SMTP Smuggling, a technique that allows sending spoofed emails

SMTP Smuggling

A few days ago, SEC Consult researchers published a blog post describing a new attack technique called SMTP Smuggling, which can be used to send spoofed emails that pass the usual authentication checks.

The technique targets the SMTP protocol: an attacker abuses differences in how the outbound and inbound SMTP servers interpret the sequence that marks the end of message data.

About SMTP Smuggling

SMTP Smuggling is a new technique that lets one message be split into several messages when it is relayed from the original SMTP server to another SMTP server that interprets the end-of-data delimiter in the transmitted byte stream differently.

This makes it possible to inject SMTP commands into the body of an email so that the receiving server treats it as two separate messages, the second carrying its own headers, such as "To: recipient@domain.com", "From: sender@domain.com" and "Subject: Example subject", followed by its own body.

Moreover, because the outer message envelope passes security checks such as SPF, DKIM and DMARC, the spoofed message is delivered to mailboxes without any warning.

"SMTP Smuggling is a novel email spoofing technique that allows attackers to send emails with fake sender addresses (e.g. ceo@microsoft.com) to impersonate someone else," Longin tells Dark Reading. "Usually there are several mitigations in email systems to prevent such attacks, but with the new technique, the malicious email still gets delivered."

The new attack, named SMTP smuggling, was developed by Timo Longin, senior security consultant at SEC Consult. Longin borrowed the core idea from another class of attack known as HTTP request smuggling, in which attackers trick a front-end load balancer or reverse proxy into forwarding specially crafted requests to a back-end application server in such a way that the back-end treats them as two separate requests instead of one.

On the same principle, SMTP Smuggling takes advantage of SMTP servers interpreting the end of the data stream differently, which can cause a single message to be split into several within one SMTP session.

The end-of-data sequence can be followed by commands that send another message without closing the connection. The specification defines the sequence as "\r\n.\r\n" (<CRLF>.<CRLF>); some SMTP servers accept only that, while others, to stay compatible with non-standard mail clients, also accept variants built from bare "\r" or "\n".

The attack then comes down to sending to the first server, which recognises only the delimiter "\r\n.\r\n", a message whose body contains a different delimiter, for example "\r.\r", followed by commands that send a second message. Because the first server strictly follows the specification, it treats the whole received stream as a single message.

If that message is then forwarded to a relay or receiving server that also accepts the sequence "\r.\r" as a delimiter, it is processed as two separately sent messages. The second message can be sent on behalf of a user the client was never authorized as via "AUTH LOGIN", yet it looks legitimate on the receiving side.

The problem is reported to be fixed in current Postfix releases, which add the smtpd_forbid_unauth_pipelining setting: it disconnects clients that pipeline commands in violation of the constraints of RFC 2920 and RFC 5321.

In addition, the smtpd_forbid_bare_newline setting was added, disabled by default, which forbids a bare line feed ("\n") without a preceding carriage return as a line terminator. A companion setting, smtpd_forbid_bare_newline_exclusions, lets you lift the bare-"\n" restriction for clients on the local network.

On the Sendmail side, protection against the attack is provided by the 'o' option in srv_features, which makes the server accept only the "\r\n.\r\n" sequence.
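The following is an added example, not code from the article or from SEC Consult, that models the mechanism described above (a strict outbound server seeing one message where a lenient inbound server sees two) together with the mitigation the Postfix and Sendmail settings implement (accept only "\r\n.\r\n" and refuse bare line endings in DATA). Everything in it is constructed for the demo: the list of lenient delimiters is an illustrative list, the hosts, addresses and message bytes are made up, and the hardened check rejects bare "\r" as well as bare "\n", which goes slightly beyond what the page states for the two MTAs.

```python
"""Added example (not from the original article nor from SEC Consult): a small
model of the SMTP DATA phase.  A strict outbound relay honours only
<CRLF>.<CRLF>; a lenient inbound MTA also honours variants such as <CR>.<CR>;
a hardened inbound MTA honours only <CRLF>.<CRLF> and rejects bare <CR>/<LF>
in DATA (the Postfix smtpd_forbid_bare_newline / Sendmail srv_features 'o'
rule, extended here to bare <CR> as an assumption).  All data is constructed."""
import re

STRICT_EOD = b"\r\n.\r\n"          # the only end-of-data sequence RFC 5321 defines
LENIENT_EODS = [b"\r\n.\r\n", b"\n.\n", b"\r.\r", b"\n.\r\n", b"\r\n.\n"]  # demo list
# A <CR> not followed by <LF>, or a <LF> not preceded by <CR>: a "bare" line ending.
BARE_LINE_END = re.compile(rb"\r(?!\n)|(?<!\r)\n")


def parse_session(stream, eods):
    """Messages an MTA honouring the delimiters in `eods` accepts from a
    client->server byte stream.  Commands are CRLF-terminated; after DATA the
    earliest accepted delimiter ends the body and whatever follows is parsed
    as further commands, which is exactly the smuggling window."""
    messages, envelope, pos = [], {"from": None, "to": []}, 0
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        if nl == -1:
            break
        line, pos = stream[pos:nl], nl + 2
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            envelope = {"from": line[10:].strip(), "to": []}
        elif upper.startswith(b"RCPT TO:"):
            envelope["to"].append(line[8:].strip())
        elif upper == b"DATA":
            # The CRLF ending the DATA line may start the delimiter (empty body).
            hits = [(i, d) for d in eods if (i := stream.find(d, pos - 2)) != -1]
            if not hits:
                break                      # client never terminated DATA
            end, delim = min(hits)
            messages.append({"from": envelope["from"], "to": list(envelope["to"]),
                             "body": stream[pos:end], "delimiter": delim})
            pos = end + len(delim)
        # EHLO, QUIT and other commands do not matter for the demo.
    return messages


def has_bare_line_endings(body):
    """True if DATA holds a <CR> or <LF> outside a CRLF pair: the precondition
    for a downstream MTA to find a second, lenient delimiter in the body."""
    return BARE_LINE_END.search(body) is not None


def relay_forward(msg):
    """Session the outbound relay opens to the next hop for one accepted
    message (dot-stuffing omitted: the smuggled bytes never begin a CRLF line)."""
    return (b"MAIL FROM:" + msg["from"] + b"\r\n"
            + b"".join(b"RCPT TO:" + r + b"\r\n" for r in msg["to"])
            + b"DATA\r\n" + msg["body"] + STRICT_EOD)


def hardened_receive(stream):
    """Inbound MTA: only <CRLF>.<CRLF>, and DATA with bare line endings is
    rejected.  Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for m in parse_session(stream, [STRICT_EOD]):
        (rejected if has_bare_line_endings(m["body"]) else accepted).append(m)
    return accepted, rejected


# Constructed attacker session: authenticated as attacker@relay.example, but the
# body hides a <CR>.<CR> delimiter followed by a second envelope as ceo@relay.example.
SMUGGLED = (
    b"EHLO attacker-host\r\nMAIL FROM:<attacker@relay.example>\r\n"
    b"RCPT TO:<victim@target.example>\r\nDATA\r\n"
    b"From: attacker@relay.example\r\nSubject: innocuous\r\n\r\nhello\r\n"
    b"\r.\r"                                   # smuggled end-of-data for lenient MTAs
    b"MAIL FROM:<ceo@relay.example>\r\n"       # never authenticated as this user
    b"RCPT TO:<victim@target.example>\r\nDATA\r\n"
    b"From: ceo@relay.example\r\nSubject: urgent wire transfer\r\n\r\n"
    b"please pay the attached invoice\r\n"
    b".\r\n"                                   # the real <CRLF>.<CRLF>
    b"QUIT\r\n"
)
CLEAN = (                                      # constructed benign session
    b"MAIL FROM:<alice@relay.example>\r\nRCPT TO:<bob@target.example>\r\n"
    b"DATA\r\nSubject: lunch\r\n\r\nnoon?\r\n.\r\nQUIT\r\n"
)


def run_demo(stream=SMUGGLED):
    """Follow one client stream through the hop chain and summarise each view."""
    relay_view = parse_session(stream, [STRICT_EOD])          # outbound: strict
    forwarded = b"".join(relay_forward(m) for m in relay_view)
    lenient_view = parse_session(forwarded, LENIENT_EODS)     # inbound: lenient
    accepted, rejected = hardened_receive(forwarded)          # inbound: hardened
    return {"relay_messages": len(relay_view),
            "lenient_inbound_messages": len(lenient_view),
            "lenient_inbound_senders": [m["from"] for m in lenient_view],
            "hardened_accepted": len(accepted), "hardened_rejected": len(rejected)}


if __name__ == "__main__":
    for name, s in (("smuggled", SMUGGLED), ("clean", CLEAN)):
        print(name, run_demo(s))
```

For the smuggled stream the relay sees one message, the lenient inbound server sees two (the second with envelope sender ceo@relay.example, which the client never authenticated as), and the hardened inbound server rejects the single forwarded message because its body contains a bare "\r". The clean stream passes every hop as one message, which is the point of the mitigation: refusing non-CRLF line endings removes the bytes a downstream parser could mistake for a delimiter, without touching ordinary mail.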

Finally, if you would like to know more about it, you can consult the details at the following link.
