SMTP Vulnerability Withheld From Open Source Project, Published Right Before Xmas Break

by
hubie
from SoylentNews on (#6HCY6)

coolgopher writes:

From https://www.postfix.org/smtp-smuggling.html:

Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

Unfortunately, critical information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to change their time schedule until after people had a chance to update their Postfix systems.

The attack involves a COMPOSITION of two email services with specific differences in the way they handle line endings other than <CR><LF>:

- One email service A that does not recognize broken line endings in SMTP such as in <LF>.<CR><LF> in an email message from an authenticated attacker to a recipient at email service B, and that propagates those broken line endings verbatim when it forwards that message to:

- One different email service B that does support broken line endings in SMTP such as in <LF>.<CR><LF>. When this is followed by "smuggled" SMTP MAIL/RCPT/DATA commands and message header plus body text, email service B is tricked into receiving two email messages: one message with the content before the <LF>.<CR><LF>, and one message with the "smuggled" header plus body text after the "smuggled" SMTP commands. All this when email service A sends only one message.

Postfix is an example of email service B. Microsoft's outlook.com was an example of email service A.

The "smuggled" SMTP MAIL/RCPT/DATA commands and header plus body text can be used to spoof email from any sender whose domain is hosted at email service A, to any recipient whose domain is hosted at email service B. Such email will pass SPF-based DMARC checks at email service B, because the smuggled message has a sender address that is hosted at email service A, and because the message was received from email service A.
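The whole issue turns on where a receiving server decides that DATA has ended. The following is an added example, not code from Postfix, SEC Consult or the SoylentNews submission: a small audit routine that compares a strict RFC 5321 end-of-data parser (only <CR><LF>.<CR><LF> terminates) with a lenient one that also accepts broken variants such as <LF>.<CR><LF>, and reports where the two diverge. The function names, the list of broken terminators and the sample payloads are constructed for illustration; the broken sample deliberately contains only plain text after the bare-newline terminator, enough to show the split without reproducing a smuggled command sequence.

```python
import re
from typing import Dict, List, Tuple

# The only terminator RFC 5321 allows for DATA.
CRLF_TERMINATOR = b"\r\n.\r\n"

# Non-standard terminators that a lenient server might honour (assumed set,
# constructed for this example; real implementations differ).
BROKEN_TERMINATORS = (b"\n.\r\n", b"\r.\r\n", b"\n.\n", b"\r\n.\n", b"\r.\r")


def find_bare_newlines(data: bytes) -> List[int]:
    """Byte offsets of every LF not preceded by CR and every CR not followed by LF."""
    return [m.start() for m in re.finditer(rb"(?<!\r)\n|\r(?!\n)", data)]


def strict_end_of_data(data: bytes) -> int:
    """Offset of the RFC 5321 terminator, or -1 if the payload never ends DATA."""
    return data.find(CRLF_TERMINATOR)


def lenient_end_of_data(data: bytes) -> Tuple[int, bytes]:
    """Earliest offset at which a lenient parser would end DATA, and the sequence it matched."""
    hits = [(data.find(t), t) for t in (CRLF_TERMINATOR,) + BROKEN_TERMINATORS]
    hits = [(off, t) for off, t in hits if off != -1]
    if not hits:
        return -1, b""
    return min(hits)  # smallest offset wins; ties resolve on the byte sequence


def audit_data_payload(data: bytes) -> Dict[str, object]:
    """Flag payloads where a strict and a lenient server would disagree on the message boundary.

    A message that is 'divergent' is exactly the shape that lets service A
    (strict, forwards verbatim) and service B (lenient) see different messages.
    """
    strict = strict_end_of_data(data)
    lenient, matched = lenient_end_of_data(data)
    divergent = lenient != -1 and (strict == -1 or lenient < strict)
    return {
        "bare_newlines": find_bare_newlines(data),
        "strict_end": strict,
        "lenient_end": lenient,
        "lenient_terminator": matched,
        "divergent": divergent,
    }


# Constructed sample payloads (what a server sees after the DATA command).
SAMPLE_CLEAN = b"From: a@example.test\r\nTo: b@example.test\r\n\r\nhello\r\n.\r\n"
SAMPLE_BROKEN = (
    b"From: a@example.test\r\nTo: b@example.test\r\n\r\n"
    b"hello\n.\r\n"          # bare LF before the dot: a lenient server ends DATA here
    b"more text\r\n.\r\n"    # a strict server ends DATA only here
)

if __name__ == "__main__":
    for name, payload in (("clean", SAMPLE_CLEAN), ("broken", SAMPLE_BROKEN)):
        print(name, audit_data_payload(payload))
```

Running the audit over the broken sample reports one bare newline and a lenient end-of-data offset that lies before the strict one, which is the condition a relay should reject (or normalise to <CR><LF>) before forwarding rather than pass through verbatim.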
