Redirecting and modifying SMTP mail with TLS session renegotiation attacks



Similar documents
CipherMail Gateway Quick Setup Guide

, SNMP, Securing the Web: SSL

TLS / SSLv3 renegotiation vulnerability explained

Chapter 17. Transport-Level Security

Appendix. Web Command Error Codes. Web Command Error Codes

1. The Web: HTTP; file transfer: FTP; remote login: Telnet; Network News: NNTP; SMTP.

Cork Institute of Technology Master of Science in Computing in Education National Framework of Qualifications Level 9

Lab 7: Introduction to Pen Testing (NMAP)

Cisco Secure PIX Firewall with Two Routers Configuration Example

Introduction to Computer Networks

Scan Report Executive Summary. Part 2. Component Compliance Summary IP Address :

JAVAMAIL API - SMTP SERVERS

smtplib SMTP protocol client

Intro to Firewalls. Summary

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN

Web Security Considerations

Bit Chat: A Peer-to-Peer Instant Messenger

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Simple Mail Transfer Protocol

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

SSL A discussion of the Secure Socket Layer

The Secure Sockets Layer (SSL)

Introduction. -- some basic concepts and terminology -- examples for attacks on protocols -- main network security services

1 Introduction: Network Applications

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Linux Network Security

Understanding TCP/IP. Introduction. What is an Architectural Model? APPENDIX

Internet Control Protocols Reading: Chapter 3

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Books and Beyond. Erhan J Kartaltepe, Paul Parker, and Shouhuai Xu Department of Computer Science University of Texas at San Antonio

My FreeScan Vulnerabilities Report

Transport Layer Protocols

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Proxies. Chapter 4. Network & Security Gildas Avoine

Chakchai So-In, Ph.D.

SMTP Servers. Determine if an message should be sent to another machine and automatically send it to that machine using SMTP.

General Network Security

Protocol Rollback and Network Security

Configuring SSL Termination

Enabling Security Features in Firmware DGW v2.0 June 22, 2011

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Applications and Services. DNS (Domain Name System)

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Remote login (Telnet):

The Transport Layer. Antonio Carzaniga. October 24, Faculty of Informatics University of Lugano Antonio Carzaniga

Configuring Security for SMTP Traffic

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Network Security Fundamentals

CS5008: Internet Computing

Secure Sockets Layer

Protocols and Architecture. Protocol Architecture.

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Math SMTP Server Configuration

Topics in Network Security

- Basic Router Security -

Emacs SMTP Library. An Emacs package for sending mail via SMTP. Simon Josefsson, Alex Schroeder

Communication Security for Applications

accf_smtp: FreeBSD kernel protection measures against SMTP DDoS and DoS attacks

TECHNICAL WHITE PAPER. TLS encryption: Is it really the answer to securing ?

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

Overview. SSL Cryptography Overview CHAPTER 1

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Virtual Private Networks

Networking for Caribbean Development

Final for ECE374 05/06/13 Solution!!

Cornerstones of Security

SSL VPN Technology White Paper

SPAMfighter SMTP Anti Spam Server

Clearswift Information Governance

Security vulnerabilities in the Internet and possible solutions

TLS and SRTP for Skype Connect. Technical Datasheet

Chapter 7 Transport-Level Security

# Constructors $smtp = Net::SMTP->new('mailhost'); $smtp = Net::SMTP->new('mailhost', Timeout => 60);

Internet Technologies Internet Protocols and Services

Chapter 10. Network Security

Computer Networks CS321

Firewalls. Chapter 3

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Chapter 7. Address Translation

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Cleaning Encrypted Traffic

Internet Security [1] VU Engin Kirda

UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION. Julie Brill Maureen K. Ohlhausen Joshua D. Wright Terrell McSweeny

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

IxLoad Data Mail (SMTP, POP3, IMAP) Features

Transcription:

Business Unit or Product Name Redirecting and modifying SMTP mail with TLS session renegotiation attacks Wietse Venema Postfix mail server project www.postfix.org November 8, 2009 2003 IBM Corporation

Executive summary The setting: an attacker, a victim, and a server. The attacker sits on the network path between victim and server (ARP 1 spoofing, etc.). The TLS renegotiation attack allows the attacker to prepend data to a TLS session between the victim and server. The attack was originally discussed in the context of HTTP. We present a specific attack that would allow an attacker to redirect and modify SMTP mail that is sent over a TLS session. For the server side, we show what SMTP-over-TLS implementations would be vulnerable to this attack, plus SMTP-level workarounds. We show why the Postfix SMTP server is not affected by this attack. For the client side, we propose SMTP-level workarounds for several session renegotiation attacks. 1 Address Resolution Protocol. This translates IP addresses into e.g., ethernet hardware addresses.

Basic TLS session renegotiation for SMTP See appendix for an example of a normal SMTP over TLS session With SMTP, the attacker must initiate TLS session renegotiation. Simplest possible example: the attacker prepends no input to the victim-server session (prepending input comes next). Victim Attacker Server TCP connect SMTP starttls SMTP commands TCP connect SMTP 220 (welcome) SMTP starttls SMTP 220 (starttls reply) Attacker decrypts to victim / encrypts to server Attacker copies encrypted traffic unchanged SMTP 220 (welcome) SMTP 220 (starttls reply) SMTP replies Note: The attacker never knows the victim-server TLS session key.

