BSidesVienna 0x7e8

SMTP Smuggling Revisited – Still Spoofing E-mails Worldwide?!
11-23, 14:10–14:40 (Europe/Vienna), Track 1 (Dachssal)

Since 1982, we have been sending e-mails across the globe with the Simple Mail Transfer Protocol (SMTP). Nevertheless, just last year, a simple yet crucial mistake in popular SMTP implementations was discovered, allowing for so-called SMTP smuggling. Have you ever wanted to send e-mails as [email protected] while still passing SPF checks? SMTP smuggling had you covered! However, with global fixes applied, this is now another story.

Therefore, building upon the knowledge established in the initial discovery, this talk delves deeper into the intricacies of SMTP smuggling, unveiling novel exploits and targeting unexpected attack surfaces. Starting from SMTP smuggling fundamentals, we’re analyzing theoretical and practical ways to once again send an e-mail as [email protected].

Hence, we again shine the light on SMTP and see what this protocol has left to offer!


  1. Introduction
    - The talk starts with a short introduction and a brief anecdote about finding vulnerabilities.
    - This transitions to a short story about SMTP smuggling and how this research happened in the first place.
  2. Covering the basics
    - Following the introduction, we’re then covering some SMTP basics, including SMTP infrastructure and some common terminology.
    - Based on this knowledge, we will go over SMTP smuggling theory and previous findings of the initial SMTP smuggling research, laying the foundation for further research to come.
  3. Test infrastructure and analysis methods
    - Here, we cover the tools and methods used to make SMTP analysis possible.
    - This includes the SMTP analysis tools available at https://github.com/The-Login/SMTP-Smuggling-Tools.
  4. Building upon SMTP smuggling
    - In this section, we’re going over potential theoretical SMTP attacks and attack surfaces, including:
      • Encoding Confusions
      • Line Length Breakout
      • Smuggling via BDAT
      • Smuggling dangerous/exotic SMTP commands
      • etc.
  5. The findings
    - With the knowledge gained from the previous sections, we can now move on to the somewhat unexpected findings.
    - Instead of classic SMTP smuggling, we look at software affected by a novel type of SMTP From header spoofing, namely SMTP header smuggling.
    - This includes e-mail services hosted by REDACTED and Apple (iCloud).
  6. Conclusion
    - We end the session with some closing words about SMTP (smuggling) vulnerabilities.

References: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/, https://www.youtube.com/watch?v=V8KPV96g1To, https://smtpsmuggling.com/

Timo Longin (also known as Login) is a senior security consultant at SEC Consult by day and a security researcher by night. Aside from everyday security assessments, he publishes blog posts and security tools, holds talks at conferences and universities, and has a passion for CTFs. His main focus is on web applications; yet, infrastructure and hardware are not safe from him either. For example, in his prior research, Timo discovered DNS vulnerabilities in web applications, hosting providers and even entire countries. However, most people know him for discovering SMTP smuggling. As a well-rounded offensive security researcher, he tries to find forgotten and new exploitation techniques that make the unthinkable possible!