hac.’s Weblog

Just a place to share my life

SMTP (RFC 2821)

I have not written a new entry for a very long time. This time, I would like to discuss RFC 2821. This is the first time I have read an RFC document. Simple Mail Transfer Protocol (SMTP) is the simplest Internet standard for delivering email across IP networks. The one I read is not the latest version of SMTP; the most recent one is RFC 5321, which I may look at later. Still, RFC 2821 is worth a look, to see how the engineers thought about message delivery in the past.

Once the SMTP client has connected to the SMTP server, the client should issue the EHLO command to introduce itself to the server; the server replies with the list of extensions it supports, if any. After the connection between client and server has been initiated, there are three basic steps the client needs to perform to complete the mail submission.

MAIL FROM:<username@domain> – This command declares the sender of the email. It identifies the sender and can be used as the reply address (of course, you can specify the reply address with other commands).

RCPT TO:<username@domain> – Conversely, this command declares the recipient of the email; the SMTP server has to verify the recipient's address before it accepts the mail submission. You can specify more than one recipient, or even a mailing list.

DATA – After this command is issued, the client can submit the content of the message to the server. To mark the end of the message, the client must send an extra line containing only a single dot ".". The Internet Message Format (RFC 2822) defines header fields inside the DATA block that carry different types of information, e.g. Subject.

The mail submission process can be visualized with the following diagram (greatly simplified; I will give a better version later).

Diagram of the mail transaction, from RFC 2821

The SMTP design may allow an attack at the very beginning, when the client tries to initialize the session. By design, SMTP allows a server to formally reject a transaction while still accepting the initial connection: the server can send a 554 (Transaction failed) response instead of 220 (<domain> service ready). However, the server must still wait for the client to send the QUIT command. What if the client simply leaves the connection open and never sends QUIT? And what if tons of clients (most likely tons of zombies) do the same thing at the same time? Can the server handle that? The server may be overloaded by these actions; in other words, it is a denial of service (DoS). More precisely, it is a distributed denial of service (DDoS), because it takes more than one machine to overload the server.
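As an added example (my own code, not from the post or the RFC text), here is a socket-free Python model of the server side of the transaction described above: the EHLO / MAIL FROM / RCPT TO / DATA / "." sequence with 503 for commands out of order, the 554-greeting path where only QUIT is accepted, and an idle timer a server can use to reap clients that never send QUIT (RFC 2821 section 4.5.3.2 says a server should wait at least five minutes for the next command). The host name mx.example.test and the abbreviated reply texts are my own choices.

```python
# Socket-free model of the RFC 2821 server side of one mail transaction (sections 3.1, 3.3, 4.1.1, 4.5.2).
SERVER_TIMEOUT = 5 * 60  # RFC 2821 4.5.3.2: wait at least 5 minutes for the next command
NEXT_STATE_OK = {"MAIL": ("ehlo",), "RCPT": ("mail", "rcpt"), "DATA": ("rcpt",)}  # legal predecessors

class SmtpSession:
    def __init__(self, reject=False, now=0.0):
        self.reject = reject                 # True: greet with 554 instead of 220
        self.state = "rejected" if reject else "connected"
        self.sender, self.rcpts, self.data_lines = None, [], []
        self.last_activity = now             # timestamp of the last command seen

    def greeting(self):
        return "554 Transaction failed" if self.reject else "220 mx.example.test ESMTP"

    def idle_for(self, now):                 # compare with SERVER_TIMEOUT to reap silent clients
        return now - self.last_activity

    def handle(self, line, now=0.0):
        self.last_activity = now
        if self.state == "data":             # inside the DATA block
            if line == ".":                  # a lone dot ends the message
                self.state, self.sender, self.rcpts = "ehlo", None, []
                return "250 OK"
            # the client doubles a leading dot (dot stuffing); strip one back
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return None                      # no reply while collecting lines
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.state = "closed"
            return "221 mx.example.test closing connection"
        if self.state == "rejected":         # after a 554 greeting only QUIT is accepted
            return "503 bad sequence of commands"
        if verb in NEXT_STATE_OK and self.state not in NEXT_STATE_OK[verb]:
            return "503 bad sequence of commands"
        if verb in ("EHLO", "HELO"):         # (re)start: forget any earlier transaction
            self.state, self.sender, self.rcpts = "ehlo", None, []
            return "250 mx.example.test"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            self.sender, self.state = arg[5:].strip("<>"), "mail"
            return "250 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            self.rcpts.append(arg[3:].strip("<>"))
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA":                   # only after at least one accepted RCPT
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 command not recognized"
```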

I am still working my way through this RFC. Next time I will discuss some extensions mentioned in RFC 2821 which may help spammers harvest email addresses from an SMTP server. Have a guess at what they are before I post the next entry. Enjoy!

Filed under: app sec, protocols, spec

Google Chrome has the same bomb as Safari

Yesterday, Google released its new web browser, Chrome, and I downloaded it to give it a try. After reading the brief introduction on its official homepage, I suspected there might be a vulnerability. Here is the description from the official page:

No intrusive download manager; you see your download’s status at the bottom of your current window.

I have not watched the introduction video yet, but from the description, the first thing I wondered was: does it have the same carpet bomb as Safari? Some of you may not have read my earlier entry about the carpet bomb in Safari. There is a bomb because Safari does not notify the user before it starts downloading a file from a website. This means a site can push tons of files onto a victim's computer without any notification and fill a folder up with its files (in Safari, the default destination for downloaded files is the desktop, so you can imagine what happens). With a friendly file name, the site can even entice the victim into executing its evil file.

Unfortunately, the default setting of Google Chrome has the same problem: it downloads files without asking the user's permission, although the destination of downloaded files is not the desktop. Luckily, unlike Safari, Chrome allows the user to choose the destination each time a file is about to be downloaded. So before using Chrome as your default browser, adjust its download location setting first.

I can imagine more bugs coming from Chrome in the future (of course, no software is perfect). So until the next bug is discovered, enjoy your life in Google Chrome.

Filed under: app sec

What is HackerSafe?

Last night, I read the report of a security survey run by Jeremiah. I should mention that I am really new to security, a novice; if you already know what HackerSafe is, you may just skip this. Of course, comments or corrections are always welcome.

In the survey, Jeremiah asked "What is HackerSafe?". I had not heard of this name before, which is why I wanted to spend some time studying what it is. Actually, you may already have seen the symbol. Below are examples taken from starbucksstore.com and buynetgear.com.

HackerSafe logo from StarbucksStore.com

HackerSafe logo from BuyNetgear.com

Once you see the symbol above, you may find it familiar. HackerSafe is a piece of software that is supposed to make a website safe from hackers, mostly used on e-shopping sites. The symbol itself gives customers confidence to shop on the site.

However, is it worth having one on your e-shopping site? If you google "hackersafe news" (without the quotes), you may discover that there is more negative news than positive about HackerSafe. They claim that the software meets the official requirements of Visa and MasterCard and protects you from viruses, spam, spyware and many other threats, but the news tells you the truth: there is still a long way to go. Security is a long war between evils and protectors (a hacker is sometimes also a protector, which is why I say evils rather than hackers). But still, HackerSafe is "safe for hacker".

P.S. I cannot find a product named HackerSafe on the McAfee US site. Do McAfee Secure and McAfee HackerSafe refer to the same thing? Should you know the difference between them, please let me know.

Filed under: app sec

Safari Carpet Bomb

Most of you probably know what Safari is. If you don't, let me briefly describe it in a few words: Safari is a typical web browser like Firefox and Internet Explorer, developed by Apple. As a general user of Mac OS, it is very usual that Safari does not ask for the user's permission before downloading a file. This may not be a security problem for most users, but some annoying things can be done using this feature of Safari. Consider a site http://iam.not.evil/ whose index page contains the following code.

<html>
<body>
<!-- each iframe triggers a separate download of the same file -->
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
<iframe src="get_file.php"></iframe>
</body>
</html>

Inside get_file.php, we send a file to the user. My attempt is as follows.

<?php
// read the file to be pushed to the browser
$data = file_get_contents('evil');
// present it as an attachment so the browser saves it instead of rendering it
header('Content-Type: application/x-zip');
header('Content-Length: ' . strlen($data));
header('Content-Disposition: attachment; filename=evil');
die($data);
?>

You may try it by visiting the following site. It contains only one iframe, which tries to download an empty file named evil to your computer.
http://www.cse.cuhk.edu.hk/~hkho5/security/

Since Safari does not ask for the user's consent before downloading a file, the implication is obvious: malware can be downloaded to the victim's desktop without the user's consent. This may not cause a security problem on Mac OS, but it does annoy users when they close Safari and discover how "beautiful" their desktop has become!

This security problem was discovered by Nitesh Dhanjani. He tried to report it to Apple, but Apple does not consider it a security issue. Furthermore, Microsoft warned that this "special feature" of Safari may enable a blended attack on Windows XP and Windows Vista.

"Microsoft says it is the combination of the default download file location in Safari and how the Windows desktop handles the files that creates the blended threat on all supported versions of Windows XP and Windows Vista when Apple's Safari for Windows has been installed." (from ZDNet.co.uk)

It reminds me that sometimes something is very natural or usual, but that does not mean it is reasonable or safe!

P.S. I don't know how the Windows desktop handles files. Should you know, please let me know.

Filed under: app sec