{“lastseen”:”2025-12-29T22:25:46″,”description”:”## Executive Summary\\nA critical security vulnerability has been identified in `libcurl`’s SMTP protocol handler. The vulnerability allows for **SMTP Command Smuggling** and **Protocol Desynchronization** by injecting CRLF sequences into email address fields. This can be exploited to bypass security controls, forge emails, and smuggle arbitrary commands into the SMTP stream.\\n\\n## Vulnerability Details\\n\\n**1. Root Cause: Insufficient Input Validation**\\nThe function `smtp_parse_address` in `lib\/smtp.c` is responsible for parsing email addresses for options like `CURLOPT_MAIL_FROM`, `CURLOPT_MAIL_RCPT`, and `CURLOPT_MAIL_AUTH`. \\n\\nUnlike other parts of the SMTP handler (e.g., custom requests), this function does **not** use Curl_urldecode with `REJECT_CTRL` and does not perform any validation for control characters. It allows `\\\\r\\\\n` to pass through into the `suffix` component, which is later concatenated into raw protocol commands sent via Curl_pp_sendf.\\n\\n**2. Protocol Desynchronization (Response Smuggling)**\\nThe vulnerability is amplified by a failure in the SMTP state machine to detect \\”extra\\” responses from the server.\\n\\n`libcurl` uses a \\”pingpong\\” mechanism `lib\/pingpong.c` where it sends one command and waits for one response. If an attacker injects multiple commands (e.g., `MAIL FROM:\\u003caddr\\u003e\\\\r\\\\nQUIT`), the server sends multiple responses.\\n\\n**Code-Level Evidence (lib\/smtp.c):**\\n- **VULNERABLE**: The handlers for `MAIL`, `RCPT`, and `DATA` responses (lines 1152, 1173, 1233) **fail to check** the `pp.overflow` flag. They read the first response and proceed to the next state, leaving the injected responses in the buffer to be consumed as the \\”result\\” of subsequent legitimate commands.\\n- **PROTECTED**: The `STARTTLS` handler (line 930) correctly implements this check:\\n “`c\\n if(smtpc-\\u003epp.overflow)\\n return CURLE_WEIRD_SERVER_REPLY;\\n “`\\nThe absence of this check in core mail-sending states allows an attacker to desynchronize the client-server state, causing curl to misinterpret the success or failure of later commands based on injected responses.\\n\\n## Proof of Concept (PoC)\\n\\n{F5166562}\\n{F5166563}\\n\\n### Reproduction Steps\\n\\n### Step 1: Start the Mock SMTP Server\\nRun the following command in a terminal to start the mock server. This server logs every command received and highlights when it processes smuggled instructions.\\n{F5166566}\\n\\n“`\\npython3 smtp_repro.py\\n“`\\n\\n### Step 2: Run the Exploit Command\\nIn a **different** terminal, run the following curl command. We use a specially crafted `–mail-from` that includes a smuggled `RCPT TO` and `DATA` block.\\n\\n“`bash\\ncurl -v smtp:\/\/localhost:2525 \\\\\\n –mail-from $’\\u003cattacker@example.com\\u003e\\\\r\\\\nRCPT TO:\\u003cvictim@internal.trust\\u003e\\\\r\\\\nDATA\\\\r\\\\nSubject: Smuggled!\\\\r\\\\n\\\\r\\\\nThis email bypasses legitimate recipient lists!\\\\r\\\\n.\\\\r\\\\n’ \\\\\\n –mail-rcpt \\”legit@example.com\\” \\\\\\n –upload-file \/dev\/null\\n“`\\n\\n### Step 3: Observe the Desynchronization\\n\\n### Server-Side Output (Terminal 1)\\nThe Python server will show that it received a single block of data but interpreted it as **multiple independent SMTP commands**:\\n“`text\\n[!] Received Data Block (potentially containing multiple commands):\\n [C-\\u003eS] MAIL FROM:\\u003cattacker@example.com\\u003e\\n [C-\\u003eS] RCPT TO:\\u003cvictim@internal.trust\\u003e\\n [C-\\u003eS] DATA\\n [C-\\u003eS] Subject: Smuggled!\\n…\\n[!] EXPLOIT: Server is executing SMUGGLED command: RCPT TO:\\u003cvictim@internal.trust\\u003e\\n[!] EXPLOIT: Server is entering SMUGGLED DATA phase\\n“`\\n\\n### Protocol Desynchronization Proof\\nWatch the final lines of the server log:\\n1. curl sends its \\”legitimate\\” `RCPT TO:\\u003clegit@example.com\\u003e`.\\n2. curl reads the next available bytes from the socket.\\n3. Due to the injection, the **next response** in the socket is the `354` or `250` for the *injected* commands.\\n4. curl treats this smuggled response as the validation for `legit@example.com`.\\n\\n**Actual `curl -v` Impact**:\\ncurl logs will report that it successfully sent the mail to `legit@example.com`, but in reality, the response it verified was for the smuggled recipient `victim@trust.internal`. The legitimate email might even fail, yet curl could report success if the injected commands were crafted to align with the expected response codes.\\n\\n## Recommendations\\n1. **Implement `REJECT_CTRL`**: Update smtp_parse_address `curl-master\/lib\/smtp.c#1825-1906` to reject control characters.\\n2. **Universal Overflow Enforcement**: Add `pp.overflow` validation to all SMTP state response handlers (MAIL, RCPT, DATA, VRFY, EXPN) to ensure client-server state synchronization.\\n\\n## Impact\\n\\n- **Email Fraud\/Spoofing**: Forge sender addresses and inject arbitrary headers.\\n- **Unauthorized Distribution**: Send emails to undisclosed recipients by smuggling `RCPT TO` commands.\\n- **Protocol Smuggling**: Use `curl-master\/lib\/urlapi.c#1271-1277` as an SSRF proxy to tunnel commands into internal SMTP relays.”,”published”:”2025-12-29T17:23:17″,”modified”:”2025-12-29T21:28:54″,”type”:”hackerone”,”title”:”curl: SMTP CRLF Injection \\u0026 Protocol Desynchronization in libcurl”,”source”:””,”references”:””,”id”:”H1:3481595″,”bulletinFamily”:”bugbounty”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/hackerone.com\/reports\/3481595″,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-29T22:25:46″,”description”:”## Executive Summary\\nA critical security vulnerability has been identified in `libcurl`’s SMTP protocol handler. The vulnerability allows for **SMTP Command Smuggling** and **Protocol Desynchronization** by…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,117,13,33,7,11,5],"class_list":["post-33186","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-hackerone","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n