Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

LPE and RCE in OpenSMTPD (CVE-2020-8794)

Qualys, posted 6 years ago
  • The vulnerability is quite interesting! The vulnerable code is in OpenSMTPD's client side (the part that delivers outgoing mail to remote servers), and the default install only listens on localhost. But with some tricks (bouncing an email back to an attacker-controlled mail server) the vulnerable code path can still be reached remotely.
  • The vulnerability stems from a parsing issue in how the client handles the remote server's reply. By abusing a subtle parsing bug, the attacker's reply text, newlines included, ends up in the error string that OpenSMTPD writes into the mail envelope. Each injected newline starts a new envelope line, which is read back as a new envelope field (or command), so the injected lines completely alter the envelope being processed by the mail server.
  • Altering the envelope lets us trick the daemon into treating the message as something else entirely, which ultimately gives us arbitrary shell command execution.
  • The above works directly in the client-side case. Exploiting through the server-side code, several issues have to be overcome. One stands above the rest: the envelope as it was before the alteration is still cached in memory, so the altered copy on disk is not used. How do we get rid of the cache? Let's crash the server! By crashing the server (with the same vulnerability again) it forgets the cached envelope and, once back up, re-reads the altered one from disk and runs the injected command.
  • Overall, the creativity needed to get this exploit working server-side was pretty awesome. Real-world bug hunting is much more complicated than a CTF.
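
To make the envelope-injection step concrete, here is an added example of my own (not Qualys's exploit and not OpenSMTPD's code) that models an envelope as a file of "key: value" lines. It shows how a single field value containing a newline turns into extra fields when the file is written and read back, and how a serializer that refuses line breaks stops it. The field names `type`, `mda-exec` and `errorline` are modelled on OpenSMTPD's on-disk envelope format; the serializer, parser, the benign envelope and the malicious reply are all constructed for illustration, and the client-side parsing bug that lets the raw reply reach the error string in the first place is not modelled here.

```python
"""Added example: an unescaped newline in one envelope field becomes
attacker-controlled extra fields once the envelope is written and re-read.

Simplified model of the injection described above, not OpenSMTPD's code.
Field names are modelled on OpenSMTPD's envelope format; everything else
(serializer, parser, sample data) is constructed for illustration.
"""

from typing import Dict


def dump_envelope_unsafe(fields: Dict[str, str]) -> str:
    """Serialize as 'key: value' lines without checking the values.

    A value containing a newline silently becomes extra lines in the file.
    """
    return "".join(f"{key}: {value}\n" for key, value in fields.items())


def dump_envelope_safe(fields: Dict[str, str]) -> str:
    """Hardened variant: refuse any value that would span more than one line."""
    for key, value in fields.items():
        if "\r" in value or "\n" in value:
            raise ValueError(f"field {key!r} contains a line break")
    return dump_envelope_unsafe(fields)


def parse_envelope(text: str) -> Dict[str, str]:
    """Read the file back: one 'key: value' field per line, last one wins."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed envelope line: {line!r}")
        fields[key.strip()] = value.strip()
    return fields


# Constructed sample: reply text from a malicious remote server, as it would
# look if a parsing bug let it reach the error string with newlines intact.
MALICIOUS_REPLY = (
    "550 no such user\n"
    "type: mda\n"
    "mda-exec: /bin/sh -c 'id > /tmp/pwned'"
)


def build_envelope(error_line: str) -> Dict[str, str]:
    """Constructed benign envelope for an outgoing message that just failed."""
    return {
        "version": "2",
        "type": "mta",
        "dest": "victim@example.com",
        "errorline": error_line,
    }


def roundtrip_unsafe(error_line: str) -> Dict[str, str]:
    """Envelope as the daemon would see it after writing and re-reading it."""
    return parse_envelope(dump_envelope_unsafe(build_envelope(error_line)))


def roundtrip_safe(error_line: str) -> Dict[str, str]:
    """Same round trip through the hardened serializer."""
    return parse_envelope(dump_envelope_safe(build_envelope(error_line)))


def safe_serializer_rejects(error_line: str) -> bool:
    """True when the hardened serializer refuses to write the envelope."""
    try:
        dump_envelope_safe(build_envelope(error_line))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evp = roundtrip_unsafe(MALICIOUS_REPLY)
    # 'type' has flipped from mta to mda and an 'mda-exec' field has appeared.
    print("unsafe round trip:", evp)
    print("hardened serializer rejects it:", safe_serializer_rejects(MALICIOUS_REPLY))
```

The last-one-wins rule in `parse_envelope` is what lets the injected `type: mda` override the legitimate `type: mta` written earlier in the file; a parser that rejected duplicate keys would also have caught this, which is a second place to put the check.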