客观看,有序防,拒绝漏洞PUA
盛邦安全
Aggregator
基于邮箱的域名欺骗攻击(利用解析器绕过访问控制)
10 months 1 week ago
0x01 前言
每年blackhat总是会有一些新奇的攻击思路值得大家学习,在2024年blackhat的议题中发现一篇很有意思的文章,作者提出了一套基于邮箱的欺骗攻击思路,利用RFC标准中对SMTP协议中邮箱地址的特性,提供一系列绕过技巧,我们从中挑选一些实用性较高的思路分享。
0x02 邮箱欺骗
1)邮箱地址注释
在RFC2822规范中规定了邮件数据格式标准,其中3.2.3章节提到可以对消息头中的内容进行注释,邮件地址属于消息头的一部分,也支持注释,注释符是单括号。
在上面表格中的邮箱地址是属于添加了注释的邮件地址,本质上都是代表[email protected]。可以使用python的smtplib库复现了邮件发送过程中的注释功能,如下所示。
#发送邮件def send_mail(html,mails_to,title='xxxxxxx'): ret=True mails_to_old=mails_to mails_to=','.join(mails_to) try: my_sender='[email protected]' # 邮件内容 msg=MIMEText(html,'html','utf-8') # 括号里的对应发件人邮箱昵称、发件人邮箱账号 msg['From']=formataddr(["xxx",my_sender]) # 括号里的对应收件人邮箱昵称、收件人邮箱账号 msg['To'] =formataddr(["xxx",mails_to]) # 邮件的主题 msg['Subject']=title # 邮件服务器的SMTP地址 server=smtplib.SMTP_SSL("smtp.target.cn", 465) # 登录服务器,括号中对应的是发件人邮箱账号、邮箱密码 server.login(my_sender, 'yourpassword') # 发送邮件,括号中对应的是发件人邮箱账号、收件人邮箱账号、发送邮件 server.sendmail(my_sender,mails_to_old,msg.as_string()) # 关闭连接 server.quit() # 如果 try 中的语句没有执行,则会执行下面的 ret=False except Exception as e: print('发送邮件错误',e) ret=False return ret
if __name__ == '__main__': send_mail("xxxxxxx", ["zhangsan@([email protected])webray.com.cn"])
那么这样的邮件欺骗的攻击行为有什么用处呢?
恶意邮箱注册(低危)
攻击者只有一个邮件收件箱,但是通过引入不同的注释符在同一个网站注册多个账号。
认证与鉴权绕过(高危)
有的网站只允许特定域名进行注册(或者通过用户注册邮箱提取其域名信息),如果对域名数据的获取逻辑存在问题,则可能导致获取到的域名是属于注释中的域名,导致认证与鉴权绕过漏洞。
2)邮箱地址编码
在RFC2047规范中规定了邮件传输协议中邮件头的标准,规范中介绍可以使用多种不同的编码方式对邮件头的值进行编码。如下图所示。
其中=?代表编码开始的位置,utf-8代表后续的字符集类型(其它支持的类型包括utf-8、iso-8859-1等),q代表编码方式的简称(其中q代表Q-Encoding,是一种hex编码方式;b代表Base64-Encoding,是base64编码),?=代表编码结束的位置。
通过对邮件地址进行编码提供了另一种邮件地址表示方式,可以使用github的邮箱验证功能来复现这一特性。在github的settings->emails模块中,添加邮箱地址的base64编码后的值,可以在自己的邮箱正常收到github的邮件。
单纯通过对邮箱地址的用户名字段进行编码似乎并不足以产生较大的危害,其灵活性似乎还没有上面邮箱注释的方式高。而且在更多场景下,网站获取邮箱域名是直接获取的邮箱地址的末尾的域名。例如用户输入的邮箱地址是[email protected],网站会获取最后的webray.com.cn来进行校验,判断输入邮箱是否属于允许注册的域名,这样的验证无法通过上面两种方式来绕过。
为了应对上面这种场景,作者提出了一种%00截断的方式,通过邮箱编码结合%00截断可以在输入的邮箱地址末尾添加任意字符。如下图所示。
其中最关键的是在后面添加了=3e(代表右尖括号>)和%00用于截断后面的内容。其中%00可以截断后面的内容应该是属于C语言在字符遍历时的特性,这个很容易理解。前面的右尖括号是什么作用呢?这是因为在SMTP协议头中真实的目的邮箱地址是下面的方式通过左右尖括号的方式来包裹的。
在作者给出的案例中,通过这样的方式可以在github上面认证任意后缀的邮箱地址,如下图所示。
那么这样的欺骗攻击有什么用处呢?
