
New Video from @BlackHatOfficialYT Explores Email Parsing Vulnerabilities
In this video, the presenter explores vulnerabilities related to email address parsing, highlighting the complexities and security flaws that can arise. He begins by emphasizing the importance of email addresses in access controls, particularly for platforms like Slack and Cloudflare Zero Trust, which use email domains to apply access restrictions. However, predicting the destination of an email from its address is extremely complex, even for addresses compliant with RFC (Request for Comments), the documents governing Internet standards.

The presenter then delves into the historical and technical foundations of email addresses, explaining the different parts of an address and the special characters allowed. He provides concrete examples where seemingly valid email addresses can be routed to unexpected destinations due to specific behaviors of mail servers like Postfix and Sendmail. These behaviors include techniques like "source routing" and the "percent hack," which allow manipulation of the email's final destination.

A significant portion of the video is dedicated to "Unicode overflows," a technique for generating ASCII characters from higher Unicode characters. The presenter demonstrates how these overflows can be used to bypass validations and insert forbidden characters into SMTP conversations. He also explores "encoded words," a method for including Unicode characters in email addresses, and shows how this technique can be exploited to manipulate email addresses and bypass access controls.

The presenter shares several real-world case studies where these vulnerabilities have been exploited. For example, he shows how he bypassed email domain-based access restrictions in popular applications like GitLab, GitHub, and ZenDesk. He details the methods used, including the use of encoded characters and null characters to manipulate email addresses and deceive validation systems.
The video also covers "Punycode" attacks, a method of representing Unicode characters in the DNS system. The presenter explains how he exploited a PHP library to generate malicious characters and achieve remote code execution (RCE) on an application called Jumer. He demonstrates how, using "import chaining" techniques and a CSS exfiltration server, he extracted authentication tokens and gained administrative access.

In conclusion, the presenter shares his methodology for automating the exploitation of these vulnerabilities and offers defensive advice. He recommends filtering or disabling "encoded words," always verifying email addresses before use, and not relying solely on email domains for authorization. He also mentions tools he developed to facilitate exploiting these flaws, such as Hackvertor and Turbo Intruder, as well as a Punycode fuzzer. Finally, the presenter emphasizes the importance of not relying solely on email domains for access controls, as even valid addresses can be manipulated to bypass these controls. He invites viewers to practice their email security skills by participating in a CTF (Capture The Flag) he created and to try the attacks on a vulnerable version of Jumer available on GitHub. For more information, watch the full video at the following address: https://www.youtube.com/watch?v=Uky45wwqsO4
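The defensive advice at the end of the summary (filter encoded words, verify addresses before use, do not trust the apparent domain on its own) can be turned into a screening step that runs before an email domain is used for an access decision. The following is an added example written for this page, not code from the video or from the presenter's tools. It flags the parser-confusion patterns the summary names (source routing, the percent hack, RFC 2047 encoded words, null characters, and non-ASCII characters whose low byte or NFKC form becomes an SMTP-significant ASCII character). The function names, the character list and the sample addresses are assumptions made for the example; the Unicode overflow check goes slightly beyond the summary by also covering compatibility normalization, which produces ASCII from fullwidth characters in the same way.

```python
# Added example (not from the video or the presenter): a defensive screen for
# email addresses that flags the parser-confusion patterns the summary names
# (source routing, the percent hack, encoded words, null characters, Unicode
# overflows).  Function names, the character list and the sample addresses
# are assumptions made for this example.
import re
import unicodedata
from typing import Optional

# RFC 2047 encoded-word syntax: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?[^?]+\?[bBqQ]\?[^?]*\?=")

# ASCII characters that change routing or SMTP meaning if they reach a mail
# server unescaped (assumed list for this example).
SMTP_SIGNIFICANT = set('@%!:<>,;"\\ \r\n\x00')


def overflow_byte(ch: str) -> Optional[str]:
    """ASCII character obtained if a non-ASCII code point is truncated to its
    low byte (the 'Unicode overflow' effect), or None if no ASCII results.
    For instance U+0140 -> '@', U+0125 -> '%', U+0100 -> NUL."""
    cp = ord(ch)
    if cp < 0x80:
        return None
    low = cp & 0xFF
    return chr(low) if low < 0x80 else None


def screen_address(addr: str) -> list:
    """Return the reasons this address should not be trusted for
    domain-based access control; an empty list means nothing suspicious."""
    findings = []
    if "\x00" in addr:
        findings.append("null character")
    if ENCODED_WORD.search(addr):
        findings.append("RFC 2047 encoded word")
    # Split on the last '@', as a naive domain extraction would.
    local, sep, _domain = addr.rpartition("@")
    if not sep:
        findings.append("no @ separator")
    if "%" in local:
        findings.append("percent hack in local part")
    if "!" in local:
        findings.append("bang path in local part")
    if "@" in local:
        findings.append("extra @ in local part (ambiguous mailbox)")
    if local.startswith("@") or ":" in local:
        findings.append("RFC 821 source route in local part")
    for ch in addr:
        if ord(ch) >= 0x80:
            low = overflow_byte(ch)
            if low is not None and low in SMTP_SIGNIFICANT:
                findings.append(f"U+{ord(ch):04X} overflows to {low!r}")
            # Compatibility normalization can also yield ASCII (e.g. U+FF20 -> '@').
            folded = unicodedata.normalize("NFKC", ch)
            if folded != ch and any(c in SMTP_SIGNIFICANT for c in folded):
                findings.append(f"U+{ord(ch):04X} normalizes to {folded!r}")
    return findings


def trusted_domain(addr: str) -> Optional[str]:
    """Domain to use for an access decision, or None when the address carries
    any of the patterns above and the apparent domain cannot be relied on."""
    if screen_address(addr):
        return None
    return addr.rpartition("@")[2].lower()


if __name__ == "__main__":
    # Constructed sample addresses for illustration, not taken from the talk.
    for sample in ["alice@example.com",
                   "alice%attacker.example@example.com",
                   "=?utf-8?q?alice=40attacker.example?=@example.com",
                   "alice\u0140attacker.example@example.com",
                   "@attacker.example:alice@example.com"]:
        print(repr(sample), "->", trusted_domain(sample), screen_address(sample))
```

The screen is deliberately conservative: anything flagged yields no trusted domain, so the caller must fall back to actually verifying the mailbox (for example by sending a confirmation link) rather than granting access on the string alone, which is the core recommendation of the talk.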