An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

Execution Flow

1) Explore

[Identify Target Web-Mail Server] The adversary first identifies the web-mail server they wish to exploit.

2) Experiment

[Identify Vulnerable Parameters] Once the adversary has identified a web-mail server, they identify any vulnerable parameters by altering their values in requests. The adversary knows that the parameter is vulnerable if the web-mail server returns an error of any sort. Ideally, the adversary is looking for a descriptive error message.

Technique

• Assign a null value to a parameter being used by the web-mail server and observe the response.
• Assign a random value to a parameter being used by the web-mail server and observe the response.
• Add additional values to a parameter being used by the web-mail server and observe the response.
• Add non standard special characters (i.e.: \, ', ", @, #, !, |) to a parameter being used by the web-mail server and observe the response.
• Eliminate a parameter being used by the web-mail server and observe the response.

3) Experiment

[Determine Level of Injection] After identifying all vulnerable parameters, the adversary determines what level of injection is possible.

Technique

• Evaluate error messages to determine what IMAP/SMTP command is being executed for the vulnerable parameter. Sometimes the actually query will be placed in the error message.
• If there aren't descriptive error messages, the adversary will analyze the affected functionality to deduce the possible commands that could be being used by the mail-server.

4) Exploit

[Inject IMAP/SMTP Commands] The adversary manipulates the vulnerable parameters to inject an IMAP/SMTP command and execute it on the mail-server.

Technique

• Structure the injection as a header, body, and footer. The header contains the ending of the expected message, the body contains the injection of the new command, and the footer contains the beginning of the expected command.
• Each part of the injection payload needs to be terminated with the CRLF (%0d%0a) sequence.

Prerequisites

The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker.
The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server.
The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.

Resources Required

None: No specialized resources are required to execute this type of attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server.

Related Weaknesses

References

REF-49

OWASP Web Security Testing Guide
https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection

Submission

Modifications