Testing for IMAP/SMTP Injection (OTG-INPVAL-011)

[Up]

Brief Summary
This threat affects all those applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not properly sanitized.

Description of the Issue
The IMAP/SMTP Injection technique is more effective if the mail server is not directly accessible from Internet. Where full communication with the backend mail server is possible, it is recommended to make a direct testing.

An IMAP/SMTP Injection makes possible to access a mail server which previously did not have direct access from the Internet. In some cases, these internal systems do not have the same level of infrastructure security hardening applied to the front-end web servers: so the mail server results more exposed to successful attacks by end users (see the scheme presented in Figure 1).

Figure 1 - Communication with the mail servers using the IMAP/SMTP Injection technique.

Figure 1 depicts the flow control of traffic generally seen when using webmail technologies. Step 1 and 2 is the user interacting with the webmail client, whereas step 2' is the tester bypassing the webmail client and interacting with the back-end mail servers directly.

This technique allows a wide variety of actions and attacks. The possibilities depend on the type and scope of injection and the mail server technology being tested.

Some examples of attacks using the IMAP/SMTP Injection technique are:
 * Exploitation of vulnerabilities in the IMAP/SMTP protocol
 * Application restrictions evasion
 * Anti-automation process evasion
 * Information leaks
 * Relay/SPAM

Black Box testing and example
The standard attacks pattern are: Identifying vulnerable parameters
 * Identifying vulnerable parameters
 * Understanding the data flow and deployment structure of the client
 * IMAP/SMTP command injection

In order to detect vulnerable parameters requires the tester has to analyse the applications ability in handling input. Input validation testing requires the tester to send bogus, or malicious, requests to the server and analyse the response. In a secure developed application, the response should be an error with some corresponding action telling the client something has gone wrong. In a not secure application the malicious request may be processed by the back-end application that will answer with a "HTTP 200 OK" response message.

It is important to notice that the requests being sent should match the technology being tested. Sending SQL injection strings for Microsoft SQL server when a MySQL server is being used will result in false positive responses. In this case, sending malicious IMAP commands is modus operandi since IMAP is the underlying protocol being tested.

IMAP special parameters that should be used are:

In this testing example, the "mailbox" parameter is being tested by manipulating all requests with the parameter in: http:// /src/read_body.php?mailbox=INBOX&passed_id=46106&startMessage=1 The following examples can be used. http:// /src/read_body.php?mailbox=&passed_id=46106&startMessage=1 http:// /src/read_body.php?mailbox=NOTEXIST&passed_id=46106&startMessage=1 http:// /src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1 http:// /src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1 http:// /src/read_body.php?passed_id=46106&startMessage=1
 * Left the parameter with a null value:
 * Substitute the value with a random value:
 * Add other values to the parameter:
 * Add non standard special characters (i.e.: \, ', ", @, #, !, |):
 * Eliminate the parameter:

The final result of the above testing gives the tester three possible situations: S1 - The application returns a error code/message S2 - The application does not return an error code/message, but it does not realize the requested operation S3 - The application does not return an error code/message and realizes the operation requested normally

Situations S1 and S2 represent sucessful IMAP/SMTP injection.

An attacker's aim is receiving the S1 response as its an indicator that the application is vulnerable to injection and further manipulation.

Let's suppose that a user visualizes the email headers across the following HTTP request: http:// /src/view_header.php?mailbox=INBOX&passed_id=46105&passed_ent_id=0

An attacker might modify the value of the parameter INBOX by injecting the character " (%22 using URL encoding): http:// /src/view_header.php?mailbox=INBOX%22&passed_id=46105&passed_ent_id=0

In this case the application answer will be: ERROR: Bad or malformed request. Query: SELECT "INBOX"" Server responded: Unexpected extra arguments to Select

S2 is a harder testing technique to sucessfully execute. The tester needs to use blind command injection in order to determine if the server is vulnerable.

On the other hand, the last scene (S3) does not have relevancy in this paragraph. Result Expected: Understanding the data flow and deployment structure of the client
 * List of vulnerable parameters
 * Affected functionality
 * Type of possible injection (IMAP/SMTP)

After having identifying all vulnerable parameters (for example, "passed_id"), the tester needs to determine what level of injection is possible and then draw up a testing plan to further exploit the application.

In this test case, we have detected that the application's "passed_id" is vulnerable and used in the following request: http:// /src/read_body.php?mailbox=INBOX&passed_id=46225&startMessage=1

Using the following test case (to use an alphabetical value when a numerical value is required): http:// /src/read_body.php?mailbox=INBOX&passed_id=test&startMessage=1

will generate the following error message: ERROR : Bad or malformed request. Query: FETCH test:test BODY[HEADER] Server responded: Error in IMAP command received by server.

In the previous example, the other error message returned the name of the executed command and the associate parameters.

In other situations, the error message ("not controlled" by the application) contains the name of the executed command, but reading the suitable RFC (see "Reference" paragraph) allows the tester understand what other possible commands can be executed.

If the application does not return descriptive error messages, the tester needs to analyze the affected functionality to understand possible deduce all possible commands (and parameters) associated with the above mentioned functionality. For example, if the detection of the vulnerable parameter has been realized trying to create a mailbox, it turns out logical to think that the IMAP command affected will be "CREATE" and, according to the RFC, it contains a only parameter which value corresponds to the mailbox name that is expected to create. Result Expected: IMAP/SMTP command injection
 * List of IMAP/SMTP commands affected
 * Type, value and number of parameters waited by the affected IMAP/SMTP commands

Once the tester has identified vulnerable parameters and has analyzed the context in which it is executed, the next stage is exploiting the functionality.

This stage has two possible outcomes: 1. The injection is possible in an unauthenticated state: the affected functionality does not require the user to be authenticated. The injected (IMAP) commands available are limited to: CAPABILITY, NOOP, AUTHENTICATE, LOGIN and LOGOUT. 2. The injection is only possible in an authenticated state: the sucessful exploitation requires the user to be fully authentication before testing can continue

In any case, the typical structure of an IMAP/SMTP Injection is as follows:
 * Header: ending of the expected command;
 * Body: injection of the new command;
 * Footer: beginning of the expected command.

It is important to state that in order to execute the IMAP/SMTP command, the previous one must have finished with the CRLF (%0d%0a) sequence. Let's suppose that in the stage 1 ("Identifying vulnerable parameters"), the attacker detects the parameter "message_id" of the following request as a vulnerable parameter: http:// /read_email.php?message_id=4791

Let's suppose also that the outcome of the analysis performed in the stage 2 ("Understanding the data flow and deployment structure of the client ") has identified the command and arguments associated with this parameter: FETCH 4791 BODY[HEADER]

In this scene, the IMAP injection structure would be: http:// /read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791

Which would generate the following commands: ???? FETCH 4791 BODY[HEADER] V100 CAPABILITY V101 FETCH 4791 BODY[HEADER]

where: Header = 4791 BODY[HEADER] Body  = %0d%0aV100 CAPABILITY%0d%0a Footer = V101 FETCH 4791 Result Expected:
 * Arbitrary IMAP/SMTP command injection