SMTP, the Simple Mail Transfer Protocol, is the base email protocol that helps run the world today. Finding bugs in email servers could allow for terrible email spoofing and mass havoc. The SMTP protocol is newline based, similar to HTTP. Unlike HTTP, it has commands. These commands include setting the sender, recipient, subject and more. The sequence \r\n.\r\n marks the end of the message data.
HTTP smuggling is a vulnerability where two different interpreters of the protocol (nginx vs. Apache) interpret the incoming data differently. This leads to an attack where one server may think the data is one thing while the other sees it as another. Being able to break the underlying parser in this way can allow an attacker to smuggle in or add unintended information. The authors decided to look for a similar type of bug in SMTP, to smuggle commands within SMTP.
SMTP servers support SMTP pipelining for a series of requests. Breaking out of one of these would be amazing, since it would allow changing the information used on the next set of emails. They decided to try various ending sequences that are invalid according to the specification but may still be supported. \n.\n, \r\n and many other things were tried. GMX was vulnerable to the \n.\r\n method.
On Microsoft Exchange, \n.\r\n broke the parsing as well. They were using BDAT, where the size is specified. However, if the server doesn't support BDAT, then it will default to DATA once the message has come from Outlook. This worked on their own server as well as Amazon, PayPal, eBay and many others. It was the outbound side that caused problems here, by the way.
They started fuzzing various servers on the inbound side. If the connection timed out, then the EOL was not accepted. Otherwise, they had figured something out. This was useful for testing the interpretation more quickly than just sending emails and looking at the responses. It turns out that \r.\r got accepted by Cisco Secure Email.
Many of the protections on email are bypassed by this method. I found that particularly interesting.
The response from Microsoft was very sad. They claimed it wasn't a big deal since it required a non-standard sequence understanding on the other side of this. Honestly, going forward, I expect to see more servers vulnerable to SMTP smuggling, similar to how it got popular once HTTP smuggling became popular.
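An added example, not code from the original research or from this post: a Python check a mail gateway could run over message data to flag the non-standard end-of-data sequences mentioned above (\n.\n, \n.\r\n, \r.\r). The function names, the reject policy and the sample bodies are assumptions constructed for illustration.

```python
import re

# A "line break" as different SMTP parsers may see it: CRLF, bare LF, or bare CR.
_BREAK = rb"(?:\r\n|\n|\r)"
# Line break, lone dot, then another line break. The second break is a
# lookahead so that adjacent dot-lines sharing a break are each examined.
_DOT_LINE = re.compile(rb"(" + _BREAK + rb")\.(?=(" + _BREAK + rb"))")
STANDARD = b"\r\n.\r\n"  # the only end-of-data sequence the post calls valid


def find_ambiguous_terminators(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, sequence) for each lone-dot line that is not exactly
    CRLF "." CRLF, i.e. one that a lenient parser might treat as end of data
    while a strict parser treats it as ordinary message content."""
    hits = []
    for m in _DOT_LINE.finditer(data):
        seq = m.group(1) + b"." + m.group(2)
        if seq != STANDARD:
            hits.append((m.start(), seq))
    return hits


def accept_for_relay(data: bytes) -> bool:
    """Assumed policy: refuse to relay data containing any ambiguous
    terminator instead of trying to repair it."""
    return not find_ambiguous_terminators(data)


# Constructed sample message data (not real traffic).
SAMPLES = {
    "clean": b"Subject: hi\r\n\r\nhello\r\nworld\r\n",
    "bare-lf dot": b"Subject: hi\r\n\r\nhello\n.\r\nsecond part\r\n",
    "bare-cr dot": b"Subject: hi\r\n\r\nhello\r.\rsecond part\r\n",
    "after standard": b"a\r\n.\r\n.\nb\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, accept_for_relay(body), find_ambiguous_terminators(body))
```

A standard \r\n.\r\n inside the data is deliberately not flagged, since ordinary dot-stuffing on transmission already handles it.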