{"id":16651,"date":"2017-02-25T12:15:40","date_gmt":"2017-02-25T18:15:40","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=16651"},"modified":"2017-03-03T16:15:28","modified_gmt":"2017-03-03T22:15:28","slug":"smtp-over-xxe-%e2%88%92-how-to-send-emails-using-javas-xml-parser","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=16651","title":{"rendered":"SMTP over XXE \u2212 how to send emails using Java&#8217;s XML parser"},"content":{"rendered":"<blockquote><p>The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. <a href=\"https:\/\/www.ietf.org\/rfc\/rfc959.txt\">RFC 959<\/a> specifies that a username may consist of a sequence of any of the 128 ASCII characters except <code class=\"highlighter-rouge\">&lt;CR&gt;<\/code> and <code class=\"highlighter-rouge\">&lt;LF&gt;<\/code>. Guess what the JRE implementers forgot? Exactly \u2212 to check for the presence of <code class=\"highlighter-rouge\">&lt;CR&gt;<\/code> or <code class=\"highlighter-rouge\">&lt;LF&gt;<\/code>. This means that if we put <code class=\"highlighter-rouge\">%0D%0A<\/code> anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session.<\/p><\/blockquote>\n<p>Source: <em><a href=\"https:\/\/shiftordie.de\/blog\/2017\/02\/18\/smtp-over-xxe\/\">SMTP over XXE \u2212 how to send emails using Java&#8217;s XML parser &#8211; shift or die<\/a><\/em><\/p>\n<blockquote><p>So, if we send a <code class=\"highlighter-rouge\">USER<\/code> command to a mail server instead of a FTP server, it will answer with an error code (since <code class=\"highlighter-rouge\">USER<\/code> is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except &lt;CR&gt; and &lt;LF&gt;. &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=16651\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[110],"tags":[1125,1268,698,622],"class_list":["post-16651","post","type-post","status-publish","format-standard","hentry","category-networking","tag-exploit-vector","tag-ftp","tag-security-research","tag-smtp"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/16651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16651"}],"version-history":[{"count":2,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/16651\/revisions"}],"predecessor-version":[{"id":16666,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/16651\/revisions\/16666"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16651"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}