Methodology

![[Pasted image 20240912093036.png]]

https://portswigger.net/research/splitting-the-email-atom

A useful methodology for testing emerged during research, consisting of four steps: Probe, Observe, Encode, and Exploit. First, utilize the probes as described and observe the results in a tool like Burp Collaborator. This process is repeated until the necessary characters for the attack are identified. Once complete, the exploit can be executed. This methodology applies to both encoded-word and Punycode attacks.

For an encoded-word attack, begin by probing for "encoded-word" and observing the decoded email to confirm support. Next, encode various characters and observe how they are decoded, followed by exploiting these characters.

To observe results, Burp Collaborator was used to view SMTP interactions.

Generating email splitting attacks can be facilitated using Hackvertor tags. Hackvertor, a free Burp Suite extension, allows the use of tags in requests for performing nested conversions on data. To initiate a Unicode overflow, specific tags are used, with characters placed inside the tag for conversion:

<@_unicode_overflow(0x100,'...')>@</@_unicode_overflow>
<@_unicode_overflow_variations(0xfff,'...')>@</@_unicode_overflow_variations>
foo<@_encoded_word_encode('...')>@<@/_encoded_word_encode>example.com
<@_encoded_word_decode('...')>=41=42=43<@/_encoded_word_decode>
<@_email_utf7('...')><@/_email_utf7>
<@_email_utf7_decode('...')><@/_email_utf7_decode>
<@_encode_word_meta('iso-8859-1','...')><@/_encode_word_meta>

  • The first tag generates a single Unicode overflow, using 0x100 as the argument (256 in decimal).
  • The second tag uses the tag argument as the maximum Unicode codepoint and generates characters that overflow to the specified character.
  • The third tag performs an encoded-word conversion, such as encoding the "@" symbol.
  • The fourth tag decodes the encoded-word sequence.
  • Additional tags support the creation and decoding of UTF-7 emails and encoded-word meta characters.

To use these tags, enable "Allow code execution tags" from the Hackvertor menu, then install them via "View Tag Store."

Automating exploitation of encoded-word with Turbo Intruder

Turbo Intruder, a Burp extension by James Kettle, automates encoded-word exploitation. A Turbo Intruder script can exploit mailer vulnerabilities when encoded-word is supported and aims to test email splitting using nulls or other characters.

This script uses a list of known techniques for email splitting, identified from testing platforms like GitHub, Zendesk, GitLab, and Bugcrowd. Customization allows adapting the script to perform other attacks. To run it, update the validServer variable with the target domain, add %s where the email should be inserted in the request, then send the request to Turbo Intruder and execute the attack. If successful, a Collaborator interaction should appear in Turbo Intruder, indicating that the email domain is spoofable.

In rate-limited environments, the REQUEST_SLEEP variable can be adjusted to avoid server issues.

![[Pasted image 20240913135635.png]]

General

An "email atom" is a part of the email encoding format that represents characters in a way suitable for transfer over email systems. In the example =?utf-8?q?=41=42=43?=email@gmail.com, the string before the email address is encoded using MIME (Multipurpose Internet Mail Extensions) to handle non-ASCII characters.

Here’s a breakdown:

  • =?utf-8?q?=41=42=43?=: This is the MIME encoded portion.
    • utf-8: Specifies the character encoding (UTF-8 in this case).
    • q: Indicates quoted-printable encoding, where =41=42=43 represents the ASCII characters A, B, and C.
    • =41=42=43: This is the encoded representation of the string "ABC".

So, =?utf-8?q?=41=42=43?= translates to "ABC". The full example could be interpreted as "ABCemail@gmail.com".
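As an added example (not from the original notes or the research tooling), the breakdown above can be turned into a server-side input check: find encoded-words in a submitted address, decode them the way a decoding mailer would, and refuse the address if anything changes. The function names are hypothetical, and the samples are constructed except for the one taken from these notes.

```python
# Added illustration; function names are hypothetical, samples are constructed.
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_encoded_words(address):
    """Return the address as a mailer that expands encoded-words would see it."""
    def expand(match):
        charset, enc, text = match.groups()
        try:
            if enc.lower() == "q":
                # header=True also maps "_" to a space, as the Q encoding requires
                raw = quopri.decodestring(text.encode("ascii"), header=True)
            else:
                raw = base64.b64decode(text, validate=True)
            return raw.decode(charset)
        except (LookupError, ValueError):
            return match.group(0)  # unknown charset or bad data: keep the token
    return ENCODED_WORD.sub(expand, address)


def check_address(address):
    """Return (accepted, decoded_view, reasons) for a submitted address."""
    decoded = decode_encoded_words(address)
    reasons = []
    if ENCODED_WORD.search(address):
        reasons.append("encoded-word present")
    if decoded.count("@") != address.count("@"):
        reasons.append("decoding changes the number of @ signs")
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        reasons.append("decoded form contains whitespace or control characters")
    return (not reasons, decoded, reasons)


if __name__ == "__main__":
    samples = [
        "user@example.com",                      # constructed, plain address
        "=?utf-8?q?=41=42=43?=email@gmail.com",  # the example from these notes
        "foo=?utf-8?q?=40?=example.com",         # "@" passed through encoded-word
    ]
    for s in samples:
        print(s, "->", check_address(s))
```

Logging the decoded view next to the raw input makes it easy to see which domain the application validated and which address a decoding mailer would actually deliver to.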

![[Pasted image 20240911083053.png]]![[Pasted image 20240911083407.png]]

Burp Suite Collaborator should be used to generate a payload, and "collab" should be replaced with the generated payload. If an SMTP interaction occurs with the email address in the RCPT TO command during the SMTP conversation, such as abccollab@psres.net, it indicates a successful interaction.

This then proves the email parser is decoding the email with "encoded word".

Blending Options

![[Pasted image 20240911085342.png]]

![[Pasted image 20240911085405.png]]![[Pasted image 20240911091720.png]]