oss-sec mailing list archives

New SMTP smuggling attack

From: Marcus Meissner <meissner () suse de>
Date: Thu, 21 Dec 2023 15:36:33 +0100

Hi,

As if we did not have sufficient protocol vulnerability work short before
Christmas break this year, here is one more:

        https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

While it looks like "old stuff", this is new quality.

tldr: The end of "SMTP data phase" with "<CR><LF>.<CR><LF>" is not
consistently implemented everywhere (e.g. when leaving out <CR> or
inserting \0 or so) and could lead to one server passing it through and
the other processing it, leading to mail spoofing.

The security report it for some custom email servers, but at least
Postfix announced mitigation work already:

        https://www.mail-archive.com/postfix-users () postfix org/msg100901.html

Ciao, Marcus

Current thread:

New SMTP smuggling attack Marcus Meissner (Dec 21)
- Re: New SMTP smuggling attack Claus Assmann (Dec 21)
  - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
    - Re: Re: New SMTP smuggling attack Stuart Henderson (Dec 22)
    - Re: Re: New SMTP smuggling attack Marcus Meissner (Dec 22)
    - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Rodrigo Freire (Dec 22)
    - Re: Re: New SMTP smuggling attack Alexander E. Patrakov (Dec 22)
    - Re: Re: New SMTP smuggling attack Erik Auerswald (Dec 22)
    - Re: Re: New SMTP smuggling attack Stuart D Gathman (Dec 22)
    - Re: Re: New SMTP smuggling attack Harry Sintonen (Dec 22)

(Thread continues...)