用于欺骗钓鱼攻击(低危)
在业务系统中伪造目标内部邮箱域名后缀,增加钓鱼成功率。
绕过特定域名邮箱注册限制(高危)
有的重要系统限制了必须是特定域名的邮箱才能注册,通过这样的方式可以绕过系统注册限制。在原文中作者提到有的自建gitlab服务器会限制只允许特定域名后缀的邮箱注册,通过这种方式可以绕过限制,这也应该算是邮箱欺骗攻击的典型应用场景了。
使用github管理员权限登陆,在管理配置中配置允许注册的后缀域名。
配置之后就使用其它域名后缀的邮箱注册,则会返回禁止注册的错误。
这个时候可以通过[email protected]对gitlab邮件限制进行欺骗,绕过域名注册限制。
0x03 实网体验
基于邮件地址的域名欺骗攻击是一种新型的攻击思路,在特定场景下能产生重要的作用,但是经过笔者实际测试效果似乎并没有那么好:
大多数网站对邮件地址有格式校验,不允许在邮件地址中存在特殊字符。
我们测试了python的smtplib、php的phpmailer、java的javax.mail.jar三种语言的常见SMTP发邮件的方式,从测试结果上来看三种方式原生均不支持通过编码的方式来定义收件箱地址。原文中也并没有明确当前主流邮件服务器对编码邮件地址的支持情况。
github仅有老版本受域名欺骗攻击影响,在最新的gitlab上面进行测试,是不允许对邮箱地址进行编码的。使用编码的域名会返回邮件地址错误。
也欢迎大家在实际具体业务中多做尝试,肯定能发现其它利用的思路。
0x04 参考链接
盛邦安全
基于邮箱的域名欺骗攻击(利用解析器绕过访问控制)
10 months 1 week ago
盛邦安全
国内无线充电新规将在9月1日起施行 Qi2/MagSafe等无线充电设备将被停产
10 months 1 week ago
Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry
10 months 1 week ago
Vivek Ramachandran, Founder & CEO of SquareX, at DEF CON Main Stage.
At DEF CON 32 this year, SquareX presented compelling research that revealed the shortcomings of Secure Web Gateways (SWG) in protecting the browser and demonstrated 30+ foolproof methods to bypass them. Anybody can test these bypasses against their SWG at https://browser.security/
This research has a huge impact on all SWG vendors and enterprises relying on them to secure their employees.
The talk garnered a strong response from the audience and received widespread attention on social media and in various media outlets. Numerous journalists have covered the findings, highlighting the unfixable flaws of Secure Web Gateways and sparking discussions about the efficacy of SWGs against modern web threats that enterprises are facing today.
https://medium.com/media/7c9925fcd33d9c908217928aecf2ce24/hrefhttps://medium.com/media/e9bc04d8f305c64e4b3ef891b8844c00/hrefhttps://medium.com/media/34722dfdddbab16f9f29578d3837ab3f/hrefhttps://medium.com/media/cca1255f72e4380382117e231cb2e4ed/href
- Matthew Douglas on LinkedIn: DEF CON 32: the unfixable bug that allows malware to be deployed via a...
