37C3 - SMTP Smuggling - Spoofing E-Mails Worldwide

40,151 views

media.ccc.de

5 months ago

media.ccc.de/v/37c3-11782-smt...
Introducing a novel technique for e-mail spoofing.
SMTP, the Simple Mail Transfer Protocol, has enabled e-mailing since 1982, which easily makes it one of the oldest technologies on the Internet. However, even though it seems to have stood the test of time, there was still a trivial but novel exploitation technique just waiting to be discovered: SMTP smuggling!
In this talk, we'll explore how SMTP smuggling breaks the interpretation of the SMTP protocol in vulnerable server constellations worldwide, allowing some more than unwanted behavior. Sending e-mails as admin@microsoft.com to Fortune 500 companies, while still passing SPF checks, will be the least of our problems!
From identifying this novel technique to exploiting it in one of the most used e-mail services on the Internet, we’ll dive into all the little details this attack has to offer. Therefore, in this talk, we’ll embark on an expedition beyond the known limits of SMTP, and venture into the uncharted territories of SMTP smuggling!
Timo Longin
events.ccc.de/congress/2023/h...
#37c3 #Security

Comments: 62
@dinoscheidt 5 months ago
23:05 Admin at Cisco: Dear Cisco, I shouldn’t be able to do this. Admin at Cisco: No. This is a feature.
@Olaxan4 5 months ago
And now *I* am the admin@cisco!
@SMURFPICTURES 5 months ago
the arrogance of some companies makes me angry. great talk and congrats on that find!
@fraenkiboii 5 months ago
Jesus. Mail needs an overhaul sooner than later. Everything that's been done since the 80s to prevent stuff like this from happening has been a workaround.
@supernenechi 5 months ago
Disagree. Highly highly disagree, because of one main reason. The entire email system is a gloriously democratised system, it's very decentralized. If email were invented today, you couldn't send emails between providers, as if it were between WhatsApp and iMessage. Email is one of the best systems ever designed, and the SMTP RFC standard is correct and safe, at least from this vulnerability! It's bad implementations that caused this!
@iotkualt 5 months ago
Is it even possible to create another widespread standardized protocol like SMTP (but not broken) which isn't owned by a major company? It feels like at this point our only choice is to stick with ancient insecure protocols or deal with lock-in and neither choice is good.
@thewhitefalcon8539 5 months ago
It was. The overhaul is called Facebook.
@thewhitefalcon8539 5 months ago
BTW email protocols make a lot more sense when you understand the history. An email is a file, originally just on one computer, then they created ways to send them between different computers, but there wasn't an Internet so there had to be relaying.
@ulaB 5 months ago
@@supernenechi I wish this was still true. These days global players like Google, Microsoft, etc. dictate how everybody else is allowed to send email while being the biggest sources of issues in the first place.
@ThiloNorris 5 months ago
Can we just give props for GMX again at this point? :)
@JacquesBoscq 5 months ago
Cisco acting like normal with the "it's not a bug, it's a feature" is aligned with their security policy: utterly bad.
@useruser-ti1og 5 months ago
Microsoft be like: Well it's not an RCE on global infrastructure containing all user-data so vulnerability class "moderate"
@adrasx6999 5 months ago
Cisco is so sad. The following is going to happen now: People update their configurations, everything is safe. New servers with the default configuration arise because people don't care about the issue, since it was fixed. Since hackers regularly scan for "is this really fixed" and "is somebody so stupid to use the default configuration", this will explode again. Good job Cisco!
@d0m186 5 months ago
Great talk! I'm amazed that we still use emails as the main means of business communication with all these insecurities, bugs, and vulnerabilities. It is also quite devastating to see how these big companies react to such a huge flaw in their implementations.
@a4d9 5 months ago
Well, it is an open standard, not owned by a single company. Anyone can send and receive emails, without any subscription. It has built in support for devices that aren't always connected.
@masterchief133742 5 months ago
Jokes on you, we use fax /s
@tobiaspott 5 months ago
What a great talk. Interesting (and slightly worrying topic) but on point and well presented. Definitely worth a watch (or more ^^)
@MrZombastic 4 months ago
I've used this about three years ago and did this in my school for the application security projects. Not that extensively though, but the general idea was the same. At the time I definitely wasn't super knowledgeable yet about a lot of stuff, but I looked at the SMTP protocol extensively because I've thought some kind of simple phishing attack would be good enough for the project. Well, this has definitely been used if I was able to get to it…
@joachimkoenen3952 5 months ago
Great presentation, thanks! One thing to add from my side: I believe this insane implementation of how to interpret CR LF was done on purpose to improve communication between different SMTP servers, since early implementations might have been not 100% compliant but communication should work anyhow between them. So small variants in typing have been actively accepted by implementing it into the parser.
@adrasx6999 5 months ago
How to hack any company (by Cisco) 1. Get hired in the target company 2. Change the existing configuration to the default one 3. Hack the shit out of the place 4. Blame the admin for using a default config 5. Leave company
@LukasRotermund 5 months ago
Wow, that's amazing Timo! Great work ❤ and some really interesting insights for me, because I'm trying to build my own experimental SMTP server
@renakunisaki 5 months ago
Microsoft: that's not a bug Homer: that part's _supposed_ to be on fire
@SadeN_0 5 months ago
Nice default feature, Cisco!
@yoente2690 5 months ago
As we learnt about the SMTP protocol in school, we found an unsecured server of another school and just sent them some mails (we were 16-17 and it was that easy)
@MaxJones123 5 months ago
Very well presented!
@tuskiie 5 months ago
insanely good talk!
@klausfischer3079 5 months ago
Great talk! It's just a pity that the content of the individual e-mails wasn't mentioned… As a blind person, I unfortunately couldn't laugh along at those points…
@Stefan-qk8sw 5 months ago
An e-mail from the Outlook admin to his colleagues saying that he is now the Outlook admin. With the colleagues' first reply "Oida" and the second reply "fuck, that's really perverse^^". 16:00 Then an e-mail from him as the CEO of his company to HR, in which he gives himself a raise. 18:00 And an e-mail from the iCloud admin asking a user to hand over his Apple device. 20:30 I think that's all :)
@Stefan-qk8sw 5 months ago
Wait, what? That's the absolute worst-case scenario! Is this still possible?
@MaxJones123 5 months ago
Great talk!
@My1xT 5 months ago
how would a dot on a single line within an email text be treated? are there escape sequences for that? or should the mailing program just ax that?
@alexpyattaev 5 months ago
There are escapes. Which probably have more bugs.
5 months ago
According to RFC 821 section 4.5.2 "Transparency": 1. Before sending a line of mail text the sender-SMTP checks the first character of the line. If it is a period, one additional period is inserted at the beginning of the line. 2. When a line of mail text is received by the receiver-SMTP it checks the line. If the line is composed of a single period it is the end of mail. If the first character is a period and there are other characters on the line, the first character is deleted.
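The transparency procedure quoted in the reply above, worked through on both sides of a DATA exchange as an added example (not code from the talk or from any commenter); the sample bodies and the trailing MAIL FROM / RCPT TO lines are constructed here, and the receiver shows the check that matters for the end-marker confusion the talk is about: only <CRLF>.<CRLF> ends the message.

```python
# Added example: RFC 821 section 4.5.2 "transparency" (dot-stuffing) for the
# sender-SMTP and a strict end-of-data parser for the receiver-SMTP.
# Sample bodies and the command lines after the terminator are constructed.
CRLF = b"\r\n"
END_OF_DATA = b"\r\n.\r\n"


def dot_stuff(body: bytes) -> bytes:
    """Sender-SMTP: normalise line endings to CRLF (bare LF/CR never reach the
    wire) and prefix an extra '.' to every line that starts with '.'."""
    lines = body.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    if lines and lines[-1] == b"":      # drop the empty piece after a final newline
        lines.pop()
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return CRLF.join(stuffed) + CRLF    # body now ends with CRLF


def receive_data(stream: bytes) -> tuple[bytes, bytes]:
    """Receiver-SMTP: cut the DATA stream at the first real terminator,
    <CRLF>.<CRLF>, and un-stuff leading periods. Anything else, including a
    lone LF '.' LF, stays inside the body. Returns (body, bytes after the
    terminator, i.e. the next SMTP commands)."""
    probe = CRLF + stream               # so an empty body (".\r\n") is found too
    idx = probe.find(END_OF_DATA)
    if idx < 0:
        raise ValueError("no <CRLF>.<CRLF> yet: keep reading, execute nothing")
    raw = probe[len(CRLF):idx]
    rest = probe[idx + len(END_OF_DATA):]
    lines = raw.split(CRLF) if raw else []
    body = CRLF.join(ln[1:] if ln.startswith(b".") else ln for ln in lines)
    return (body + CRLF if lines else b""), rest


def round_trip(body: bytes) -> bytes:
    """Sender stuffs, appends the terminator and a following command; the
    receiver must hand back exactly the original body."""
    wire = dot_stuff(body) + b".\r\n" + b"MAIL FROM:<next@example.invalid>\r\n"
    recovered, rest = receive_data(wire)
    assert rest == b"MAIL FROM:<next@example.invalid>\r\n"
    return recovered


if __name__ == "__main__":
    # A line that is just "." survives because the sender doubled it.
    print(round_trip(b"Hello\r\n.\r\nBye\r\n"))
    # A bare LF "." LF inside the data is NOT an end of mail for this receiver:
    # the would-be command stays in the body and nothing is executed.
    body, rest = receive_data(b"Hi\r\n\n.\nRCPT TO:<x@example.invalid>\r\n.\r\n")
    print(body, rest)
```

A receiver may additionally reject bare LF or CR in DATA outright rather than keeping them as body text; this parser only shows the minimum, which is to never treat anything but <CRLF>.<CRLF> as the terminator.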
@Phroggster 5 months ago
SMTP/MIME quoted printable encoding would suggest it to appear as: " =2E " There are various other transfer and character encodings out there, but quoted printable just uses a simple equals sign followed by the hex encoding of the character. As such, you may also see "=0D=0A.=0D=0A" (where the CRLFs are escaped) or a few other manglings of it, which is probably a reasonable attack vector worth further investigation, at least towards a provider at Cisco's level of "intelligence."
@labor4 5 months ago
Does that work with unauth inbound aka local delivery? In other words is this capable to relay?
@ludvigericson6930 5 months ago
No.
@mac1991seth 5 months ago
ID10T Error Detected. Nice.
@Lino1259 5 months ago
Timo Log in lmaooo
@gold-junge91 5 months ago
oh wow thanks man
@aGj2fiebP3ekso7wQpnd1Lhd 4 months ago
That's awesome
@gandalf1783 5 months ago
Mail spoofing is actually supposed to be prevented by SPF and the like, but now I'm even more curious what the guys are presenting here :)
@xvsun 5 months ago
;)
@kevindylla1528 5 months ago
Yeah, SPF is a tricky thing. Everyone first has to apply it correctly and actually check for it. Unfortunately, very hard to implement in practice
@My1xT 5 months ago
With SPF, all that's checked is whether the server has a correct IP and so on; if you can persuade the sending server to send a mail without being properly logged in, or if a receiving server implements the end marker incorrectly and interprets the rest as commands for a second mail, that's bad. And while DKIM would most likely fail for both mails, DMARC only requires SPF OR DKIM (which is why DMARC passes too).
@hoddelkind 5 months ago
@@kevindylla1528 SPF should be standard by now. No sympathy for those who haven't implemented it yet.
@der.Schtefan 5 months ago
If "everything in my data center" is OK, and "my data center" is the Azure cloud, then that's pointless ;)
@fletchercobb4398 5 months ago
This is wild
@DelkorYT 2 months ago
o7 Google for not being mentioned in this video
@supernenechi 5 months ago
Holy shit.
@binxyde 5 months ago
This is really scary 😪
@My1xT 5 months ago
was local exchange affected, and was it fixed
@mooseriderwpg9586 5 months ago
27:07😂😂😂
@joe-mama6451 5 months ago
Technical debt. Patch patch patch. No reason to revamp and refactor.
@pmarsec 5 months ago
if you're so big that you can rationalize calling this a feature, then maybe you shouldn't be allowed in the security space (cough cough cisco)
@0oAskeo0 5 months ago
Nothing else expected from Cisco
@DraconicKobold 5 months ago
I haven't understood half of the things said here, but I wish I did.
@rusus767 5 months ago
Why did he start talking like sponge bob lol
@jacobsan 5 months ago
Ben shapiro 😂