加雷斯·海耶斯_分裂邮件原子利用解析器绕过访问控制.pdf

《加雷斯·海耶斯_分裂邮件原子利用解析器绕过访问控制.pdf》由会员分享，可在线阅读，更多相关《加雷斯·海耶斯_分裂邮件原子利用解析器绕过访问控制.pdf（61页珍藏版）》请在三个皮匠报告上搜索。

1、Splitting The Email AtomExploiting Parsers To Bypass Access ControlsGARETH HEYESOutlineWhy email address parser discrepancies matterThe shaky foundationParser discrepancies-Unicode overflows-Encoded-word-PunycodeMethodology/ToolingDefenceTakeawaysADD FUNKY STARS1.2.3.4.5.6.Why email address parser d

2、iscrepancies matterPredicting an email destination is extremely difficultThe shaky foundationRFC2822RFC“features”Quoted local- foo Quoted C(bar)foo(bar)(bar) The wrong questionWhich email is valid?#$&*+/=?_|-%(!#$&*+/=?_|-#$&*+/=?_|-%(Results in email to:#$&*+/=?_|-Which email domain does it go to?!

3、#$&*+/=?_|-Results in email to:#$&*+/=?_|- Separated by commas Final destination declared using colonSource ,:The percent hack foo%foo UUCP(Unix To Unix Copy)Early protocol before the internet Separates host and user part with exclamation mark Called the bang path Opposite order to an email !userArc

4、haic protocols back from the deadTreated as a source route(Postfix 3.6.4)Treated as UUCP(Sendmail 8.15.2)!foo foo%(UUCP/source route discovery processThe targets special characters:a-z0-9!#$%&*+/=?_|.-+a-z0-9-+(.a-z0-9-+)*!#$%&*+/=?_|-UUCP/source route discovery processUUCP/source route discovery OR

5、CPT=test;DEF CON Bonus slide:SMTP parameters in P!collab(DEF CON Bonus slide:More surprising email parsingcollab%127.0.0.1DEF CON Bonus slide:More surprising email parsingUnicode overflowsPHP chr()function generates characters 0 x00-0 x100/0-255How unicode overflows workwhile($bytevalue 0)$bytevalue

6、+=256;$bytevalue%=256;Generating an unicode overflowReal world unicode overflowsTakeaway:Smuggle characters using unicode overflows to bypass validationEncoded-wordHow encoded-word works Probing for encoded-wordEncoded-word case studiesExploiting Gitlab Enterprise servers with encoded spacesImpact:G