Hello and welcome to the Tuesday, December 19th, 2020,

edition of the Sands and it's Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Starting today with an interesting blog post by SAC consult that was looking into SMTP smuggling.

And I have to say I was surprised in part not that the vulnerability exists, but that

nobody really has discovered it earlier.

Maybe someone has, at least I don't remember having seen it.

The problem here is similar to HTTP smuggling, which is a well-known vulnerability

and, well, sort of borrowed its name here for SMTP smuggling. The problem with HTTP smuggling

is where you have conflicting headers as to how long an request is, and then if you have multiple

requests in the same TCP connection,

well, middleware like a proxy or so could get confused about where one request starts

and the next one ends.

The problem here with SMTP smuggling is actually a little bit simpler.

In SMTP, we don't have these conflicting length headers.

Instead, each email is terminated with a dot on the line by itself.

The problem here is, and actually that's also something that sometimes comes up in HTTP,

that typically end of the line

means carriage return line feed but well sometimes just a line feed is used to indicate

the end of the line and the beginning of the next line and that's sort of where mail servers differ,

where some mail servers apparently are taking the line feed by itself as sufficient,

while others only look for the combination of carriage return and line feed.

...