37C3 - SMTP Smuggling - Spoofing E-Mails Worldwide
media.ccc.de/v/37c3-11782-smt...
Introducing a novel technique for e-mail spoofing.
SMTP, the Simple Mail Transfer Protocol, has carried e-mail since 1982. That easily makes it one of the oldest technologies on the Internet. However, even though it seems to have stood the test of time, a trivial but novel exploitation technique was still waiting to be discovered: SMTP smuggling!
In this talk, we’ll explore how SMTP smuggling breaks the interpretation of the SMTP protocol in vulnerable server constellations worldwide, allowing some very unwanted behavior. Sending e-mails as admin@microsoft.com to Fortune 500 companies, while still passing SPF checks, will be the least of our problems!
From identifying this novel technique to exploiting it in one of the most used e-mail services on the Internet, we’ll dive into all the little details this attack has to offer. So, in this talk, we’ll embark on an expedition beyond the known limits of SMTP and venture into the uncharted territories of SMTP smuggling!
Timo Longin
events.ccc.de/congress/2023/h...
#37c3 #Security
Comments: 62
23:05 Admin at Cisco: Dear Cisco, I shouldn’t be able to do this. Admin at Cisco: No. This is a feature.
@Olaxan4
6 months ago
And now *I* am the admin@cisco!
The arrogance of some companies makes me angry. Great talk and congrats on that find!
Can we just give props for GMX again at this point? :)
Jesus. Mail needs an overhaul sooner than later. Everything that's been done since the 80s to prevent stuff like this from happening has been a workaround.
@supernenechi
6 months ago
Disagree. Highly highly disagree, because of one main reason. The entire email system is a gloriously democratised system, it's very decentralized. If email were invented today, you couldn't send emails between providers, as if it were between WhatsApp and iMessage. Email is one of the best systems ever designed, and the SMTP RFC standard is correct and safe, at least from this vulnerability! It's bad implementations that caused this!
@iotkualt
6 months ago
Is it even possible to create another widespread standardized protocol like SMTP (but not broken) which isn't owned by a major company? It feels like at this point our only choice is to stick with ancient insecure protocols or deal with lock-in and neither choice is good.
@thewhitefalcon8539
6 months ago
It was. The overhaul is called Facebook.
@thewhitefalcon8539
6 months ago
BTW email protocols make a lot more sense when you understand the history. An email is a file, originally just on one computer, then they created ways to send them between different computers, but there wasn't an Internet so there had to be relaying.
@ulaB
6 months ago
@supernenechi I wish this was still true. These days global players like Google, Microsoft, etc. dictate how everybody else is allowed to send email while being the biggest sources of issues in the first place.
Cisco acting like normal with the "it's not a bug, it's a feature" is aligned with their security policy: utterly bad.
Microsoft be like: Well it's not an RCE on global infrastructure containing all user-data so vulnerability class "moderate"
Cisco is so sad. The following is going to happen now: people update their configurations, everything is safe. New servers with the default configuration arise because people don't care about the issue, since it was fixed. Since hackers regularly scan for "is this really fixed" and "is somebody so stupid to use the default configuration", this will explode again. Good job, Cisco!
What a great talk. Interesting (and slightly worrying topic) but on point and well presented. Definitely worth a watch (or more ^^)
Great talk! I'm amazed that we still use emails as the main means of business communication with all these insecurities, bugs, and vulnerabilities. It is also quite devastating to see how these big companies react to such a huge flaw in their implementations.
@a4d9
6 months ago
Well, it is an open standard, not owned by a single company. Anyone can send and receive emails, without any subscription. It has built in support for devices that aren't always connected.
@masterchief133742
6 months ago
Jokes on you, we use fax /s
I've used this about three years ago and did this in my school for the application security projects. Not that extensively though, but the general idea was the same. At the time I definitely wasn't super knowledgeable yet about a lot of stuff, but I looked at the SMTP protocol extensively because I'd thought some kind of simple phishing attack would be good enough for the project. Well, this has definitely been used if I was able to get to it…
Great presentation, thanks! One thing to add from my side: I believe this insane implementation of how to interpret CR LF was done on purpose to improve communication between different SMTP servers, since early implementations might have been not 100% compliant but communication should work anyhow between them. So small variants in typing have been actively accepted by implementing it into the parser.
Wow, that's amazing Timo! Great work ❤ and some really interesting insights for me, because I'm trying to build my own experimental SMTP server.
Microsoft: that's not a bug Homer: that part's _supposed_ to be on fire
When we learnt about the SMTP protocol in school, we found an unsecured server of another school and just sent them some mails (we were 16-17 and it was that easy).
Nice default feature, Cisco!
How to hack any company (by Cisco)
1. Get hired in the target company
2. Change the existing configuration to the default one
3. Hack the shit out of the place
4. Blame the admin for using a default config
5. Leave company
insanely good talk!
Very well presented!
Great talk!
How would a dot on a single line within an email text be treated? Are there escape sequences for that? Or should the mailing program just axe that?
@alexpyattaev
6 months ago
There are escapes. Which probably have more bugs.
6 months ago
According to RFC 821 section 4.5.2 "Transparency":
1. Before sending a line of mail text the sender-SMTP checks the first character of the line. If it is a period, one additional period is inserted at the beginning of the line.
2. When a line of mail text is received by the receiver-SMTP it checks the line. If the line is composed of a single period it is the end of mail. If the first character is a period and there are other characters on the line, the first character is deleted.
@Phroggster
6 months ago
SMTP/MIME quoted printable encoding would suggest it to appear as: " =2E " There are various other transfer and character encodings out there, but quoted printable just uses a simple equals sign followed by the hex encoding of the character. As such, you may also see "=0D=0A.=0D=0A" (where the CRLFs are escaped) or a few other manglings of it, which is probably a reasonable attack vector worth further investigation, at least towards a provider at Cisco's level of "intelligence."
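The RFC 821 transparency rule quoted two comments up and the quoted-printable point in this one, worked through as an added Python example that is not part of the thread or of the talk. It implements sender-side dot-stuffing, a strict receiver that ends DATA only at an exact <CRLF>.<CRLF>, a lenient receiver that also accepts a bare <LF>.<LF> (the mismatch the talk describes), and a quoted-printable body whose "=0D=0A.=0D=0A" only turns into CRLF.CRLF after MIME decoding. All function names and sample messages are constructed here; nothing is taken from a real server's code.

```python
"""Added example: RFC 821 section 4.5.2 transparency (dot-stuffing), a strict and a
lenient end-of-data parser, and quoted-printable decoding of the delivered body.
Function names and sample messages are constructed for this example."""
from __future__ import annotations
import quopri
import re

CRLF = b"\r\n"
END_OF_DATA = b"\r\n.\r\n"                  # RFC 821/5321 end-of-mail indicator
LENIENT_END = re.compile(rb"\r?\n\.\r?\n")  # also matches a bare LF . LF


def stuff(body: bytes) -> bytes:
    """Sender-SMTP transparency: normalise every line ending to CRLF, then put an
    extra period in front of any line that starts with one (RFC 821 4.5.2 step 1).
    The normalisation is what keeps a bare LF . LF inside the body from reaching
    the wire unchanged."""
    lines = body.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n")
    return CRLF.join(b"." + l if l.startswith(b".") else l for l in lines)


def wire_data(body: bytes) -> bytes:
    """Bytes sent after the DATA command: stuffed body, CRLF, then the lone period."""
    stuffed = stuff(body)
    if not stuffed.endswith(CRLF):
        stuffed += CRLF
    return stuffed + b"." + CRLF


def _unstuff(raw: bytes) -> bytes:
    """Receiver-SMTP transparency (step 2): drop the leading period from every line
    that has one; the single-period line was already consumed as the marker."""
    if not raw:
        return b""
    lines = raw.split(CRLF)
    return CRLF.join(l[1:] if l.startswith(b".") else l for l in lines) + CRLF


def read_data(stream: bytes) -> tuple[bytes, bytes]:
    """Strict receiver: the message ends only at an exact <CRLF>.<CRLF>.
    Returns (message body, bytes left in the stream after the marker). The DATA
    command's own CRLF is prepended so that an empty message also terminates."""
    buf = CRLF + stream
    idx = buf.find(END_OF_DATA)
    if idx == -1:
        raise ValueError("no <CRLF>.<CRLF> terminator yet; keep reading")
    return _unstuff(buf[len(CRLF):idx]), buf[idx + len(END_OF_DATA):]


def lenient_read_data(stream: bytes) -> tuple[bytes, bytes]:
    """Lenient receiver: also treats <LF>.<LF> without CRs as end of data. Paired
    with a sender that does not stuff such a line, everything after the bare marker
    is handed back to the command parser, i.e. it becomes a second message."""
    buf = CRLF + stream
    m = LENIENT_END.search(buf)
    if m is None:
        raise ValueError("no terminator yet; keep reading")
    return _unstuff(buf[len(CRLF):m.start()]), buf[m.end():]


def decode_qp_body(body: bytes) -> bytes:
    """MIME layer, applied only after DATA has ended: "=0D=0A.=0D=0A" becomes
    CRLF.CRLF here, inside the already delivered message, never on the SMTP wire."""
    return quopri.decodestring(body)


if __name__ == "__main__":
    raw = b"legit\n.\nMAIL FROM:<x>\r\n"  # constructed body containing a bare LF . LF
    print(lenient_read_data(raw))       # lenient receiver on unstuffed bytes: two pieces
    print(read_data(wire_data(raw)))    # stuffed by a compliant sender: one message
    print(decode_qp_body(read_data(wire_data(b"Text=0D=0A.=0D=0AMore"))[0]))
```

The two receivers agree as soon as the sending side stuffs correctly, which is why fixing the outbound server alone already closes the gap; the strict receiver additionally refuses to end DATA on a bare LF sequence, so it stays safe even behind a non-compliant sender. Because the quoted-printable body reaches the MIME decoder only after the strict parser has returned, the decoded CRLF.CRLF never touches the command parser.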
Great talk! Just a pity that the content of the individual e-mails wasn't mentioned… As a blind person I unfortunately couldn't laugh along at those spots…
@Stefan-qk8sw
6 months ago
An e-mail from the Outlook admin to his colleagues saying that he is now the Outlook admin. The colleagues' first reply is "Oida" and the second reply "fuck, that's really perverse^^". 16:00 Then an e-mail from him as the CEO of his company to HR, in which he gives himself a raise. 18:00 And an e-mail from the iCloud admin asking a user to hand over his Apple device. 20:30 I think that was all :)
Excuse me, what? That's the absolute worst-case scenario! Is this still possible?
That's awesome
Mail spoofing should actually be prevented by SPF and the like, but now I'm even more curious what the guys present here :)
@xvsun
6 months ago
;)
@kevindylla1528
6 months ago
Yeah, SPF is one of those things. Everyone first has to apply it correctly and actually check for it. Unfortunately very hard to implement in practice.
@My1xT
6 months ago
With SPF, only whether the server has a correct IP and so on is checked. If you can persuade the sending server to send a mail without being correctly logged in, or if a receiving server implements the end marker wrongly and interprets the rest as commands for a 2nd mail, that's bad. And while DKIM would pretty surely fail for both mails, DMARC only requires SPF OR DKIM. (That's why DMARC passes too.)
@hoddelkind
6 months ago
@kevindylla1528 SPF should be standard by now. No sympathy for those who haven't implemented it yet.
@der.Schtefan
6 months ago
If "everything in my data center" is OK, and "my data center" is the Azure cloud, then that's pointless ;)
oh wow thanks man
Timo Log in lmaooo
This is wild
ID10T Error Detected. Nice.
Does that work with unauth inbound, aka local delivery? In other words, is this capable of relaying?
@ludvigericson6930
6 months ago
No.
Holy shit.
This is really scary 😪
o7 Google for not being mentioned in this video
Was local Exchange affected, and was it fixed?
27:07😂😂😂
Technical debt. Patch patch patch. No reason to revamp and refactor.
if you're so big that you can rationalize calling this a feature, then maybe you shouldn't be allowed in the security space (cough cough cisco)
Expected nothing else from Cisco.
I haven't understood half of the things said here, but I wish I did.
Why did he start talking like sponge bob lol
@jacobsan
6 months ago
Ben shapiro 😂