oss-sec mailing list archives
Re: Re: New SMTP smuggling attack
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Sat, 23 Dec 2023 00:40:06 +0800
On Fri, Dec 22, 2023 at 11:57 PM Rodrigo Freire <rfreire () redhat com> wrote:
> On Fri, Dec 22, 2023 at 12:10 PM Erik Auerswald <auerswal () unix-ag uni-kl de> wrote:
> > * The CERT/CC and VINCE involvement resulted in "there is no vulnerability".
>
> I'm trying to make sense of it - where's the compromise of the Confidentiality, Integrity or Availability of the affected mail servers?

The integrity of the sender's identity, as a minimum, is compromised here. Normally, when relaying mail, servers add a "Received:" header that specifies where they received the connection from. This allows tracking down the true origin of the message. The smuggled message does not have such a header and thus misrepresents the vulnerable relay as the ultimate sender. Additionally, if the relay has destination-based deny lists that deny some but not all addresses on the destination domain, they are sidestepped.

--
Alexander E. Patrakov
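
The missing "Received:" stamp described in the message above can be checked on the receiving side. The following is an added example, not part of the original post: it flags mail handed over by a known relay that carries no "Received:" header stamped by that relay. The hostnames, the sample messages and the `known_relays` set are constructed for illustration.

```python
import re
from email import message_from_string

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def received_hops(raw):
    """Return [(from_host, by_host), ...] for each Received header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        f, b = FROM_RE.search(flat), BY_RE.search(flat)
        hops.append((f.group(1).lower() if f else None,
                     b.group(1).lower() if b else None))
    return hops

def relay_stamp_missing(raw, known_relays):
    """True if the peer named in our own (topmost) Received header is a known
    relay, yet no older header shows that relay accepting the message.
    Assumption: the topmost header was written by our own MX. The name after
    'from' is the HELO name; a production check should use the verified peer
    name or address that the MX records in parentheses."""
    hops = received_hops(raw)
    if not hops or hops[0][0] not in known_relays:
        return False
    peer = hops[0][0]
    return all(by != peer for _, by in hops[1:])

# Constructed sample: relayed normally, the relay stamped its own hop.
NORMAL = (
    "Received: from relay.example.org (relay.example.org [192.0.2.10])\n"
    "\tby mx.example.net (MTA) with ESMTPS id A1;\n"
    "\tFri, 22 Dec 2023 16:40:07 +0000\n"
    "Received: from client.example.org (client.example.org [198.51.100.7])\n"
    "\tby relay.example.org (MTA) with ESMTPSA id B2;\n"
    "\tFri, 22 Dec 2023 16:40:06 +0000\n"
    "From: alice@example.org\nSubject: hello\n\nbody\n"
)
# Constructed sample: arrived from the relay, but the relay never stamped it.
SMUGGLED = (
    "Received: from relay.example.org (relay.example.org [192.0.2.10])\n"
    "\tby mx.example.net (MTA) with ESMTPS id A2;\n"
    "\tFri, 22 Dec 2023 16:40:07 +0000\n"
    "From: ceo@example.org\nSubject: urgent\n\nbody\n"
)

if __name__ == "__main__":
    relays = {"relay.example.org"}
    print(relay_stamp_missing(NORMAL, relays), relay_stamp_missing(SMUGGLED, relays))
```

The check only makes sense for peers that are known to be relays; a host that originates mail itself legitimately has no earlier hop.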