Damion Brown's Blog

D97A 07F3 DCB1 302D

Failing authorization to an SMTP Relay: An Implication of Innocent Web Design


  • Mon 11 September 2017
  • Debug

tl;dr: A maximum character limit in the Konica Minolta BizHub c284 configuration web GUI results in the API key being unknowingly truncated.


We had a printer that was refusing to work with SendGrid SMTP Relaying.

It was easy enough to telnet to smtp.sendgrid.net on port 25, start a plaintext authentication and successfully authenticate to the relay using base64-encoded API keys. Replicating the same settings on the printer constantly resulted in error messages featuring an extraordinarily low level of verbosity: "Deleted Due To Error."

image0

You see that "2543"? It seems fair to assume that clicking it would give more information. Nope.

image1

Thanks Konica.

Moving right along, our network has the wonderful capability of performing a live man-in-the-middle (MITM)-style packet capture (on the LAN or WAN interface). What's to see?

image2 "535 Authentication failed: The provided authorization grant is invalid, expired, or revoked"

That's more or less the smoking gun right there. We can confirm this by base64 encoding the actual API key and comparing it to the one transmitted above.

image3

We can see the packet capture ends with "ZGFiVA==" and the control ends with "ZGFiVHFNZzVz". Base64 is encoding, not encryption, so the shorter encoded value means the string itself is being truncated somewhere before the printer transmits it. The simplest answer is often the correct one: HTML input fields often set an upper limit on text entry.
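The comparison above, written as an added example (not code from the original post): it decodes the AUTH value seen in a capture and checks whether it is a strict prefix of the intended key. The key is constructed so that its ending reproduces the two strings quoted above; the key layout and the 64-character cut-off are assumptions, not values from the post.

```python
import base64
import binascii


def diagnose_auth_secret(captured_b64, expected_secret):
    """Compare a base64 credential seen on the wire with the intended secret.

    Returns (verdict, sent_len). verdict is "match", "truncated",
    "mismatch" or "invalid-base64"; sent_len is the decoded byte length.
    """
    try:
        sent = base64.b64decode(captured_b64, validate=True)
    except (binascii.Error, ValueError):
        return ("invalid-base64", None)
    expected = expected_secret.encode("ascii")
    if sent == expected:
        return ("match", len(sent))
    # A strict prefix means something upstream cut the secret short,
    # for example a maxlength attribute on the form field it was typed into.
    if expected.startswith(sent):
        return ("truncated", len(sent))
    return ("mismatch", len(sent))


def wire_value(secret, field_limit=None):
    """Base64 value a client would send if its input field kept
    only the first field_limit characters (None = no limit)."""
    kept = secret if field_limit is None else secret[:field_limit]
    return base64.b64encode(kept.encode("ascii")).decode("ascii")


# Constructed 69-character sample key, NOT a real credential. Only the
# last nine characters are chosen to match the strings quoted in the post.
SAMPLE_KEY = "SG." + "A" * 22 + "." + "B" * 34 + "dabTqMg5s"
ASSUMED_FIELD_LIMIT = 64  # assumption for this example

if __name__ == "__main__":
    control = wire_value(SAMPLE_KEY)
    captured = wire_value(SAMPLE_KEY, ASSUMED_FIELD_LIMIT)
    print("control ends with :", control[-12:])
    print("capture ends with :", captured[-8:])
    print("diagnosis         :", diagnose_auth_secret(captured, SAMPLE_KEY))
```

Because base64 encodes three bytes at a time, a truncated secret produces an encoded value that shares its leading characters with the control and differs only at the tail, which is why comparing the ends of the two strings is enough to spot the problem.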

image4

Easy. Modified the value and hoped the printer accepted longer passwords than the webGUI allowed for (it did, thank god).

Ran another scan, checked the packet capture:

image5

Damn. All of this would have taken significantly less time had the error message provided by the printer's interface been more descriptive than that of an engine light.

NB: Back up here in SMTP 535, the printer gracefully closes the connection. This didn't happen after a delay either: the printer recognized that an error occurred and closed the connection, yet still did not report the verbose, key error message.

image6