Prepending input to the victim-server session Challenge: prepend input to the SMTP stream, then re-synchronize the victim and the server, so that the SMTP session does not break (or at least, does not break too early). SMTP has two command states (MAIL, other), and one major noncommand state (DATA 1,2 ) that recognizes no SMTP commands. Many SMTP commands are valid only in specific protocol states (exceptions: NOOP, HELO, RSET, QUIT). Most non-error replies are 2xx numerical codes. Most clients accept these in all but one command state (i.e. any xx will do). The most common exception is the DATA command. This uses a 3xx non-error reply code. 3xx Numerical replies are also used with e.g. SASL login commands. 1 Few sites implement the BDAT command. To exploit this, the attacker needs to know precise details about the plaintext length or content of victim SMTP commands and email messages. 2 Other non-command modes are used with e.g. SASL logins.

Redirecting or modifying SMTP mail with TLS session renegotiation Victim Attacker Server TCP connect SMTP starttls TLS victim hello SMTP 220 (welcome) SMTP 220 (starttls reply) SMTP mail SMTP rcpt SMTP data TLS victim hello TCP connect SMTP starttls SMTP 220 (welcome) SMTP 220 (starttls reply) Attacker prepends mail transaction commands with the attacker s sender or return address, and perhaps also message content TLS handshake... decrypt to victim / encrypt to server SMTP mail from SMTP rcpt to SMTP data Email content SMTP data end SMTP quit TCP disconnect copy encrypted traffic between victim and server SMTP 250 (mail reply) SMTP 250 (rcpt reply) SMTP 354 (data reply) Server prepends the victim s SMTP commands to the victim s mail content SMTP 250 (data end reply) SMTP 221 (quit reply) TCP disconnect SMTP replies follow TLS handshake

Implications of this attack SMTP mail can be redirected and modified even though the server s TLS certificate provides strong assurance that the clientserver channel is secure. To modify email, prepend an Internet-style email header followed by a MIME segment that hides the victim s real email message. Most SMTP clients don t verify server TLS certificates. These clients are already vulnerable to ordinary man-in-the-middle attacks. Here, TLS session renegotiation introduces no new threat. Renegotiation attacks affect only configurations that rely on TLS server certificate verification to secure their SMTP mail traffic. For example, email between business partners. After a discussion of the attack s feasibility we discuss a number of possible workarounds.

Servers: what makes implementations vulnerable to the SMTP mail redirection/modification attack The attack requires that: The server processes the entire attacker s TCP packet with: The attacker s SMTP (hello, mail, rcpt, data) commands 1. The victim s TLS hello request. The server negotiates a new TLS session with the victim before responding to the SMTP (hello, mail, rcpt, data) commands 2. The server encrypts the SMTP (hello, mail, rcpt, data) replies under the new TLS session key, which is known only to server and victim. Implementations may be vulnerable when the TLS engine processes network input before the SMTP engine requests network input. Postfix-OpenSSL does not work this way, and it is therefore not vulnerable to this attack 1 To work around the attack, the SMTP engine could abort when the SMTP mail command arrives before the reply is sent, in clear violation of the SMTP protocol. 2 To work around the attack, the SMTP engine could abort when a TLS session is renegotiated.

Servers: why the SMTP mail redirection/ modification attack fails with Postfix-OpenSSL Assumption: the attacker sends one TCP packet with SMTP (hello, mail, rcpt, data) commands plus the victim s TLS hello request. The Postfix SMTP layer asks the OpenSSL layer for the next input. The OpenSSL layer has no direct access to the network socket. The OpenSSL layer asks the Postfix socket layer for the next TLS record header with data byte count, and then asks for that data. This TLS record contains only the attacker s SMTP commands. The OpenSSL layer does not ask for more input (victim TLS hello). The Postfix SMTP layer gives the SMTP (hello, mail, rcpt, data) replies to the OpenSSL layer. The attack fails because the server sends the SMTP replies before the SSL layer handles the (still unread) victim s TLS hello request. The replies are not encrypted in the victim-server TLS session key.

Clients: working around the SMTP mail redirection/ modification attack The attack signature: The server sends SMTP (hello, mail, rcpt, data) replies in the victim-server TLS session, before the victim has sent its own SMTP (hello, mail, rcpt, data) commands. To work around the attack in the SMTP client: Send the command and receive the hello reply. If the network input queue is non-empty, set a flag. Send the SMTP mail command and receive the mail reply. If there is no error, but the flag was set, then assume that the mail reply was received before the mail command was sent.

Clients: working around partial command attacks The attacker may prepend an incomplete SMTP command that does not end in <CR><LF>, so that the victim s first command in the TLS session is replaced with the attacker s command. For example: Attacker sends: NOOP<SPACE> Victim sends: Server reads: EHLO client.example<cr><lf> NOOP blah blah<cr><lf> (this is valid SMTP) Server replies: 250 2.0.0 Ok<CR><LF> Unlike the NOOP reply, the real EHLO reply would have no enhanced status code (the 2.0.0 in the example). Instead, the EHLO reply would show the server s name, and would list the server s protocol features. The SMTP client can work around this attack by sending its own NOOP command at the beginning of the TLS session, or by rejecting EHLO replies with an unexpected syntax.

Credits Wietse Venema proposed the attack to redirect or modify TLSencrypted SMTP mail. Victor Duchovni proposed the COMMAND<SPACE> partial command prepend attack. Victor found that Wietse s attack cannot work with Postfix SMTP servers that are built op top of OpenSSL, because such systems don t use server-side read-ahead. Wietse and Victor concocted detection mechanisms and workarounds. Some may even end up in Postfix.

Appendix: normal SMTP over TLS session For simplicity, without ESMTP command pipelining Client TCP connect SMTP starttls SMTP mail from SMTP rcpt to SMTP data Email content SMTP data end SMTP quit TLS shutdown TCP disconnect Server SMTP 220 (welcome) SMTP 220 (starttls reply) SMTP 250 (mail reply) SMTP 250 (rcpt reply) SMTP 354 (data reply) non-command mode (no reply) SMTP 250 (data end reply) SMTP 221 (quit reply) TLS shutdown TCP disconnect

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information