- MarTech Cube on LinkedIn: SquareX presents at DEF CON 32, Releases Enterprise Testing Framework
There's more than 25 ways to bypass a Secure Web Gateway
CyberNews SC Media Cyber Defense MagazinePublisher's Spotlight: SquareX
Decrypted TechAre Modern Web Browsers a Blind Spot on the Threat Landscape? We talked to SquareX About It.
IT Security WireSquarex Releases New Website For Testing SWG Products
CIO Influence News Planet IndiaSquareX Exposes SWG Flaws at DEF CON 32, Calls for Change
Yahoo! Finance Cybersecurity NewsLast Mile Reassembly Attacks Bypass Leading Secure Web Gateways
Global Security MagazineSquareX Last Mile Reassembly Attack Vector - Global Security Mag Online
GTT Korea SG Business NewsSquareX Discovers New Cybersecurity Attacks Leaving Most Enterprises Vulnerable
BestGamingProDEF CON: Major Flaws Found in Supposedly 'Secure' Web Gateways
Cypherlock Daily UK News DSL Reports BU CertSecure Web Gateways are anything but as infosec hounds spot dozens of bypasses
i3 InvestorSecure Web Gateways are anything but as infosec hounds spot dozens of bypasses
Benzinga Hindustan Times US World Today World News Network AP News Advanced Financial Network Thailand Business News Morningstar Asia One Menafn StreetInsider Voice of ASEAN Ohsem News Wire OnlineSquareX Exposes Failures of Secure Web Gateways at DEF CON 32
Ani News LokmatTimes The Print Indian Economic Observer CFOtech Asia— Technology news for CFOs & financial decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
eCommerceNews Asia— Technology news for digital commerce decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
IT Brief Asia—Technology news for CIOs & IT decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
SecurityBrief Asia— Technology news for CISOs & cybersecurity decision-makers
SquareX exposes SWG flaws at DEF CON, urges browser security
IT Brief Asia— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief Asia— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife Australia— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief Australia— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief Australia— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife New Zealand— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief New Zealand— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief New Zealand— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife UK— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief UK— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief UK— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
ChannelLife India— Industry insider news for technology resellers
SquareX to reveal major browser vulnerabilities at DEF CON 32
IT Brief India— Technology news for CIOs & IT decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
SecurityBrief India— Technology news for CISOs & cybersecurity decision-makers
SquareX to reveal major browser vulnerabilities at DEF CON 32
Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry appeared first on Security Boulevard.
Engineering @ SquareX
Secure Web Gateway Vulnerabilities Exposed: SquareX’s Research Stirs the Industry
10 months 1 week ago
Vivek Ramachandran, Founder & CEO of SquareX, at DEF CON Main Stage.At DEF CON 32 this year, Squar
CVE-2015-7252 | ZTE ZXHN H108N R1A prior ZTE.bhs.ZXHNH108NR1A.k_PE cgi-bin/webproc errorpage cross site scripting (EDB-38773 / BID-77421)
10 months 1 week ago
A vulnerability, which was classified as problematic, has been found in ZTE ZXHN H108N R1A. Affected by this issue is some unknown functionality of the file cgi-bin/webproc. The manipulation of the argument errorpage leads to cross site scripting.
This vulnerability is handled as CVE-2015-7252. The attack may be launched remotely. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
vuldb.com
お知らせ:制御システムセキュリティカンファレンス2025講演募集(Call for Presentation)
10 months 1 week ago
ISC Stormcast For Monday, August 26th, 2024 https://isc.sans.edu/podcastdetail/9112, (Mon, Aug 26th)
10 months 1 week ago
French Police Arrest Telegram CEO and Owner
10 months 1 week ago
Pavel Durov Reportedly Detained For Complicity Over Criminal Use
French media reported Saturday the detention outside Paris of Pavel Durov, CEO and owner of social media network Telegram, reportedly for failing to take steps to curb criminal activity on the platform. The Russian Embassy in France said it has demanded an explanation from the French government.
