Wednesday, June 19, 2019

SMTP Injection

Introduction



In an SMTP command injection attack, user-supplied input is written into the application's dialogue with the mail server without being sanitised. SMTP is a line-oriented protocol: each command ends with a line terminator (CR LF, though many servers also accept a bare LF). An attacker who can place a line terminator inside a field such as the sender address therefore ends the current command and starts a new one of their choosing. The web application forwards the combined text to the back-end mail server, which executes the injected command exactly as if the application had issued it.


Impact



SMTP command injection can be used to add unauthorised recipients and send messages without the knowledge of the authorised sender. It can also be used to craft an entirely new message in which the attacker controls the headers as well as the body. An attacker can abuse the application as a relay to send a large volume of mail, or send phishing emails that the receiver believes originate from a trusted source, since they really do leave the victim organisation's mail server.

Where to test?



Every parameter that reaches a mail-related function in an application (sender, recipient, subject, body, and any hidden or fixed-looking fields) should be tested. Parameters that appear unrelated to mail should be tested as well, because applications often copy them into headers.

The vulnerable PHP code used in the walkthrough below is available at the first link under References.

How to test?


  • Navigate to the form as shown in Exhibit 1.


Exhibit 1
  • Fill the details as shown in Exhibit 2. 
Exhibit 2


  • Intercept the request using Burp Suite and replace the value of email_from with the payload “mario%40mari0.com%0a%0dRCPT%20TO:%20testsmtp@mari0.com”, then forward the request. The value is URL-encoded: it decodes to the legitimate address, a line break, and a second RCPT TO command naming a recipient the form never offered.
Exhibit 3


  • The server responds that the email has been sent. Check root's mailbox to confirm that the message reached the intended owner, as shown in Exhibit 4.


Exhibit 4


  • Now look at the testsmtp mailbox to see whether the same message was also delivered there. Exhibit 5 shows that the mail has been sent to testsmtp@mari0.com as well, so the injected RCPT TO command was executed by the mail server.
Exhibit 5
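To make the walkthrough concrete without a running lab, here is an added Python model of the flaw. It is not the lab's PHP code: it assumes, as the walkthrough describes, a client that interpolates the decoded email_from value straight into the SMTP envelope, and pairs it with a toy server-side parser that shows which recipients the MTA ends up with. The owner address root@mari0.com is constructed for the example; the payload is the one used above.

```python
"""Added example (not the lab's PHP code): a mail-sending client that
concatenates form input into the SMTP envelope, fed the exact email_from
payload from the walkthrough, next to a toy view of what the server parses."""
import re
from urllib.parse import unquote

# The payload from the walkthrough, as it appears URL-encoded in the request.
PAYLOAD = "mario%40mari0.com%0a%0dRCPT%20TO:%20testsmtp@mari0.com"
OWNER = "root@mari0.com"  # constructed: the contact form's intended recipient


def build_envelope_vulnerable(email_from: str, rcpt_to: str) -> str:
    """Model of the unsafe client (assumed behaviour of the lab): the decoded
    form value is interpolated into MAIL FROM with no line-terminator check."""
    return f"MAIL FROM: {email_from}\r\nRCPT TO: {rcpt_to}\r\nDATA\r\n"


def parse_envelope(stream: str) -> dict:
    """Toy view of the server side: split the command stream into lines the
    way a lenient SMTP server does (CRLF, or a bare LF or CR), then record
    the sender and every RCPT TO command that arrives."""
    seen = {"mail_from": None, "rcpt_to": []}
    for line in re.split(r"\r\n|\n|\r", stream):
        verb, _, arg = line.strip().partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            seen["mail_from"] = arg.strip()
        elif verb == "RCPT TO":
            seen["rcpt_to"].append(arg.strip())
    return seen


def recipients_for(encoded_from: str) -> list:
    """Decode the form value as the web server would, build the dialogue the
    vulnerable client sends, and return the recipients the MTA ends up with."""
    stream = build_envelope_vulnerable(unquote(encoded_from), OWNER)
    return parse_envelope(stream)["rcpt_to"]


if __name__ == "__main__":
    print("benign :", recipients_for("mario%40mari0.com"))
    print("payload:", recipients_for(PAYLOAD))
```

With the benign value the only recipient is the owner; with the payload the parser records testsmtp@mari0.com before it, which is exactly what Exhibits 4 and 5 show. One caveat for testing: the payload's %0a%0d is LF then CR, and the lab's server evidently accepted it, but the standard SMTP line terminator is CR LF (%0d%0a), so try that ordering as well when a target does not respond to the first.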


Remediation



Remediation is input validation. Reject any value that contains a carriage return or line feed, since a line terminator is what allows the input to end one SMTP command or mail header and begin another. The most robust approach is to whitelist the characters permitted in each field that ends up in an SMTP header or envelope address, rather than trying to strip known-bad sequences. When a value fails validation the application should refuse to send and return an error to the client; it should not attempt to clean the input and continue.
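The following is an added Python example of the validation described above; it is not the lab's code. The allow-lists, field names and error messages are choices made for the example. The address rule accepts the RFC 5322 atext characters in the local part and letters, digits, dots and hyphens in the domain, so no whitespace or control character (and therefore no CR or LF) can pass.

```python
"""Added example (not the lab's code): whitelist validation that stops the
email_from payload from the walkthrough before it reaches the mail server."""
import re

# Single address: atext characters plus '.' in the local part; letters,
# digits, '.' and '-' in the domain, not starting or ending with a separator.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"
)
# Free-text header value such as Subject: printable ASCII only, so CR, LF
# and every other control character are excluded.
HEADER_TEXT_RE = re.compile(r"[\x20-\x7e]*")


class SmtpInjectionError(ValueError):
    """Raised when a form value could alter the SMTP dialogue or headers."""


def check_address(value: str) -> str:
    """Return the value unchanged if it is one safe address, else raise."""
    # Checked first so the error names the real problem rather than a
    # generic character complaint.
    if "\r" in value or "\n" in value:
        raise SmtpInjectionError("line terminator in address")
    if not ADDRESS_RE.fullmatch(value):
        raise SmtpInjectionError("address contains disallowed characters")
    return value


def check_header_text(value: str) -> str:
    """Return the value unchanged if it is safe to place in a header, else raise."""
    if not HEADER_TEXT_RE.fullmatch(value):
        raise SmtpInjectionError("control character in header value")
    return value


def safe_envelope(email_from: str, rcpt_to: str, subject: str) -> dict:
    """Validate every field, then hand the parts to the mail API as separate
    arguments instead of one concatenated command string."""
    return {
        "mail_from": check_address(email_from),
        "rcpt_to": [check_address(rcpt_to)],
        "subject": check_header_text(subject),
    }


def is_safe(email_from: str, rcpt_to: str, subject: str = "") -> bool:
    """True if the form values would be sent; False if they would be rejected."""
    try:
        safe_envelope(email_from, rcpt_to, subject)
        return True
    except SmtpInjectionError:
        return False


if __name__ == "__main__":
    decoded_payload = "mario@mari0.com\n\rRCPT TO: testsmtp@mari0.com"
    print("benign :", is_safe("mario@mari0.com", "root@mari0.com", "hello"))
    print("payload:", is_safe(decoded_payload, "root@mari0.com", "hello"))
```

The decoded payload from the walkthrough fails the first check in check_address, and a subject of the form "hi\r\nBcc: x@y" fails check_header_text, so neither reaches the mail server. Note that fullmatch is used rather than match with a trailing $, because $ in Python also matches before a final newline and would let "a@b.c\n" through.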


References


https://github.com/RihaMaheshwari/SMTP-Injection
https://www.tecmint.com/setup-postfix-mail-server-in-ubuntu-debian/