SonicALERT

Sonicwall Signatures

 



Category: SMTP

SMTP Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent SMTP-related intrusions. SMTP or Simple Mail Transfer Protocol is the dominant text-based protocol used to transfer mail over the internet. However, because it is the de facto standard that defines how Mail Transfer Agents (MTAs) "speak" to one another when sending mail, SMTP is widely used by attackers to compromise mail servers. Using malformed SMTP requests, attackers can exploit vulnerabilities in MTAs, causing them to malfunction, and allowing the attackers to execute arbitrary commands on these servers, corrupt or steal sensitive information, or cause the server to crash, shutting down all e-mail communication through that server. The attacks are generally specific to the MTA that is running on the server.

The most commonly used MTA is Sendmail, and so a majority of SMTP attacks target this application. Sendmail is the standard MTA for UNIX-derivative operating systems. Attackers targeting Sendmail can use one of several techniques, including:

  • Bounce to Program Attacks: Sendmail treats messages it receives as data, but in certain instances, attackers can convince Sendmail to see those messages as code, and make the server run arbitrary commands. Attackers can use two methods to do this. One way is to send mail directly to the "decode" alias on a server, an alias that the server uses as a proxy to pipe uuencoded messages to a decode program. By sending the message straight to the decode alias, attackers can cause the decode program to malfunction, and execute code contained in the message. The second method allows the server to do the rerouting itself. By specifying invalid "mail from" and "rcpt to" fields, the attacker could trick Sendmail into routing the e-mail to a program and running commands, allowing the message to act as input. In both of these cases, attackers can run arbitrary code on a machine, overwrite sensitive files, or make the server crash, causing a denial of service for mail clients.

  • Ident Attacks: Later Sendmail versions support the ident protocol which attempts to better identify the sender of an e-mail message by "calling back" to the system that sent it. The server asks the originating system for the name of the owner of the established connection, then waits to see if the originating system has any queries. Attackers can take advantage of this connection and send malformed queries back to the server, possibly enabling them to take control of the machine.

  • Buffer Overflow Attacks: Attackers could cause a buffer overflow by inserting specially crafted input into some fields of a message. Although uncommon, these attacks are also dangerous, allowing attackers to take control of a server.

Up to the latest version, Sendmail attacks were made all the more damaging because Sendmail ran with root privileges by default, allowing attackers who compromised the MTA to take full control of the server.

These vulnerabilities, however, are not confined to Sendmail: other MTAs that implement SMTP, including CSM Mail Server, Microsoft Exchange Server, and NetWin DSMTP server, all have similar buffer overflow and request mishandling vulnerabilities.

SonicWALL SMTP signatures are classified from low- to high-priority and, when enabled for prevention, can keep suspicious SMTP requests from reaching a mail server in the first place. Still, it is important to note that security patches and updated versions of the above software are available from their vendors, and these close the vulnerabilities to SMTP attacks. SonicWALL signatures should be used in conjunction with, rather than as a replacement for, such critical software updates.

  ClamAV Milter Blackhole-Mode Remote Code Execution 1
  SmarterTools SmarterMail XSS 1
  SMTP Request with Malformed HELO Command
  SpamAssassin Milter Plugin Remote Command Execution
  Exim sender_address Remote Code Execution 1
  Microsoft Outlook Elevation of Privilege (CVE-2023-23397) 1
  BitDefender Antivirus Logging Function Format String Attack
  SMTP Server Directory Traversal
  SMTP Malformed Request 1
  SMTP Request Smuggling 1
  SMTP Request Smuggling 2
  SMTP Request Smuggling 3
  SoftiaCom WMailserver Buffer Overflow
  SMTP Request with Malformed EHLO Command
  Suspicious email Attachment (SMTP) 1
  Exim sender_address Remote Code Execution 2
  Mozilla Thunderbird Content-Type Header Heap Buffer Overflow (SMTP)
  Dovecot with Exim Remote Command Execution
  ClamAV Milter Blackhole-Mode Remote Code Execution 2
  Exim4 string_format Function Heap Buffer Overflow
  NJStar Communicator MiniSMTP Server Buffer Overflow 1
  NJStar Communicator MiniSMTP Server Buffer Overflow 2
  Suspicious email Attachment (SMTP) 2
  SMTP VRFY root Command
  Dovecot rfc822_parse_domain Information Disclosure
  Suspicious email Attachment (SMTP) 3
  Google Docs Phishing email
  Exim receive_msg Function DoS 1
  Exim receive_msg Function DoS 2
  Exim deliver_message Remote Command Execution 1
  Exim deliver_message Remote Command Execution 2
  Exim deliver_message Remote Command Execution 3
  Exim deliver_message Remote Command Execution 4
  Microsoft Outlook Memory Corruption Vulnerability (AUG 19) 1
  SMTP Request with Malformed Sender
  OpenSMTPD smtp_mailaddr Remote Command Execution
  OpenSMTPD mta_session.c Remote Command Execution
  SmarterTools SmarterMail XSS 2
  Microsoft Outlook Double Free Vulnerability (MS13-068)
  Microsoft Outlook Elevation of Privilege (CVE-2023-23397) 2
  Microsoft Outlook Elevation of Privilege (CVE-2023-23397) 3
  Roundcube Webmail SVG XSS
  Exim AUTH Out-Of-Bounds Write 1
  Exim AUTH Out-Of-Bounds Write 2
  Micro Focus GroupWise Internet Agent iCalendar DoS 1
  Micro Focus GroupWise Internet Agent iCalendar DoS 2
  Micro Focus GroupWise Internet Agent RRULE Buffer Overflow
  STARTTLS Plaintext Command Injection 1
  STARTTLS Plaintext Command Injection 2
  Postfix AUTH Command Remote Code Execution 1
  Postfix AUTH Command Remote Code Execution 2

