oss-sec mailing list archives

Re: New SMTP smuggling attack


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 22 Dec 2023 13:11:02 +0100

In case this helps:

SEC Consult has not published a test tool, and it seems they have not
tested many mailservers.

I have tried to understand the attack, and came up with a preliminary
test script myself:
https://github.com/hannob/smtpsmug

This is pretty much work in progress, not really documented, and I am
still unsure what exactly the "right" behavior should be.
But I'm sharing it in case it helps others. I may or may not update /
improve it in the coming days.

By default it tests whether a server accepts the <lf>.<lf> behavior.
For testing the sending side, you will need to set up a receiving server
and analyze it manually.


-- 
Hanno Böck
https://hboeck.de/
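As an added illustration of the parsing differential the script above tests for (example code written for this archive page, not part of smtpsmug or the original message), this Python snippet finds where a strict CRLF.CRLF parser and a lenient one that also accepts LF.LF would end a DATA section, and reports the bytes a lenient receiver would go on to read as further commands; the sample input is constructed.

```python
import re

# Strict RFC 5321 end-of-data is CRLF "." CRLF.  Lenient receivers also
# accept a bare LF "." LF, the <lf>.<lf> case mentioned above.
STRICT_TERMINATOR = re.compile(rb"\r\n\.\r\n")
LENIENT_TERMINATOR = re.compile(rb"(?:\r\n|\n)\.(?:\r\n|\n)")


def end_of_data(stream: bytes, pattern: re.Pattern) -> tuple:
    """Locate the DATA terminator in `stream` (bytes sent after "DATA\\r\\n").

    Returns (start, end): `start` is the offset where the terminator begins
    (where the message body ends), `end` the first offset after it.  A
    leading CRLF is assumed, so ".\\r\\n" at offset 0 counts as a terminator.
    Returns (-1, -1) when no terminator is present.
    """
    m = pattern.search(b"\r\n" + stream)
    if m is None:
        return (-1, -1)
    return (max(0, m.start() - 2), m.end() - 2)


def assess(stream: bytes) -> dict:
    """Compare where a strict and a lenient parser would end the message.

    When they disagree, everything between the lenient terminator and the
    strict one is data a lenient receiver would interpret as new SMTP
    commands: the parsing differential behind SMTP smuggling.
    """
    strict_start, strict_end = end_of_data(stream, STRICT_TERMINATOR)
    lenient_start, lenient_end = end_of_data(stream, LENIENT_TERMINATOR)
    differential = lenient_start != strict_start
    limit = strict_end if strict_end >= 0 else len(stream)
    return {
        "strict_end": strict_start,
        "lenient_end": lenient_start,
        "differential": differential,
        "after_lenient_end": stream[lenient_end:limit] if differential else b"",
    }


# Constructed sample: the only RFC-conformant terminator is the final
# CRLF.CRLF, but a bare LF.LF sequence appears part-way through the body.
SAMPLE = b"hello\r\n\n.\nAFTER\r\n.\r\n"

if __name__ == "__main__":
    print(assess(SAMPLE))
```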

