MITMsmtp: Pentesting SMTP Clients

With CVE-2019-5456 I found a security vulnerability in Unifi Controller which enabled an attacker to catch emails sent by the controller even if the TLS should have been enforced.

The attack was possible as the controller didn’t validate the server side certificate. Even worse the connection could be downgraded to plaintext if the server didn’t respond correctly to a TLS request.

The issue could be easily reproduced by writing a small Python SMTP server which offered a few options like password logging. Additionally I enhanced MITMsmtp for TLS and STARTTLS support and message logging. This way SMTP clients can be easily tested for such a dangerous behavior.

Ubiquiti paid a bug bounty of $1,604. Thanks for that. After I received the bounty I decided to spend some time to improve and publish MITMsmtp on GitHub. Feel free to make the world a bit less insecure and use a tool which was indirectly supported by a bug bounty.

Notify of
Inline Feedbacks
View all comments