/qmail

Explanatory video: https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide

"Smuggling" refers to illicit import; the name likens the technique of hiding malicious content inside an otherwise normal file and carrying it through to the act of smuggling goods.

Although mail service A sent only one message, mail service B mistakenly believes it received two messages.

/csoonline /Exim /smtpsmug

Re-study SMTP, and also look into its relationship with SPF. -- ToshinoriMaeno 2023-12-26 00:44:53

CVE-2023-51764 (Postfix), CVE-2023-51765 (sendmail), and CVE-2023-51766 (Exim).

/Postfix

https://halon.io/blog/what-you-need-to-know-about-smtp-smuggling

What are the security implications?

Failure to detect and prevent this exploit in your email infrastructure software can result in your systems being exploited to target other email systems.

The SEC paper showed how one very large email service (until it was corrected earlier this year) could be used to smuggle a message that claims to be from any other sender on their platform – such as the important-looking admin@domain.tld – to any recipient on their platform.

This deceptive message will successfully pass SPF checks because that sender’s address is on the same email platform.

Furthermore, the researchers demonstrated the ability to spoof any of approximately 1 million customer domains at that provider because the smuggled message will get an SPF “pass”.


1. SMTP Smuggling

SMTP Smuggling - Spoofing E-Mails Worldwide 18.12.2023

Introducing a novel technique for e-mail spoofing /sec-consult

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Threat actors could abuse vulnerable SMTP servers worldwide to send malicious e-mails from arbitrary e-mail addresses, allowing targeted phishing attacks. Due to the nature of the exploit itself, this type of vulnerability was dubbed SMTP smuggling. 
Multiple 0-days were discovered, and various vendors were notified during our responsible disclosure in 2023. 

Figure 6: Simple example of HTTP request smuggling by PortSwigger

2. GMX and Ionos

SMTP smuggling via GMX and Ionos e-mail services allowed SMTP smuggling from roughly 1.35 million different domains, as indicated by the domains pointing their MX record to Ionos (figure 30).

3. SMTP Smuggling?

The initial goal of this research was to test the SMTP protocol against some common and exotic attacks that work on other protocols, such as HTTP. Thanks to the contribution of many brilliant minds, there is a variety of HTTP attacks to choose from. However, in the context of SMTP, one of them just fit the bill. HTTP request smuggling!

If you want an in-depth explanation of HTTP request smuggling and all its facets, James Kettle (aka @albinowax) did a wonderful job on that. However, for now, we only need to understand the essentials!

With HTTP request smuggling, we're basically trying to exploit different interpretations of the same thing. For example, with discrepancies in the interpretation and processing of the "Content-Length" and "Transfer-Encoding" HTTP headers, an arbitrary HTTP request can be smuggled to an otherwise unreachable back-end server like in figure 6.
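As an added example (not from this page, the talk, or the quoted blog posts), here is a toy model of the "different interpretations of the same thing" in SMTP: the discrepancy that makes service A send one message while service B receives two. RFC 5321 ends DATA only with CRLF.CRLF; a receiver that also accepts a bare-LF variant such as LF.LF, fed by an outbound server that passes such a sequence through unchanged, ends the first message early and parses the rest of the body as a second transaction. The sample body, the example.com/example.net addresses, the receiver model and the sanitizer are all constructed for illustration.

```python
import re

# Constructed sample: the body a client hands to the outbound server.
# It contains a bare-LF "\n.\n" followed by text shaped like a second
# SMTP transaction. Nothing here is real traffic.
BODY = (
    b"legitimate text\r\n"
    b"\n.\n"                                   # bare LF.LF, not a valid EOD
    b"MAIL FROM:<admin@example.com>\r\n"       # looks like a new envelope
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"From: admin@example.com\r\n\r\nsmuggled text\r\n"
)

STRICT_EOD = re.compile(rb"\r\n\.\r\n")       # RFC 5321 end-of-data only
LENIENT_EOD = re.compile(rb"\r?\n\.\r?\n")    # also accepts bare-LF variants

def relay(body):
    """Outbound server model: wraps the body unchanged in one transaction
    that it terminates with the proper CRLF.CRLF (assumed behaviour)."""
    return (b"MAIL FROM:<user@example.com>\r\nRCPT TO:<victim@example.net>\r\n"
            b"DATA\r\n" + body + b"\r\n.\r\n")

def parse_transactions(stream, eod):
    """Minimal receiver model: read CRLF-terminated commands; after DATA,
    consume up to the first end-of-data match, then return to command mode.
    Returns [(envelope sender, raw body), ...] as this receiver sees them."""
    msgs, pos, sender = [], 0, None
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        line = stream[pos:nl] if nl != -1 else stream[pos:]
        pos = nl + 2 if nl != -1 else len(stream)
        if line.upper().startswith(b"MAIL FROM:"):
            sender = line[10:].strip().strip(b"<>").decode()
        elif line.upper() == b"DATA":
            m = eod.search(stream, pos - 2)   # the CRLF after DATA may count
            if m is None:
                break                          # unterminated DATA: nothing queued
            msgs.append((sender, stream[pos:m.start()]))
            pos = m.end()
    return msgs

def sanitize_outbound(body):
    """Sender-side mitigation: normalize bare LF to CRLF, then dot-stuff
    lines that start with '.', so no end-of-data-like sequence survives."""
    body = re.sub(rb"\r?\n", b"\r\n", body)
    return re.sub(rb"(^|\r\n)\.", rb"\1..", body)

def senders(msgs):
    """Envelope senders in the order the receiver queued them."""
    return [s for s, _ in msgs]
```

Running `senders(parse_transactions(relay(BODY), LENIENT_EOD))` shows the second, spoofed envelope that the strict parser never produces; the sanitized body yields a single message for both receivers.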



MoinQ: SMTP/Smuggling (last edited 2024-01-03 22:01:26 by ToshinoriMaeno)