<!DOCTYPE html>
<html lang="en">
<head>
<title>SMTP Smuggling</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<link rel="stylesheet" href="https://www.w3schools.com/lib/w3-theme-black.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css">
<link rel="icon" type="image/x-icon" href="images/favicon.ico">
<style>
html,body,h1,h2,h3,h4,h5,h6 {font-family: "Roboto", sans-serif;scroll-margin: 40px}
.w3-sidebar {
z-index: 3;
width: 250px;
top: 43px;
bottom: 0;
height: inherit;
}
</style>
<script async defer src="https://buttons.github.io/buttons.js"></script>
</head>
<body>
<!-- Navbar -->
<div class="w3-top">
<div class="w3-bar w3-theme w3-top w3-left-align w3-large">
<a class="w3-bar-item w3-button w3-right w3-hide-large w3-hover-white w3-large w3-theme-l1" href="javascript:void(0)" onclick="w3_open()"><i class="fa fa-bars"></i></a>
<a href="#" class="w3-bar-item w3-button w3-theme-l1">SMTP Smuggling</a>
</div>
</div>
<!-- Sidebar -->
<nav class="w3-sidebar w3-bar-block w3-collapse w3-large w3-theme-l5 w3-animate-left" id="mySidebar">
<a href="javascript:void(0)" onclick="w3_close()" class="w3-right w3-xlarge w3-padding-large w3-hover-black w3-hide-large" title="Close Menu">
<i class="fa fa-remove"></i>
</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#introduction">Introduction</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#tools">Tools</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#vulnerable">I'm vulnerable! What now?</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#software">Affected Software</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#unaffected-software">Unaffected Software</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#references">References</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#videos">Videos</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#contribute">Contribute</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#comingsoon">Coming soon...</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#imprint">Imprint</a>
<a class="w3-bar-item w3-button w3-hover-black" href="#privacy">Privacy Policy</a>
</nav>
<!-- Overlay effect when opening sidebar on small screens -->
<div class="w3-overlay w3-hide-large" onclick="w3_close()" style="cursor:pointer" title="close side menu" id="myOverlay"></div>
<!-- Main content: shift it to the right by 250 pixels when the sidebar is visible -->
<div class="w3-main" style="margin-left:250px">
<div class="w3-row w3-padding-top-64">
<div class="w3-row w3-bar w3-black">
<h1 class="w3-bar-item">SMTP Smuggling</h1>
</div>
</div>
<div class="w3-row">
<div class="w3-third w3-container">
<h1 class="w3-text-black" id="introduction">Introduction</h1>
<p>SMTP smuggling is a novel vulnerability that allows <a href="https://en.wikipedia.org/wiki/Email_spoofing">e-mail spoofing</a> by exploiting differences in how the SMTP protocol is interpreted in vulnerable server constellations. More specifically, different understandings of so-called "end-of-data" sequences between outbound (sending) and inbound (receiving) SMTP servers may allow an attacker to smuggle - hence <b>SMTP smuggling</b> - spoofed e-mails (see Figure 1). Threat actors can abuse this to send malicious e-mails from arbitrary e-mail addresses, allowing targeted phishing attacks.</p>
<p><a href="#software">Affected software</a> identified on the outbound side includes Exchange Online and GMX, which are hosting millions of domains. On the inbound side, over a million SMTP instances including Postfix, Sendmail, Cisco and others are affected. This allowed spoofing e-mails from millions of domains (e.g., microsoft.com, github.com, gmx.net) to millions of SMTP servers.</p>
<p>As a result of miscommunications in the vulnerability disclosure, millions of inbound SMTP servers are left vulnerable to SMTP smuggling. Further cases of SMTP smuggling vulnerabilities in outbound servers would again allow spoofing e-mails from affected domains. <br>Also, due to a severe case of SMTP smuggling in Cisco Secure Email and missing vendor support, it is highly advised to change the vulnerable default configuration (see <a href="#software">affected software</a>).</p>
<p>
<i>In-depth information on SMTP smuggling can be found in the <a href="https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/">original blog post</a> as well as in the <a href="#references">referenced resources</a>. The official CERT/CC vulnerability note (VU#302671) can be found <a href="https://www.kb.cert.org/vuls/id/302671">here</a>.</i>
</p>
</div>
<div class="w3-twothird w3-container w3-center">
<img class="w3-image" src="images/SMTP-Smuggling-Overview.png">
<p><i>Figure 1: SMTP smuggling overview</i></p>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="tools">Tools</h1>
<p>Here are some tools for identifying SMTP smuggling issues that are available on GitHub!</p>
<p>"Official" SMTP smuggling tools:</p>
<a class="github-button" href="https://github.com/The-Login/SMTP-Smuggling-Tools" target="_blank" aria-label="View SMTP Smuggling Tools on GitHub">View SMTP Smuggling Tools on GitHub</a><br>
<p>Thank you <a href="https://hboeck.de/">Hanno Böck</a> for smtpsmug!</p>
<a class="github-button" href="https://github.com/hannob/smtpsmug" target="_blank" aria-label="View smtpsmug on GitHub">View smtpsmug on GitHub</a><br>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="vulnerable">I'm vulnerable! What now?</h1>
<p>The <b><a href="#software">Affected Software</a></b> section may include the information you are looking for. Furthermore, there may already be fixes and workarounds for your specific SMTP software online.<br>
If you don't find any solutions online, please create an issue on <a href="https://github.com/The-Login/SMTP-Smuggling-Website">GitHub</a>.
</p>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="software">Affected Software</h1>
<p>Official vendor statements can be found in CERT/CC's <a href="https://www.kb.cert.org/vuls/id/302671#vendor-information">vulnerability note</a>. However, keep in mind that there are "different views" on the vulnerability (e.g., Cisco).</p>
<table class="w3-table w3-table-all">
<tr>
<th>Software</th>
<th>Description</th>
<th>Fix/Workaround</th>
<th>Smuggling direction</th>
<th>CVE</th>
</tr>
<tr>
<td>Cisco Secure Email (Cloud) Gateway</td>
<td>On-premise and cloud versions of Cisco Secure Email Gateway using the default configuration are vulnerable to <b>severe</b> inbound SMTP smuggling, since end-of-data sequences like "&lt;CR&gt;.&lt;CR&gt;" are accepted. This allows spoofing e-mails from millions of domains. More information can be found in the <a href="https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/">original blog post</a>.</td>
<td><b>UPDATE:</b> The <a href="https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-5-1/user_guide/b_ESA_Admin_Guide_15-5-1/b_ESA_Admin_Guide_12_1_chapter_0100.html#task_1254814__table_985308C400C84CE3BC190BC8A3A95D86__entry__1">updated CR and LF handling setting</a> now adds an X-header to a message if an invalid end-of-data sequence is received. Messages with such a header can then be handled with content filter policies, as described <a href="https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa15-5-1/release_notes/Secure_Email_15-5_Release_Notes.pdf">here</a>.<br>The "Allow" option is also no longer deprecated, which makes it possible to avoid both the "Clean" option (which enables SMTP smuggling) and the "Reject" option (which drops all messages that do not fully adhere to RFCs in terms of CRs and LFs).</td>
<td>Inbound</td>
<td>-</td>
</tr>
<tr>
<td>Postfix</td>
<td>Postfix was identified to accept non-RFC-compliant end-of-data sequences like "&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;". This is not as severe an issue as with Cisco Secure Email, <b>however</b> it still allows SMTP smuggling if outbound servers (as identified with Exchange Online and GMX) do not filter such "&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" sequences. More information can be found in the <a href="https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/">original blog post</a>.</td>
<td>Detailed information can be found on the <a href="https://www.postfix.org/smtp-smuggling.html">Postfix website</a>.<br><b>Thanks to Wietse and Viktor</b> for providing quick solutions!</td>
<td>Inbound</td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-51764">CVE-2023-51764</a></td>
</tr>
<tr>
<td>Sendmail</td>
<td>Sendmail and Postfix handle end-of-data sequences the same way. As with Postfix, pipelined SMTP commands by default get executed after a "fake" end-of-data sequence is processed.</td>
<td>For now, <a href="https://ftp.sendmail.org/snapshots/">Sendmail snapshot 8.18.0.2</a> can be used. More information can be found <a href="https://groups.google.com/g/comp.mail.sendmail/c/zwJW9907Zgo?pli=1">here</a>.</td>
<td>Inbound</td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-51765">CVE-2023-51765</a></td>
</tr>
<tr>
<td>Exim</td>
<td>Some configurations of Exim are vulnerable to SMTP smuggling similar to Postfix and Sendmail.</td>
<td>Upgrading to Exim version 4.97.1 or later should fix this issue. More information can be found on the <a href="https://www.exim.org/">Exim website</a>.</td>
<td>Inbound</td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2023-51766">CVE-2023-51766</a></td>
</tr>
<tr>
<td>aiosmtpd</td>
<td>aiosmtpd is vulnerable to SMTP smuggling similar to Postfix and Sendmail.</td>
<td>Upgrading to aiosmtpd version 1.4.5 or later should fix this issue. More information can be found on <a href="https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65">GitHub</a>.</td>
<td>Inbound</td>
<td><a href="https://nvd.nist.gov/vuln/detail/CVE-2024-27305">CVE-2024-27305</a></td>
</tr>
<tr>
<td>SurgeMail</td>
<td>SurgeMail is vulnerable to SMTP smuggling similar to Postfix and Sendmail.</td>
<td>More information on fixing SurgeMail can be found on the <a href="https://surgemail.com/knowledge-base/smtp-smuggling/">SurgeMail website</a>.</td>
<td>Inbound</td>
<td>-</td>
</tr>
<tr>
<td>Exchange Online</td>
<td>Outbound Exchange Online servers allowed "&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" sequences to be sent to inbound/receiving servers due to insufficient filtering of message data. This behavior is a violation of RFC 5322 and, as of now, was only identified for Exchange Online and GMX (see below). This vulnerability allowed smuggling spoofed e-mails from millions of domains hosted at Exchange Online (e.g., microsoft.com, github.com, tesla.com, etc.) to millions of e-mail servers running Postfix, Sendmail, Exim and possibly more.</td>
<td>Microsoft has already fixed this issue.</td>
<td>Outbound</td>
<td>-</td>
</tr>
<tr>
<td>GMX</td>
<td>Like Exchange Online, GMX also allowed "&lt;LF&gt;.&lt;CR&gt;&lt;LF&gt;" sequences to be sent to millions of inbound/receiving servers due to insufficient filtering of message data.</td>
<td>GMX promptly fixed this issue.</td>
<td>Outbound</td>
<td>-</td>
</tr>
<tr>
<td><b>Possibly more!</b></td>
<td>Please help us to identify more vulnerable SMTP software by using the <a href="#tools">provided tools</a>. If you're vulnerable and using software that is not already in this list, please create an issue on <a href="https://github.com/The-Login/SMTP-Smuggling-Website">GitHub</a>.</td>
<td></td>
<td></td>
<td></td>
</tr>
</table>
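<p>The following is an added example, not code from this website or from the linked tools. It shows how a strict and a lenient receiver count end-of-data markers differently in the same message data, and how an outbound relay could refuse data containing the nonstandard variants quoted in the table above. The sample bytes are constructed, and the function names and the accept/reject policy are assumptions made for illustration.</p>

```python
import re

# The only end-of-data sequence SMTP defines: CRLF "." CRLF.
STANDARD_EOD = b"\r\n.\r\n"
# A lone "." between any mix of CRLF, bare LF or bare CR. This models a
# lenient receiver; the variants are the kinds quoted in the table above.
ANY_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def find_eod_candidates(data):
    """Return (offset, sequence, is_standard) for every "."-only line."""
    return [(m.start(), m.group(0), m.group(0) == STANDARD_EOD)
            for m in ANY_EOD.finditer(data)]


def terminators_seen(data, lenient):
    """Count the end-of-data markers a strict or lenient parser recognises."""
    if lenient:
        return len(find_eod_candidates(data))
    return data.count(STANDARD_EOD)


def outbound_check(data):
    """Hypothetical relay policy: refuse data holding a nonstandard marker."""
    bad = [(off, seq) for off, seq, ok in find_eod_candidates(data) if not ok]
    return ("reject", bad) if bad else ("accept", [])


# Constructed sample: message data with a bare-LF marker inside the body.
SAMPLE = (
    b"From: user@sender.example\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"first part\n.\r\n"   # nonstandard: LF "." CRLF
    b"text a lenient receiver would treat as new SMTP input\r\n"
    b".\r\n"               # the standard end-of-data
)

# Constructed sample: compliant data, including a dot-stuffed ".." line.
CLEAN = b"Subject: ok\r\n\r\nbody\r\n..\r\nmore body\r\n.\r\n"

if __name__ == "__main__":
    for name, data in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        strict = terminators_seen(data, lenient=False)
        loose = terminators_seen(data, lenient=True)
        verdict, findings = outbound_check(data)
        # A strict/lenient mismatch is the interpretation difference
        # that makes smuggling possible between two servers.
        print(name, "strict:", strict, "lenient:", loose, verdict, findings)
```

<p>A mismatch between the strict and lenient counts marks message data on which the two servers would disagree about where the message ends.</p>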
</div>
</div>
<div class="w3-row">
<div class="w3-twothird w3-container">
<h1 class="w3-text-black" id="unaffected-software">Unaffected Software</h1>
<p>Here is a list of software that was confirmed to be unaffected by SMTP smuggling.<br>
<b>However</b>, keep in mind that constellations with multiple SMTP servers could again introduce SMTP smuggling issues.</p>
<table class="w3-table w3-table-all">
<tr>
<th>Software</th>
<th>Description</th>
</tr>
<tr>
<td>qmail</td>
<td>Vanilla qmail was confirmed to be unaffected by SMTP smuggling.</td>
</tr>
</table>
</div>
</div>
<div class="w3-row">
<div class="w3-twothird w3-container">
<h1 class="w3-text-black" id="references">References</h1>
<table class="w3-table w3-table-all">
<tr>
<th>Resource</th>
<th>Link</th>
</tr>
<tr>
<td>Original blog post</td>
<td><a href="https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/">https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/</a></td>
</tr>
<tr>
<td>CERT/CC Vulnerability Note VU#302671</td>
<td><a href="https://www.kb.cert.org/vuls/id/302671">https://www.kb.cert.org/vuls/id/302671</a></td>
</tr>
<tr>
<td>Postfix status</td>
<td><a href="https://www.postfix.org/smtp-smuggling.html">https://www.postfix.org/smtp-smuggling.html</a></td>
</tr>
<tr>
<td>Cisco status</td>
<td><a href="https://bst.cisco.com/quickview/bug/CSCwh10142">https://bst.cisco.com/quickview/bug/CSCwh10142</a></td>
</tr>
<tr>
<td>SMTP smuggling and Exchange (DE)</td>
<td><a href="https://www.msxfaq.de/internet/smtp_smuggling_exchange.htm">https://www.msxfaq.de/internet/smtp_smuggling_exchange.htm</a></td>
</tr>
<tr>
<td>Email spoofing</td>
<td><a href="https://en.wikipedia.org/wiki/Email_spoofing">https://en.wikipedia.org/wiki/Email_spoofing</a></td>
</tr>
<tr>
<td>Talk at 37C3</td>
<td><a href="https://www.youtube.com/watch?v=V8KPV96g1To">https://www.youtube.com/watch?v=V8KPV96g1To</a></td>
</tr>
</table>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="videos">Videos</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/V8KPV96g1To?si=UUp-lAltkckpXEOg" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="contribute">Contribute</h1>
<p>Want to make changes to this website? Great, contributions are highly appreciated! Please create issues and pull requests on <a href="https://github.com/The-Login/SMTP-Smuggling-Website">GitHub</a>.</p>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="comingsoon">Coming soon...</h1>
<p>New information, updates, tools and more coming soon!</p>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="imprint">Imprint</h1>
<p>
<b>company name</b> SEC Consult Unternehmensberatung GmbH<br>
<b>business purpose</b> IT-Dienstleistungen / Unternehmensberatung<br>
<b>VAT number</b> ATU56165223<br>
<b>tax number</b> 330 214 628<br>
<b>registration number</b> FN 227896t<br>
<b>commercial court</b> Handelsgericht Wien<br>
<b>DVR</b> 3004017<br>
<b>address</b> Wagramer Straße 19 / Stock 16 | 1220 Wien<br>
<b>eMail</b> office(at)sec-consult.com<br>
<b>phone</b> +4318903043 0 <br>
<b>web</b> www.sec-consult.com<br>
<b>membership of chamber of commerce</b> Wirtschaftskammer Wien Fachgruppe: Unternehmensberatung und Informationstechnologie<br>
<b>applicable law</b> Gewerbeordnung<br>
<b>management</b> Wolfgang Baumgartner <br>
<b>data protection officer</b> dpo-austria(at)atos.net<br>
</p>
</div>
</div>
<div class="w3-row">
<div class="w3-container">
<h1 class="w3-text-black" id="privacy">Privacy Policy</h1>
<p>This website is hosted via GitHub Pages! Please refer to GitHub's <a href="https://docs.github.com/en/site-policy/privacy-policies/github-privacy-statement">privacy statement</a> and <a href="https://docs.github.com/en/pages/getting-started-with-github-pages/about-github-pages#data-collection">data collection</a> methods.</p>
</div>
</div>
<footer id="myFooter">
<div class="w3-container w3-theme-l1">
<p>> SMTP SMUGGLING EOD</p>
</div>
</footer>
<!-- END MAIN -->
</div>
<script>
// Get the Sidebar
var mySidebar = document.getElementById("mySidebar");
// Get the DIV with overlay effect
var overlayBg = document.getElementById("myOverlay");
// Toggle between showing and hiding the sidebar, and add overlay effect
function w3_open() {
if (mySidebar.style.display === 'block') {
mySidebar.style.display = 'none';
overlayBg.style.display = "none";
} else {
mySidebar.style.display = 'block';
overlayBg.style.display = "block";
}
}
// Close the sidebar with the close button
function w3_close() {
mySidebar.style.display = "none";
overlayBg.style.display = "none";
}
</script>
</body>
</html>