diff --git a/src/network-services-pentesting/pentesting-smtp/README.md b/src/network-services-pentesting/pentesting-smtp/README.md index 600870e34b3..f892542b649 100644 --- a/src/network-services-pentesting/pentesting-smtp/README.md +++ b/src/network-services-pentesting/pentesting-smtp/README.md 
@@ -275,6 +275,38 @@ SMTP Smuggling vulnerability allowed to bypass all the SMTP protections (check t smtp-smuggling.md {{#endref}} + +## Exim STARTTLS + BDAT callback desync (GnuTLS UAF) + +A useful **Exim-specific exploitation surface** is the interaction between **`STARTTLS`**, **`BDAT`/`CHUNKING`**, and the TLS backend when Exim is compiled against **GnuTLS**. The interesting technique is **not the CVE itself**, but the bug class: + +- A higher-level parser (**BDAT**) **pushes/wraps** the active `receive_*` callbacks and saves the old ones in a lower callback row. +- The lower layer (**TLS**) is later **torn down** after `gnutls_record_recv() == 0` / TLS EOF. +- Teardown restores only the **top-level** callbacks, but the **saved lower-layer callbacks remain stale**. +- A later parser repair path still calls `ungetc()` through that stale row and writes into a **freed TLS buffer**. + +### Why this matters for attackers + +This creates a very practical checklist when reviewing SMTP daemons and other protocol parsers: + +1. **Look for modal parser stacking** (`DATA`/`BDAT`, compression, TLS, chunked reads, content filters). +2. **Check teardown symmetry**: if one layer pops or resets only the active callbacks/vtable, stale saved callbacks may still reference destroyed state. +3. **Audit repair paths** such as `ungetc()`, line-ending fixups, pushback buffers, or end-of-message normalization; these often become the actual write primitive after a lower layer dies. +4. **Check for fallback after close**: if a TLS/backend read error frees state and then falls back to plaintext I/O, the outer parser may keep running long enough to turn a lifetime bug into exploitation. + +### Exim-specific shape + +In Exim's `BDAT` path, `bdat_push_receive_functions()` stores the current lower layer (`tls_getc`, `tls_getbuf`, `tls_ungetc`, etc.) and replaces the active row with BDAT wrappers. 
If a **TLS EOF** happens while the body is still being read, `tls_close()` frees the TLS plaintext transfer buffer but BDAT can still hold **stale lower-layer pointers** to `tls_*`. Later, end-of-data line-ending repair calls `bdat_ungetc('\n')` or `bdat_ungetc('\r')`, which can reach `tls_ungetc()` and perform a **1-byte write** into the **freed** TLS buffer. + +The primitive is constrained (newline or carriage return), but the offset is influenced by the TLS low-water mark. This is a classic [use-after-free](../../binary-exploitation/libc-heap/use-after-free/README.md) situation where even a single-byte post-free write may be enough to corrupt heap metadata or steer later heap reuse. + +### Triage / hunting notes + +- During **`EHLO`**, check whether the server advertises **`STARTTLS`** and **`CHUNKING`** (`BDAT`). +- Prioritize **Exim + GnuTLS** targets where **unauthenticated SMTP sessions** can reach `STARTTLS` and then send `BDAT`. +- When studying exploitation potential, look for **post-free allocation windows** in mail-processing features (filters, DKIM, MIME parsing, AV hooks, canonicalization) that can **reclaim or shape** the freed chunk before the stale callback fires. +- This bug family is a good reminder that **protocol state-machine bugs can expose heap primitives**, so SMTP review should include both protocol desync and memory-lifetime analysis. + ## Mail Spoofing Countermeasures Organizations are prevented from having unauthorized email sent on their behalf by employing **SPF**, **DKIM**, and **DMARC** due to the ease of spoofing SMTP messages. 
@@ -685,6 +717,8 @@ submit.cf ## References +- [XBOW – Dead.Letter (CVE-2026-45185): How XBOW Found an Unauthenticated RCE on Exim](https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim) +- [RFC 3030 – SMTP Service Extensions for Transmission of Large and Binary MIME Messages](https://datatracker.ietf.org/doc/html/rfc3030) - [https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/](https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/) - [https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/](https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/) - [0xdf – HTB/VulnLab JobTwo: Word VBA macro phishing via SMTP → hMailServer credential decryption → Veeam CVE-2023-27532 to SYSTEM](https://0xdf.gitlab.io/2026/01/27/htb-jobtwo.html)
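Review bot: In the new "Exim STARTTLS + BDAT callback desync" section (first hunk), the affected and fixed Exim versions are never stated and the CVE number appears only in the reference list at the bottom of the page, so a reader cannot tell from the section itself whether a given build is exposed; add one line under "Exim-specific shape" naming the CVE and the version range taken from the linked advisory. The same section gives triage and hunting notes but no remediation, so a short "Mitigation" bullet (upgrade to the fixed release; where CHUNKING is not required, restrict its advertisement via Exim's `chunking_advertise_hosts` option) would make the "Triage / hunting notes" list actionable for defenders as well. Minor wording: "The primitive is constrained (newline or carriage return), but the offset is influenced by the TLS low-water mark" reads as a contrast where none exists; "and the offset depends on" states the two constraints more plainly.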
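Review bot: In the References hunk, the two new entries are prepended above the existing list while the most recent earlier addition (the 0xdf JobTwo entry) was appended at the end, so the list loses its append-order convention; move the two `+` lines after the last existing entry. The RFC 3030 entry is the normative source for `BDAT`/`CHUNKING`, yet the section body never cites it by number; add "(RFC 3030)" where `BDAT`/`CHUNKING` is first introduced so the reference is reachable from the text that relies on it.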