French media reported Saturday the detention outside Paris of Pavel Durov, CEO and owner of social media network Telegram, reportedly for failing to take steps to curb criminal activity on the platform. The Russian Embassy in France said it has demanded an explanation from the French government.
ADSpider: monitor Active Directory changes in real time
10 months 1 week ago
ADSpider Tool for monitoring Active Directory changes in real-time without getting all objects. Instead, it uses replication metadata and Update Sequence Number (USN) to filter the current properties of objects. How to use git...
The post ADSpider: monitor Active Directory changes in real time appeared first on Penetration Testing Tools.
ddos
创始人被捕后Telegram称遵守欧盟法律 但平台和所有者不应对滥用行为负责
10 months 1 week ago
CVE-2024-8152 | SourceCodester QR Code Bookmark System 1.0 Parameter add-bookmark.php name/url cross site scripting
10 months 1 week ago
A vulnerability was found in SourceCodester QR Code Bookmark System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /endpoint/add-bookmark.php of the component Parameter Handler. The manipulation of the argument name/url leads to cross site scripting.
This vulnerability was named CVE-2024-8152. The attack can be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2024-8153 | SourceCodester QR Code Bookmark System 1.0 delete-bookmark.php bookmark cross site scripting
10 months 1 week ago
A vulnerability was found in SourceCodester QR Code Bookmark System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /endpoint/delete-bookmark.php. The manipulation of the argument bookmark leads to cross site scripting.
The identification of this vulnerability is CVE-2024-8153. The attack may be initiated remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2024-8154 | SourceCodester QR Code Bookmark System 1.0 Parameter update-bookmark.php tbl_bookmark_id/name/url cross site scripting
10 months 1 week ago
A vulnerability classified as problematic has been found in SourceCodester QR Code Bookmark System 1.0. Affected is an unknown function of the file /endpoint/update-bookmark.php of the component Parameter Handler. The manipulation of the argument tbl_bookmark_id/name/url leads to cross site scripting.
This vulnerability is traded as CVE-2024-8154. It is possible to launch the attack remotely. Furthermore, there is an exploit available.
vuldb.com
WinObjEx64: Windows Object Explorer 64-bit
10 months 1 week ago
WinObjEx64 WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the “Properties…” toolbar button to get more information,...
The post WinObjEx64: Windows Object Explorer 64-bit appeared first on Penetration Testing Tools.
ddos
一体化vs.模块化,谁才是SOC的未来?
10 months 1 week ago
目前还没有一个平台能满足 SOC 所有技术要求
CVE-2016-3720 | Data Format Extension on Jackson XmlMapper xml external entity reference (ID 199 / Nessus ID 91057)
10 months 1 week ago
A vulnerability was found in Data Format Extension on Jackson. It has been classified as very critical. This affects an unknown part of the component XmlMapper. The manipulation leads to xml external entity reference.
This vulnerability is uniquely identified as CVE-2016-3720. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2015-5254 | Oracle BI Publisher 11.1.1.7.0/12.2.1.1.0/12.2.1.2.0 Apache ActiveMQ input validation (Nessus ID 87410 / ID 11889)
10 months 1 week ago
A vulnerability was found in Oracle BI Publisher 11.1.1.7.0/12.2.1.1.0/12.2.1.2.0. It has been rated as very critical. Affected by this issue is some unknown functionality of the component Apache ActiveMQ. The manipulation leads to improper input validation.
This vulnerability is handled as CVE-2015-5254. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2007-1375 | PHP 5.2.1 substr_compare length integer coercion (EDB-3424 / Nessus ID 26107)
10 months 1 week ago
A vulnerability has been found in PHP 5.2.1 and classified as critical. Affected by this vulnerability is the function substr_compare. The manipulation of the argument length leads to integer coercion error.
This vulnerability is known as CVE-2007-1375. The attack can be launched remotely. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
vuldb.com