Autonomic Network Defense - SMTP

Overview

The delivery of electronic mail using the Simple Mail Transfer Protocol (SMTP) involves the regular exchange of e-mail messages between SMTP servers. SMTP servers are responsible for sending e-mail that users of the server submit for delivery. They also receive e-mail either intended for local recipients, or in some cases for forwarding or relaying to other servers.

An SMTP session begins with the SMTP sender establishing a TCP connection to the SMTP receiver. The receiver sends a ready message (220); the sender sends a HELO or EHLO command, to which the receiver responds. If the receiver is not ready, it can send a 554 code message; however, the sender doesn’t close the connection until it receives a QUIT from the receiver. In the meantime, if any other commands are given, the receiver sends a “503 bad sequence of commands” message. Assuming no difficulties, the session is established and mail transactions take place. When the sender is done, it sends a QUIT command; the receiver responds with a 221 reply and closes the session.

SMTP used by itself is a fairly benign protocol, containing only eight basic commands. These are HELO, MAIL, RCPT, DATA, QUIT, VRFY, NOOP, and TURN. There are two security threats associated with these commands: denial of service and information gathering.

Denial of Service:

Denial-of-service attacks based on SMTP are aimed at flooding a network or computer with large email messages to prevent normal use, to cause a delay in mail delivery, or sometimes even to shut down the server. In most cases a computer is affected because it cannot handle large messages (e.g. > 1 Megabyte), cannot handle the load created by receiving large numbers of messages at the same time, or runs out of storage space.

i) Buffer Overflow: A vulnerability has been reported in Microsoft Windows that can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by a boundary error in the SMTP component when handling DNS responses. This can be exploited to cause a buffer overflow by passing a specially crafted DNS response. Successful exploitation allows execution of arbitrary code.

Example: i) SMTP connections should not contain binary data, as binary attachments are converted to base64 or similar representations. The presence of binary data can indicate a buffer overflow or tunneling attempt.

ii) An invalid client-server-client sequence of SMTP commands is one that is not normally issued by an SMTP client or server. Detecting such a sequence can indicate that an attacker is manually trying to exploit your SMTP server.

iii) A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting to them malformed SMTP data. The overflow condition occurs when Sendmail processes incoming e-mail messages containing malformed address parameters in a field such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition. Successful attackers may exploit this vulnerability to gain root privileges on affected servers remotely. An exploit for this vulnerability is currently circulating on the internet.

Information Gathering:

The second, more subtle attack involves information gathering designed to provide the hacker with useful information about a computer system and its users. For instance, the VRFY command sometimes translates a user's mail alias into their login name.

Example

i) SMTP (Simple Mail Transfer Protocol) is a text-based protocol used for e-mail transmission. SMTP uses TCP port 25 by default. EXPN is one of the SMTP commands. It is used to identify a mailing list on a remote SMTP server. The command returns the full names of all the users on the mailing list. While the command is useful for debugging purposes, it discloses too much information about user accounts, and could be exploited by remote attackers for future attacks. Most standard SMTP servers and clients disable or do not support this command. Receiving an SMTP EXPN command could indicate a non-standard SMTP implementation, a configuration error, or that an attacker is attempting to gather information about a server to plan an attack.

ii) Banner Capture: A connection to an SMTP server followed immediately by a "QUIT" or "BYE" command. Such connections are typically used to determine the hostname, operating system, mail server software, and mail server version of the target. Such information can be used later in more targeted attacks. This reconnaissance technique is known as a "Banner Capture" since it copies the initial server reply banner, which typically provides significant information on the server.
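
The indicators described in the examples above (binary data, out-of-sequence commands, VRFY/EXPN probes and banner capture) can be checked in one pass over the lines a client sends. The following Python code is an added example, not code from this project; the function name inspect_session, the alert names, the 7-bit-only assumption and the sample sessions are constructed for illustration.

```python
import re

# Assumption: 7-bit SMTP without 8BITMIME, so any byte outside tab/printable ASCII is suspect.
TEXT_ONLY = re.compile(rb"[\t\x20-\x7e]*")
# For each transaction command: the states in which it is in sequence, and the next state.
SEQUENCE = {
    "MAIL": ({"greeted"}, "mail"),
    "RCPT": ({"mail", "rcpt"}, "rcpt"),
    "DATA": ({"rcpt"}, "data"),
}
ANYTIME = {"NOOP", "HELP", "TURN"}

def inspect_session(client_lines):
    """Return sorted alert names for the lines (bytes, CRLF stripped) one client sent."""
    alerts, state, count = set(), "connected", 0
    for line in client_lines:
        if not TEXT_ONLY.fullmatch(line):
            alerts.add("binary-data")          # possible overflow or tunneling attempt
            continue
        if state == "data":                    # message body runs until a lone dot
            if line == b".":
                state = "greeted"
            continue
        verb = line.split(b" ", 1)[0].decode("ascii").upper()
        count += 1
        if verb in ("HELO", "EHLO"):
            state = "greeted"
        elif verb in SEQUENCE:
            allowed, following = SEQUENCE[verb]
            if state in allowed:
                state = following
            else:
                alerts.add("bad-sequence")     # a server would answer 503 here
        elif verb in ("VRFY", "EXPN"):
            alerts.add("info-gathering")
        elif verb in ("QUIT", "BYE"):
            if count == 1:
                alerts.add("banner-capture")   # connected, read the 220 banner, left
            break
        elif verb == "RSET":
            state = "connected" if state == "connected" else "greeted"
        elif verb not in ANYTIME:
            alerts.add("unknown-command")
    return sorted(alerts)

# Constructed sample sessions (client side only).
NORMAL = [b"EHLO mail.example.org", b"MAIL FROM:<a@example.org>",
          b"RCPT TO:<b@example.net>", b"DATA", b"Subject: hi", b"", b"hello", b".", b"QUIT"]
BANNER_GRAB = [b"QUIT"]
PROBE = [b"HELO x.example", b"EXPN staff", b"DATA", b"MAIL FROM:<\x00\xff\xfe>", b"QUIT"]
```
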

Most problems arise when SMTP is implemented as a large application. The threat comes from bugs, which inherently manifest themselves within large programs, and from configuration problems such as giving the application higher privilege. These problems enabled one of the most famous Internet security incidents, the Internet Worm, to take place. Other problems also exist with email attachments and with automated execution of messages, such as Multipurpose Internet Mail Extensions (MIME). MIME allows specific actions to be encoded in email messages. These actions can request files to be automatically retrieved and returned to the message initiator. MIME can also be used to transfer executable programs and PostScript files, which can perform dangerous actions.


People


Youssif Al-Nashif
website: http://www.ece.arizona.edu/~alnashif

Research Areas and Interests: Network Security, Autonomic Computing & Management, Autonomic Fault Management, Data Mining, AI, Distributed Computing, High Performance Computing, Grid Computing, Scientific Visualization, Simulation and Modeling.


Mohamed Tabris
website: http://ece.arizona.edu/~mdtabris

Research Areas and Interests: Autonomic Network Anomaly Detection, Anomaly Detection in Mail System

Phone Number: (520) 621-9915 Room 251, ECE Dept. 1230 E. Speedway Tucson, AZ 85721-0104
ACL - © Copyright 2007, Webmaster: Youssif Al-Nashif
All Rights Reserved