On 01.01.2024 at 20:38 Marco Moock wrote:
> On 01.01.2024 at 17:58:47, Gellner, Oliver via mailop wrote:
>> To exploit the issue, an email message needs to traverse two MTAs that treat the EOM marker differently. The MTAs do not need to be in a special trust relationship or allowed to relay to each other.
>
> Sorry for the second reply, but how does this work?

Let’s assume we have two MTAs: One belonging to Hotmail and a second belonging to Cisco. The MTAs are completely unrelated to each other. Hotmail’s MTA will treat <LF>.<LF> as part of the message body whereas Cisco’s MTA will see <LF>.<LF> as end-of-message (both in violation of the RFC).

An attacker now signs up for an account at Hotmail and submits the following message:

    MAIL FROM:<realacco...@hotmail.tld>
    RCPT TO:<anyth...@cisco.tld>
    DATA
    From: <realacco...@hotmail.tld>
    To: <anyth...@cisco.tld>

    Some Text…
    <LF>.<LF>
    MAIL FROM:<supp...@microsoft.com>
    RCPT TO:<vic...@cisco.tld>
    BDAT length LAST
    From: Microsoft Support <supp...@microsoft.com>
    To: <vic...@cisco.tld>
    Subject: Phishing attack

    Wire me all your money asap
    QUIT

Hotmail’s MTA will accept this as one message, add its usual headers and deliver it to the MX of cisco.tld. Cisco’s MTA will however see an incoming connection that delivers two messages: One from realacco...@hotmail.tld, a second from supp...@microsoft.com. The second message is the smuggled message.

Of course the attacker could as well send a message from supp...@microsoft.com to vic...@cisco.tld directly from his botnet, VPS or whatever, but this would get rejected by every MTA that honors the DMARC policy of microsoft.com. The smuggled message on the other hand passes the SPF and thereby DMARC checks successfully.

> At least for sendmail, a fix is available in the current snapshot, but the fix is just an additional feature (srv_features) that changes it, so it only accepts CRLF.

Yes, but as with Postfix the update alone does not fix the vulnerability. You have to additionally change the config as instructed.
The vendors and distributions don’t do this automatically as this changes the behavior of the MTA.

--
BR
Oliver
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
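The end-of-message disagreement described in the message above can be checked for on the receiving side. The following is an added example, not part of the original post or of any MTA's code: it scans a raw DATA stream for dot-lines that are not the RFC's CRLF.CRLF and models how many messages a strict and a lenient receiver would each see. The function names, addresses and sample bytes are constructed for illustration.

```python
import re

STRICT_EOD = b"\r\n.\r\n"  # the only end-of-data marker RFC 5321 defines
# A line holding a single "." delimited by any mix of CRLF, bare CR or bare LF.
DOT_LINE = re.compile(rb"(?:\r\n|\r|\n)\.(?:\r\n|\r|\n)")


def classify_dot_lines(stream: bytes):
    """Sort every dot-line in a DATA stream into (strict, nonstandard) hits."""
    strict, nonstandard = [], []
    for m in DOT_LINE.finditer(stream):
        bucket = strict if m.group() == STRICT_EOD else nonstandard
        bucket.append((m.start(), m.group()))
    return strict, nonstandard


def messages_seen(stream: bytes):
    """Simplified model: (messages for a CRLF-only receiver,
    messages for a receiver that also ends on bare-newline dot-lines)."""
    strict, nonstandard = classify_dot_lines(stream)
    return len(strict), len(strict) + len(nonstandard)


def should_reject(stream: bytes) -> bool:
    """Policy: refuse any stream that two MTAs could split differently."""
    return bool(classify_dot_lines(stream)[1])


# Constructed sample: one message as relayed by a sender-side MTA that left
# a bare <LF>.<LF> in the body untouched. All addresses are placeholders.
SAMPLE = (
    b"From: <user@sender.example>\r\n"
    b"To: <rcpt@receiver.example>\r\n"
    b"\r\n"
    b"Some Text\n.\n"
    b"MAIL FROM:<spoofed@other.example>\r\n"
    b"(rest of what a lenient receiver would parse as commands)\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    print("strict/lenient message count:", messages_seen(SAMPLE))
    for offset, seq in classify_dot_lines(SAMPLE)[1]:
        print(f"non-standard dot-line at offset {offset}: {seq!r}")
    print("reject:", should_reject(SAMPLE))
```

A correctly dot-stuffed body line (`..`) is not flagged, so the check only fires on streams where the line endings around a lone dot are not CRLF.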