Damian via Postfix-users:
> If I remember correctly, on the wire there was \r\n\r\n.\r\r\n

That is not a viable spoofing attack pattern.

To understand why, recall that an authenticated attacker sends an
email message to email service A, that contains a non-standard
End-of-DATA in the middle followed by attempted spoofed SMTP commands
and message content shown as indented text.

    mail from:<attacker><CR><LF>
    rcpt to:<someone><CR><LF>
    data<CR><LF>
    message content
    non-standard End-of-DATA
        mail from:<spoofed><CR><LF>
        rcpt to:<victim><CR><LF>
        data<CR><LF>            <<== or BDAT if available
        message content
    real End-of-DATA

The attacker's goal is that email service A delivers the message to
someone at email service B. That service confuses the non-standard
End-of-DATA with a real End-of-DATA, and delivers a message from
<spoofed> to <victim>.

When the attack is successful, the attacker can impersonate any
sender in any email domain that is hosted at email service A, and
still pass the sender domain's SPF-based DMARC policy at email
service B.

Coming back to the attack pattern <CR><LF>.<CR><CR><LF>, or more
generally <CR><LF>.whatever: note that this has '.' at the start
of a line.

Mail service A, as required by RFC 5321, prepends a '.' to each
line that starts with '.'. What it sends to email service B is
(attempted spoofed commands and message shown indented):

    mail from:<attacker><CR><LF>
    rcpt to:<someone><CR><LF>
    data<CR><LF>
    message content
    <CR><LF>..whatever          <<== note the '..' here
        mail from:<spoofed><CR><LF>
        rcpt to:<victim><CR><LF>
        data<CR><LF>            <<== or BDAT if available
        message content
    real End-of-DATA

When email service B receives the <CR><LF>..whatever, there is no
confusion whether this is End-of-DATA. No message is delivered from
<spoofed> to <victim>; instead, someone received one email message
with SMTP commands in the middle.

In summary, this attack does not work. I'll update the stable
releases to pacify test tools, but that is a lower priority.

Meanwhile I'd request that tool developers avoid vulnerability
claims based on patterns that are not viable for spoofing attacks.

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
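The following is an added example (not code from the post or from Postfix) that models the two sides described above: service A dot-stuffing the stored message per RFC 5321 section 4.5.2, and a strict receiver at service B that only honours an exact <CR><LF>.<CR><LF>. The message bytes, addresses and function names are constructed for this demonstration.

```python
CRLF = b"\r\n"
END_OF_DATA = CRLF + b"." + CRLF      # the only terminator a strict receiver honours

def dot_stuff(body: bytes) -> bytes:
    """RFC 5321 4.5.2, as done by relaying service A: prepend '.' to every
    line that starts with '.'. Only CRLF delimits lines, so the bare CR in
    '<CR><LF>.<CR><CR><LF>' does not start a new line; the line '.<CR>'
    simply becomes '..<CR>'."""
    return CRLF.join(b"." + ln if ln.startswith(b".") else ln
                     for ln in body.split(CRLF))

def receive_data(wire: bytes) -> tuple[bytes, bytes]:
    """Strict receiver at service B: consume DATA content up to the first
    exact '<CR><LF>.<CR><LF>', un-stuff it, and return (body, leftover).
    Any near miss such as '<CR><LF>..<CR><CR><LF>' is ordinary body text."""
    stream = CRLF + wire                 # DATA content begins "after a CRLF"
    idx = stream.find(END_OF_DATA)
    if idx < 0:
        raise ValueError("End-of-DATA not seen yet; keep reading")
    body = stream[len(CRLF):idx]
    rest = stream[idx + len(END_OF_DATA):]
    unstuffed = CRLF.join(ln[1:] if ln.startswith(b".") else ln
                          for ln in body.split(CRLF))
    return unstuffed, rest

# Constructed message as stored at service A after the attacker's submission:
# a fake End-of-DATA '<CR><LF>.<CR><CR><LF>' followed by smuggled commands.
BODY_AT_A = (b"Subject: hello" + CRLF + CRLF + b"legit text" + CRLF
             + b".\r" + CRLF                      # '.' at the start of a line
             + b"MAIL FROM:<spoofed@a.example>" + CRLF
             + b"RCPT TO:<victim@b.example>" + CRLF
             + b"DATA" + CRLF + b"spoofed text")

def relay_and_receive() -> tuple[bytes, bytes, bytes]:
    """Service A dot-stuffs and terminates the message; service B parses it.
    Returns (bytes on the wire, body B delivers, bytes left over)."""
    wire = dot_stuff(BODY_AT_A) + END_OF_DATA
    body, rest = receive_data(wire)
    return wire, body, rest

if __name__ == "__main__":
    wire, body, rest = relay_and_receive()
    print(wire)                       # shows b'\r\n..\r\r\n' where the fake terminator was
    print(body == BODY_AT_A, rest)    # True b'': one message, with the commands inside it
```

The only <CR><LF>.<CR><LF> on the wire is the real End-of-DATA at the end, so B delivers exactly one message from the original envelope sender, with the attempted commands as body text.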