Summary
The SMTP server does not handle invalid Base64 input during AUTH PLAIN and AUTH LOGIN authentication flows. A remote unauthenticated client can send syntactically accepted but semantically invalid Base64 data, causing Convert.FromBase64String to throw System.FormatException.
The exception is not converted into an SMTP authentication failure response and instead bubbles out of the session command loop, causing the session to fault and close.
Impact
- Vulnerability type: remote unauthenticated denial of service against an SMTP session
- Affected component: SMTP authentication command handling
- Attack complexity: low
- Authentication required: no
- User interaction required: no
- Scope: one connection/session per trigger
Repeated connections can repeatedly force session faults and may create excessive logs, monitoring noise, and avoidable per-session exception overhead.
Affected Code
src/SmtpServer/Protocol/AuthCommand.cs
Relevant call sites:
TryExtractFromBase64 calls Convert.FromBase64String(base64) without catching FormatException.TryLoginAsync decodes the initial LOGIN parameter with Convert.FromBase64String(Parameter) without catching FormatException.ReadBase64EncodedLineAsync decodes subsequent LOGIN lines with Convert.FromBase64String(text) without catching FormatException.
The session loop in src/SmtpServer/SmtpSession.cs only handles SmtpResponseException and OperationCanceledException. Other exceptions bubble to SmtpSessionManager, which raises SessionFaulted.
Root Cause
SmtpParser.TryMakeBase64 validates that the token consists of Base64 alphabet characters, but it does not validate Base64 length, padding, or full decodability. For example, A is accepted by the parser but rejected by Convert.FromBase64String.
The authentication command assumes parser acceptance is enough and performs unsafe Base64 decoding directly.
Expected Result
Invalid Base64 authentication data should produce an SMTP authentication failure or syntax error response, such as 535 Authentication failed, without faulting the session.
Recommended Fix
Handle Base64 decoding failures explicitly in authentication paths.
Suggested approaches:
- Replace direct
Convert.FromBase64String calls with a safe helper that catches FormatException.
- Return
false from authentication parsing when Base64 decoding fails.
- Optionally send a normal authentication failure response and keep the session under the configured authentication attempt limit.
Example direction:
static bool TryDecodeBase64(string value, out string decoded)
{
decoded = string.Empty;
try
{
decoded = Encoding.UTF8.GetString(Convert.FromBase64String(value));
return true;
}
catch (FormatException)
{
return false;
}
}Apply this pattern to AUTH PLAIN, initial AUTH LOGIN <base64>, username prompt response, and password prompt response.
Summary
The SMTP server does not handle invalid Base64 input during
AUTH PLAINandAUTH LOGINauthentication flows. A remote unauthenticated client can send syntactically accepted but semantically invalid Base64 data, causingConvert.FromBase64Stringto throwSystem.FormatException.The exception is not converted into an SMTP authentication failure response and instead bubbles out of the session command loop, causing the session to fault and close.
Impact
Repeated connections can repeatedly force session faults and may create excessive logs, monitoring noise, and avoidable per-session exception overhead.
Affected Code
src/SmtpServer/Protocol/AuthCommand.csRelevant call sites:
TryExtractFromBase64callsConvert.FromBase64String(base64)without catchingFormatException.TryLoginAsyncdecodes the initial LOGIN parameter withConvert.FromBase64String(Parameter)without catchingFormatException.ReadBase64EncodedLineAsyncdecodes subsequent LOGIN lines withConvert.FromBase64String(text)without catchingFormatException.The session loop in
src/SmtpServer/SmtpSession.csonly handlesSmtpResponseExceptionandOperationCanceledException. Other exceptions bubble toSmtpSessionManager, which raisesSessionFaulted.Root Cause
SmtpParser.TryMakeBase64validates that the token consists of Base64 alphabet characters, but it does not validate Base64 length, padding, or full decodability. For example,Ais accepted by the parser but rejected byConvert.FromBase64String.The authentication command assumes parser acceptance is enough and performs unsafe Base64 decoding directly.
Expected Result
Invalid Base64 authentication data should produce an SMTP authentication failure or syntax error response, such as
535 Authentication failed, without faulting the session.Recommended Fix
Handle Base64 decoding failures explicitly in authentication paths.
Suggested approaches:
Convert.FromBase64Stringcalls with a safe helper that catchesFormatException.falsefrom authentication parsing when Base64 decoding fails.Example direction:
Apply this pattern to
AUTH PLAIN, initialAUTH LOGIN <base64>, username prompt response, and password prompt response.