37C3 - SMTP Smuggling - Spoofing E-Mails Worldwide

  • Published: 2 Oct 2024
  • media.ccc.de/v...
    Introducing a novel technique for e-mail spoofing.
    SMTP, the Simple Mail Transfer Protocol, has allowed e-mailing since 1982. This easily makes it one of the oldest technologies on the Internet. However, even though it seems to have stood the test of time, there was still a trivial but novel exploitation technique just waiting to be discovered - SMTP smuggling!
    In this talk, we’ll explore how SMTP smuggling breaks the interpretation of the SMTP protocol in vulnerable server constellations worldwide, allowing some more than unwanted behavior. Sending e-mails as admin@microsoft.com to Fortune 500 companies - while still passing SPF checks - will be the least of our problems!
    From identifying this novel technique to exploiting it in one of the most used e-mail services on the Internet, we’ll dive into all the little details this attack has to offer. In this talk, we’ll embark on an expedition beyond the known limits of SMTP and venture into the uncharted territories of SMTP smuggling!
    Timo Longin
    events.ccc.de/...
    #37c3 #Security

Comments • 62

  • @dinoscheidt
    @dinoscheidt 9 months ago +144

    23:05
    Admin at Cisco:
    Dear Cisco, I shouldn’t be able to do this.
    Admin at Cisco:
    No. This is a feature.

    • @Olaxan4
      @Olaxan4 9 months ago +5

      And now *I* am the admin@cisco!

  • @SMURFPICTURES
    @SMURFPICTURES 9 months ago +60

    the arrogance of some companies makes me angry. great talk and congrats on that find!

  • @ThiloNorris
    @ThiloNorris 9 months ago +63

    Can we just give props for GMX again at this point? :)

  • @useruser-ti1og
    @useruser-ti1og 9 months ago +25

    Microsoft be like: Well it's not an RCE on global infrastructure containing all user-data so vulnerability class "moderate"

  • @JacquesBoscq
    @JacquesBoscq 9 months ago +23

    Cisco acting like normal with the "it's not a bug, it's a feature" is aligned with their security policy: utterly bad.

  • @tobiaspott
    @tobiaspott 9 months ago +31

    What a great talk. Interesting (and slightly worrying topic) but on point and well presented. Definitely worth a watch (or more ^^)

  • @fraenkiboii
    @fraenkiboii 9 months ago +119

    Jesus. Mail needs an overhaul sooner than later. Everything that's been done since the 80s to prevent stuff like this from happening has been a workaround.

    • @supernenechi
      @supernenechi 9 months ago +42

      Disagree. Highly highly disagree, because of one main reason. The entire email system is a gloriously democratised system, it's very decentralized. If email were invented today, you couldn't send emails between providers, as if it were between WhatsApp and iMessage.
      Email is one of the best systems ever designed, and the SMTP RFC standard is correct and safe, at least from this vulnerability! It's bad implementations that caused this!

    • @iotkualt
      @iotkualt 9 months ago +9

      Is it even possible to create another widespread standardized protocol like SMTP (but not broken) which isn't owned by a major company? It feels like at this point our only choice is to stick with ancient insecure protocols or deal with lock-in and neither choice is good.

    • @thewhitefalcon8539
      @thewhitefalcon8539 9 months ago

      It was. The overhaul is called Facebook.

    • @thewhitefalcon8539
      @thewhitefalcon8539 9 months ago +7

      BTW email protocols make a lot more sense when you understand the history. An email is a file, originally just on one computer, then they created ways to send them between different computers, but there wasn't an Internet so there had to be relaying.

    • @ulaB
      @ulaB 9 months ago +7

      @@supernenechi I wish this was still true. These days global players like Google, Microsoft, etc. dictate how everybody else is allowed to send email while being the biggest sources of issues in the first place.

  • @adrasx6999
    @adrasx6999 9 months ago +9

    Cisco is so sad. The following is going to happen now: People update their configurations, everything is safe. New servers with the default configuration arise because people don't care about the issue, since it was fixed. Since hackers regularly scan for "is this really fixed" and "is somebody so stupid to use the default configuration", this will explode again. Good job, Cisco!

  • @adrasx6999
    @adrasx6999 9 months ago +6

    How to hack any company (by Cisco)
    1. Get hired in the target company
    2. Change the existing configuration to the default one
    3. Hack the shit out of the place
    4. Blame the admin for using a default config
    5. Leave company

  • @MrZombastic
    @MrZombastic 8 months ago +4

    I've used this about three years ago and did this in my school for the application security projects. Not that extensively though, but the general idea was the same.
    At the time I definitely wasn't super knowledgeable yet about a lot of stuff, but I looked at the SMTP protocol extensively because I've thought some kind of simple phishing attack would be good enough for the project.
    Well, this has definitely been used if I was able to get to it…

  • @LukasRotermund
    @LukasRotermund 9 months ago +4

    Wow, that's amazing Timo! Great work ❤ and some really interesting insights for me, because I'm trying to build my own experimental SMTP server

  • @d0m186
    @d0m186 9 months ago +17

    Great talk! I'm amazed that we still use emails as the main means of business communication with all these insecurities, bugs, and vulnerabilities. It is also quite devastating to see how these big companies react to such a huge flaw in their implementations.

    • @a4d9
      @a4d9 8 months ago

      Well, it is an open standard, not owned by a single company. Anyone can send and receive emails, without any subscription. It has built in support for devices that aren't always connected.

    • @masterchief133742
      @masterchief133742 8 months ago +1

      Jokes on you, we use fax /s

  • @Stefan-qk8sw
    @Stefan-qk8sw 9 months ago +8

    Excuse me, what? That's the absolute worst-case scenario! Is this still possible?

  • @joachimkoenen3952
    @joachimkoenen3952 9 months ago +6

    Great presentation, thanks! One thing to add from my side: I believe this insane implementation of how to interpret CR LF was done on purpose to improve communication between different SMTP servers, since early implementations might not have been 100% compliant but communication should work anyhow between them. So small variants in typing have been actively accepted by implementing them into the parser.

  • @klausfischer3079
    @klausfischer3079 9 months ago +20

    Great talk! Just a shame that the content of the individual e-mails wasn't mentioned… As a blind person I unfortunately couldn't laugh along at those points…

    • @Stefan-qk8sw
      @Stefan-qk8sw 9 months ago +30

      An e-mail from the Outlook admin to his colleagues saying that he is now the Outlook admin. With the first reply from the colleagues being "Oida" and the second reply "fuck, that's really perverse^^". 16:00
      Then an e-mail from him as the CEO of his company to HR, in which he gives himself a pay rise. 18:00
      And an e-mail from the iCloud admin asking a user to hand over his Apple device. 20:30
      I think that was all :)

  • @SadeN_0
    @SadeN_0 9 months ago +4

    Nice default feature, Cisco!

  • @renakunisaki
    @renakunisaki 8 months ago +2

    Microsoft: that's not a bug
    Homer: that part's _supposed_ to be on fire

  • @DelkorYT
    @DelkorYT 5 months ago

    o7 Google for not being mentioned in this video

  • @yoente
    @yoente 8 months ago +1

    As we learnt about the SMTP protocol in school, we found an unsecured server of another school and just sent them some mails (we were 16-17 and it was that easy)

  • @My1xT
    @My1xT 9 months ago +12

    How would a dot on a single line within an email text be treated? Are there escape sequences for that? Or should the mailing program just axe that?

    • @alexpyattaev
      @alexpyattaev 9 months ago +1

      There are escapes. Which probably have more bugs.

    •  9 months ago +7

      According to RFC 821 section 4.5.2 "Transparency":
      1. Before sending a line of mail text the sender-SMTP checks the first character of the line. If it is a period, one additional period is inserted at the beginning of the line.
      2. When a line of mail text is received by the receiver-SMTP it checks the line. If the line is composed of a single period it is the end of mail. If the first character is a period and there are other characters on the line, the first character is deleted.
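      The transparency rules quoted above, as an added example that is not from the talk or from any commenter: a sender-side dot-stuffing routine and a receiver that ends DATA only on the exact <CRLF>.<CRLF> sequence, with a flag that models a non-compliant receiver which also accepts <LF>.<LF> (the misread end marker the thread discusses). The function names and sample bodies are my own assumptions.

```python
# Added example (not from the talk or the thread): RFC 821 section 4.5.2
# "Transparency" on both sides of an SMTP connection, plus the end-of-data rule
# a compliant receiver must follow. All sample bodies are constructed.
CRLF = "\r\n"
END_OF_DATA = "\r\n.\r\n"          # the only valid DATA terminator


def dot_stuff(body: str) -> str:
    """Sender-SMTP: every line that begins with '.' gets one extra '.' in front."""
    return CRLF.join(
        ("." + line) if line.startswith(".") else line for line in body.split(CRLF)
    )


def receive_data(stream: str, strict: bool = True):
    """Receiver-SMTP: consume the DATA payload from `stream`.

    Returns (body, remainder). With strict=True the message ends only at the
    exact sequence <CRLF>.<CRLF>; a bare LF around a lone period is ordinary
    mail text. strict=False models a non-compliant receiver that also accepts
    <LF>.<LF>: it ends the message early and leaves the rest of the stream to
    be read as further commands. Leading dots are un-stuffed either way.
    """
    terminators = [END_OF_DATA] if strict else [END_OF_DATA, "\n.\n"]
    # The CRLF that ended the DATA command counts as the first line break.
    framed = CRLF + stream
    hits = [i for i in (framed.find(t) for t in terminators) if i >= 0]
    if not hits:
        raise ValueError("DATA not terminated with <CRLF>.<CRLF>")
    idx = min(hits)
    used = next(t for t in terminators if framed.startswith(t, idx))
    raw = framed[len(CRLF):idx]
    remainder = framed[idx + len(used):]
    # Un-stuff: a received line that starts with '.' loses that first '.'.
    body = CRLF.join(
        line[1:] if line.startswith(".") else line for line in raw.split(CRLF)
    )
    return body, remainder


def send_wire(body: str) -> str:
    """What the sender puts on the wire after the 354 reply to DATA."""
    return dot_stuff(body) + END_OF_DATA


if __name__ == "__main__":
    lone_dot = "Hi\r\n.\r\n..dots\r\nbye"               # constructed body
    assert receive_data(send_wire(lone_dot)) == (lone_dot, "")
    bare_lf = "part one\n.\npart two"                    # constructed body
    print(receive_data(send_wire(bare_lf)))              # strict: whole body kept
    print(receive_data(send_wire(bare_lf), strict=False))  # lenient: split early
```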

    • @Phroggster
      @Phroggster 9 months ago

      SMTP/MIME quoted printable encoding would suggest it to appear as: "
      =2E
      "
      There are various other transfer and character encodings out there, but quoted printable just uses a simple equals sign followed by the hex encoding of the character. As such, you may also see "=0D=0A.=0D=0A" (where the CRLFs are escaped) or a few other manglings of it, which is probably a reasonable attack vector worth further investigation, at least towards a provider at Cisco's level of "intelligence."

  • @Lino1259
    @Lino1259 9 months ago +6

    Timo Log in lmaooo

  • @supernenechi
    @supernenechi 9 months ago +3

    Holy shit.

  • @gandalf1783
    @gandalf1783 9 months ago +8

    Mail spoofing should actually be prevented by SPF and the like, but now I'm even more curious what the guys here are presenting :)

    • @xvsun
      @xvsun 9 months ago

      ;)

    • @kevindylla1528
      @kevindylla1528 9 months ago +3

      Yeah, SPF is a bit of a thing. Everyone first has to apply it correctly and actually check for it. Unfortunately very hard to implement in practice

    • @My1xT
      @My1xT 9 months ago +6

      With SPF only whether the server has a correct IP and so on is checked; if you can persuade the sending server to send a mail without being properly logged in, or if a receiving server implements the end marker incorrectly and interprets the rest as commands for a 2nd mail, that's bad.
      And while DKIM would pretty certainly fail for both mails, DMARC only requires SPF OR DKIM. (That's why DMARC passes too.)

    • @hoddelkind
      @hoddelkind 9 months ago

      @@kevindylla1528 SPF should be standard by now. No sympathy for those who haven't implemented it yet.

    • @der.Schtefan
      @der.Schtefan 9 months ago

      If "everything in my data center" is OK, and "my data center" is the Azure cloud, then that's pointless ;)

  • @MaxJones123
    @MaxJones123 8 months ago

    Great talk!

  • @mac1991seth
    @mac1991seth 9 months ago +1

    ID10T Error Detected.
    Nice.

  • @labor4
    @labor4 9 months ago +1

    Does that work with unauth inbound, aka local delivery? In other words, is it capable of relaying?

  • @joe-mama6451
    @joe-mama6451 8 months ago

    Technical debt. Patch patch patch. No reason to revamp and refactor.

  • @tuskiie
    @tuskiie 9 months ago +1

    insanely good talk!

  • @aGj2fiebP3ekso7wQpnd1Lhd
    @aGj2fiebP3ekso7wQpnd1Lhd 8 months ago

    That's awesome

  • @mooseriderwpg9586
    @mooseriderwpg9586 8 months ago

    27:07😂😂😂

  • @MaxJones123
    @MaxJones123 8 months ago

    Very well presented!

  • @gold-junge91
    @gold-junge91 9 months ago

    oh wow thanks man

  • @fletchercobb4398
    @fletchercobb4398 9 months ago

    This is wild

  • @binxyde
    @binxyde 9 months ago

    This is really scary 😪

  • @My1xT
    @My1xT 9 months ago +2

    Was local Exchange affected, and was it fixed?

  • @pmarsec
    @pmarsec 8 months ago

    if you're so big that you can rationalize calling this a feature, then maybe you shouldn't be allowed in the security space (cough cough cisco)

  • @BaneneBaum
    @BaneneBaum 9 months ago +2

    Expected nothing else from Cisco

  • @DraconicKobold
    @DraconicKobold 8 months ago +1

    I haven't understood half of the things said here, but I wish I did.

  • @rusus767
    @rusus767 9 months ago +1

    Why did he start talking like sponge bob lol

    • @jacobsan
      @jacobsan 9 months ago

      Ben shapiro 😂