servers to relay their messages
E-mail Sniffing and Spoofing
• Packet sniffers are able to collect all of the unencrypted data traveling on a network
  – All POP3 e-mail requests will show the attacker the username and password in plain text
• E-mail spoofing is a way of tampering with e-mail
  – So that the message received appears to be from a known and trusted person
    • When it is actually sent by an impostor
• The person being imitated is unaware
E-mail Attachments
• Attachments to e-mail can contain worms and viruses
• Worms can mail themselves to all the e-mail addresses in your address book
• E-mails to which worms attach themselves are often extremely poorly written
• If the victim opens the e-mail, the worm spreads
419s, Scams, and Phishing
• 419 or Advance Fee Fraud
  – Named after the relevant section of the Criminal Code of Nigeria referring to “Advance Fee Fraud”
  – Occurs when the victim pays money to someone in anticipation of receiving something of greater value
• Other Scams
  – Bad-check scams
    • Victim is asked to agree to receive money for an offshore company who cannot get it otherwise
    • The victim is offered 10% of the money
419s, Scams, and Phishing (continued)
• Phishing
  – Uses e-mails from a purported financial institution (often eBay or PayPal)
    • Stating that there is something wrong with an account, and the account holder needs to log in to set it straight
  – They provide the account holder with a link to a site that looks almost identical to the real company site
  – When the account holder logs in, the scammers capture the username and password
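The phishing lure described above relies on a link whose visible text names the real company while the href points elsewhere. As an added example (not part of the chapter), the following checks an HTML message body for anchors whose displayed host and actual target belong to different registered domains; the message, the `.invalid` lure host and the `bank.example` brand are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not from the chapter: flag anchors whose visible text
# names one host while the href targets another. The message below is
# constructed; bank.example stands in for the impersonated institution.
SAMPLE_HTML = """\
<p>Your account is suspended. Please log in at
<a href="http://login-secure.invalid/verify">https://www.bank.example/</a>
to restore access, or see <a href="https://www.bank.example/help">help</a>.</p>
"""

def registered_domain(host):
    """Crude eTLD+1: last two labels ('www.bank.example' -> 'bank.example')."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    """Return [(href, text)] where the text reads as a URL or hostname
    whose registered domain differs from the one the href targets."""
    parser = LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if len(text.split()) != 1:
            continue          # only single-token text can masquerade as a URL
        target = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and registered_domain(shown) != registered_domain(target):
            suspicious.append((href, text))
    return suspicious
```

A link whose text is plain words ("help") cannot masquerade as an address, so it is not reported even though it and the lure sit in the same message.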
Browser-Based Vulnerabilities
• Browsers are applications written in some programming language by human beings
• All browsers have bugs, coding errors, and vulnerabilities
Protection
• A few fairly effective countermeasures to threats and annoyances
• Could be called personal and corporate measures
Personal E-mail Security Countermeasures
• Segmenting E-mail
  – Get two or more e-mail accounts and use them for specific purposes
• Filter Mail at the Client Level
  – All e-mail clients give users the tools to filter e-mails
  – Filter for whitelist rather than for blacklist terms
  – Whitelisting gives few false positives
  – Blacklisting is often handled by the ISP and they typically place the suspected spam in the Bulk folder
Personal E-mail Security Countermeasures (continued)
• Due Diligence
  – Using the same amount of effort that a reasonably educated person would use
  – Users should have antivirus software if there is any reason to suspect vulnerability to viruses or worms
• Digital Signature and Certificates
  – A digital signature or certificate is a file that validates who a user is
  – Digital signatures are used to confirm the user’s identity to any third party concerned
Personal E-mail Security Countermeasures (continued)
• Digital Signature and Certificates (continued)
  – A digital certificate is issued by a third-party Certificate Authority (CA)
  – Digital certificate includes information about the sender credited with signing the message
Corporate E-mail Security Countermeasures
• E-mail Security Policies
  – Policy should inform the entire organization of acceptable e-mail and messaging
  – Policy will also contain provisions for infractions of the messaging rules
• Provide Security Software
  – Implement antivirus software on all machines
    • In case server-based solutions miss something
  – Consider software firewalls and centralized patch management
Corporate E-mail Security Countermeasures (continued)
• Antispam Tools
  – Either hardware or software options
  – All antispam tools are reactive and most are based on filtering algorithms
  – Tools reduce storage requirements for regulatory purposes
    • And reduce time spent by employees in reading, analyzing, and processing obviously unwanted mail
  – Advanced antispam tools include content-checking of incoming and outgoing e-mail
Corporate E-mail Security Countermeasures (continued)
• Content-Checking
  – Can be installed on the e-mail system to monitor whether users are giving away trade secrets
    • Or to check for offensive or inappropriate content
  – An authorized censor within the organization must approve any suspicious messages
• Disclaimers
  – Attached to each company e-mail
  – Considered an effective way of controlling employees’ propensity to send sensitive information
Corporate E-mail Security Countermeasures (continued)
• Encryption
  – Encryption techniques such as PGP
    • Make gleaning useful information from packet-sniffing rather challenging
• Virus Scanners
  – Checks all incoming and outgoing e-mail messages and attachments for e-mail viruses and worms
  – Server-based virus solutions cut the time users spend dealing with possible virus-laden e-mails
• Use multilayered defenses, not just one solution
Summary
• Mail system vulnerabilities are dependent on the major mail protocols, server software, tendencies of users and attackers, and vulnerabilities in specific browser code
• The major mail protocols are SMTP, IMAP, and POP
• Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail messages
• Most SMTP vulnerabilities occur because the SMTP server is not correctly configured
• Some standard SMTP commands can be used by attackers
Summary (continued)
• Internet Message Access Protocol (IMAP) is an e-mail client protocol that retrieves e-mail messages from a mail server
• Older versions of IMAP and POP are susceptible to buffer overflow conditions
• Post Office Protocol (POP) delivers mail to users, downloaded to their local devices
• E-mail clients are vulnerable to over-sized messages
• All mail-server applications are vulnerable to exploit
Summary (continued)
• E-mail attacks include list linking, e-mail bombing, spamming, sniffing and spoofing, attachments, 419s, scams, and phishing
• All e-mail browsers have their share of bugs, coding errors, and other vulnerabilities
• Personal e-mail security measures: segmenting mail, filtering mail, and using due diligence
• Corporate e-mail security measures: implementing an e-mail security policy and providing security software and virus scanners