Back in the good old days just about every mail server was running Sendmail,
and Sendmail was littered with security holes. Nowadays Sendmail is pretty
safe (yet a lot of people still have bad memories of it, and as such refuse
to use it). The other common MTA is Microsoft Exchange. Other UNIX mail
servers include qmail and smail. What vulnerabilities exist in SMTP
gateways? If we assume that you are dealing with a rather new version of
Sendmail, it seems like SMTP is pretty safe (in terms of getting control over
a server). Mailbombing... sure; getting root when one already has a shell -
sure. But remotely - I don't think so. Should anyone find a nasty buffer
overflow in MS Exchange, it would probably be the next big thing. Anyone?
In terms of intelligence gathering SMTP can provide you with some
interesting stuff - EXPN and VRFY have been discussed in depth in the
examples - let's not go there again. Mail spamming - well, it's not really
hacking now, is it?
SMTP can also be used to discover the soft insides of networks by sending a
"bounce" message. Such a message is a message addressed to a user that
does not exist. The mail will travel all the way to the most internal
mail server, which will then reply to you stating that the user is not known.
By looking at the returned mail's SMTP headers you gain some useful
information about the mail path, and thus the internal network. Let us look
at an example. We want to see the SMTP path of the domain nedcor.co.za. We
send email to klasiedewaal@nedcor.co.za (we suspect there won't be such a
user at the domain), with body text: "Hi bud - got your email address from
Amy - if you receive this in good order, write back to me. Your friend,
Roelof". Obviously the idea is not to make the "bounce" message look
suspect. Now, let us look at the listed MX records for the domain:
/# host -t mx nedcor.co.za
nedcor.co.za mail is handled (pri=10) by mailmarshall-1.hosting.co.za
nedcor.co.za mail is handled (pri=10) by mailmarshall-2.hosting.co.za
nedcor.co.za mail is handled (pri=50) by prometheus.nedcor.co.za
The SMTP returned mail header looks like this:
Received: from prometheus_old.nedcor.co.za ([196.36.217.137])
by wips.sensepost.com (8.9.3/8.9.3) with SMTP id WAA18570
for <roelof@sensepost.com>; Sun, 10 Sep 2000 22:48:29 +0200 (SAST)
(envelope-from )
Received: FROM ARES.it.nednet.co.za BY prometheus_old.nedcor.co.za ; Sun
Sep 10 22:43:09 2000 +0200
Received: by ares.it.nednet.co.za with Internet Mail Service (5.5.2650.21)
id <S3GQJZHZ>; Sun, 10 Sep 2000 22:43:19 +0200
Message-ID: <35D6C187048AD311882F00805FD7EDE402F57314@ares.it.nednet.co.za>
We learn from this header that mail "terminates" at ares.it.nednet.co.za.
From there it hops to prometheus_old.nedcor.co.za. This is interesting as
neither of these machines is resolvable from the Internet, and they should
therefore be considered "internal".
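As an added example (not part of the original text), the following Python script recovers the relay path from the Received headers of the bounce above and lists the hosts that do not appear among the domain's published MX records; a mail administrator can run the same check over their own outbound bounces to see which internal names they expose. The hostnames and MX set are the ones quoted on this page, and wips.sensepost.com is treated as the receiving side's own relay.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: the bounce headers quoted above, reassembled into a
# minimal message so the example runs offline (no DNS lookups are made).
BOUNCE = """\
Received: from prometheus_old.nedcor.co.za ([196.36.217.137])
    by wips.sensepost.com (8.9.3/8.9.3) with SMTP id WAA18570
    for <roelof@sensepost.com>; Sun, 10 Sep 2000 22:48:29 +0200 (SAST)
    (envelope-from )
Received: FROM ARES.it.nednet.co.za BY prometheus_old.nedcor.co.za ; Sun
    Sep 10 22:43:09 2000 +0200
Received: by ares.it.nednet.co.za with Internet Mail Service (5.5.2650.21)
    id <S3GQJZHZ>; Sun, 10 Sep 2000 22:43:19 +0200
Message-ID: <35D6C187048AD311882F00805FD7EDE402F57314@ares.it.nednet.co.za>

User unknown
"""

# Hosts the target domain publishes in DNS (the MX records quoted above).
PUBLIC_MX = {"mailmarshall-1.hosting.co.za", "mailmarshall-2.hosting.co.za",
             "prometheus.nedcor.co.za"}

FROM_RE = re.compile(r"\bfrom\s+([\w.\-]+)", re.I)   # "from <host>" clause
BY_RE = re.compile(r"\bby\s+([\w.\-]+)", re.I)       # "by <host>" clause

def mail_path(raw_message):
    """Relay chain, origin first, recovered from the Received headers."""
    msg = message_from_string(raw_message, policy=default)
    path = []
    # Each hop prepends its Received header, so the bottom one is the origin.
    for received in reversed(msg.get_all("Received", [])):
        value = " ".join(str(received).split())      # unfold continuation lines
        for regex in (FROM_RE, BY_RE):               # sender hop, then receiver
            m = regex.search(value)
            if m and m.group(1).lower() not in path:
                path.append(m.group(1).lower())
    return path

def unpublished_hosts(path, public_mx, own_relays):
    """Hosts in the path that are neither a published MX nor one of ours."""
    # In a bounce these are names the sending organisation never published.
    return [h for h in path if h not in public_mx and h not in own_relays]
```

Running `unpublished_hosts(mail_path(BOUNCE), PUBLIC_MX, {"wips.sensepost.com"})` reports the two nedcor hosts that never appear in DNS.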