Difference between revisions of "Testing for IMAP/SMTP Injection (OWASP-DV-011)"

From OWASP
Jump to: navigation, search
(Description of the Issue)
(Black Box testing and example)
Line 26: Line 26:
  
 
== Black Box testing and example ==
 
== Black Box testing and example ==
Usually the main steps of the attack pattern are the following:
+
The standard attack pattern is as follows:
 
* Identifying vulnerable parameters
 
* Identifying vulnerable parameters
* To understand the scope of operation
+
* Understanding the data flow and deployment structure of the client
 
* IMAP/SMTP command injection
 
* IMAP/SMTP command injection
 
<br>
 
<br>
 
'''Identifying vulnerable parameters'''
 
'''Identifying vulnerable parameters'''
 
----
 
----
To detect a vulnerable parameter implies analyzing all the input data to the application. This analysis will consist, as it happens in similar injections, in probing abuse cases (doing requests with no expected values by the application) and analyzing both the response and the behavior of the application.
+
In oreder to detect vulnerable parameters requires the tester to analyse the applications ability in handling input. Input validation testing requires the tester to send bogus, or malicious, requests to the client and analyse the response. In a securely developed application, the response should be that of a error with some corresponding action telling the client something has gone wrong, in a insecure application the malicious request may be processed by the back-end application and met with a HTTP 200 OK response message.
  
In this case, the auditor/attacker possesses additional information: the input data susceptible of being vulnerable will be all those used in the communication with the mail servers. Depending on the protocol in which the vulnerable parameter is used, we will speak about IMAP Injection (attacks to the IMAP protocol) or SMTP Injection (attacks to the SMTP protocol).
+
It is important to state that the requests being sent should match the technology being tested. Sending SQL injection strings for Microsoft SQL server when a MySQL server is being used will result in false positive responses. In this case, sending malicious IMAP commands is modus operandi since IMAP is the underlying protocol being tested.  
  
The parameters on which it is necessary to give special attention are those used in the following operations:
+
IMAP special parameters that should be used are:
 
{| border=1
 
{| border=1
 
  || '''On the IMAP server''' || '''On the SMTP server'''
 
  || '''On the IMAP server''' || '''On the SMTP server'''
Line 55: Line 55:
 
|}
 
|}
  
Since it has been mentioned previously, on each of the parameters related to these operations must be analyzed the abuse cases.
 
 
   
 
   
Let's suppose that one wants to analyze the parameter "mailbox" of the following request:
+
In this testing example, the "mailbox" parameter is being tested by manipulating all requests with the parameter in:
 
<pre>
 
<pre>
 
http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=46106&startMessage=1
 
http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=46106&startMessage=1
 
</pre>
 
</pre>
The following examples can be used with this aim.
+
The following examples can be used.
 
* Left the parameter with a null value:<br>
 
* Left the parameter with a null value:<br>
 
<pre>
 
<pre>
Line 74: Line 73:
 
http://<webmail>/src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1
 
http://<webmail>/src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1
 
</pre>
 
</pre>
* Add other non usual characters (i.e.: \, ', ", @, #, !, |):<br>
+
* Add non standard special characters (i.e.: \, ', ", @, #, !, |):<br>
 
<pre>
 
<pre>
 
http://<webmail>/src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1
 
http://<webmail>/src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1
 
</pre>
 
</pre>
* To eliminate the parameter:<br>
+
* Eliminate the parameter:<br>
 
<pre>
 
<pre>
 
http://<webmail>/src/read_body.php?passed_id=46106&startMessage=1
 
http://<webmail>/src/read_body.php?passed_id=46106&startMessage=1
 
</pre>
 
</pre>
  
As result of a abuse case, we can meet three situations: <br>
+
The end result of the above testing gives the tester three possible situations: <br>
 
S1 - The application returns a error code/message <br>
 
S1 - The application returns a error code/message <br>
 
S2 - The application does not return a error code/message, but it does not realize the requested operation <br>
 
S2 - The application does not return a error code/message, but it does not realize the requested operation <br>
 
S3 - The application does not return a error code/message and realizes the operation requested with normality <br>
 
S3 - The application does not return a error code/message and realizes the operation requested with normality <br>
  
The scenes S1 and S2 represent situations in which the IMAP/SMTP Injection technique can haver had success.
+
Situations S1 and S2 represent sucessful IMAP/SMTP injection.
  
From the point of view of an attacker the S1 is the wished situation because the own error message allows him to detect easily the vulnerable parameter, and to know closely the context in which the above mentioned parameter is executed.
+
An attacker's aim is receiving the S1 response as its an indicator that the application is vulnerable to injection and further manipulation
  
For example, let's suppose that the query on the email headers generates the next request:
+
Another testing technique is to manipulate the email headers:
 
<pre>
 
<pre>
 
http://<webmail>/src/view_header.php?mailbox=INBOX&passed_id=46105&passed_ent_id=0
 
http://<webmail>/src/view_header.php?mailbox=INBOX&passed_id=46105&passed_ent_id=0
 
</pre>
 
</pre>
  
An attacker might modify the value of the parameter INBOX injecting the character " (%22 using URL encoding):
+
An attacker might modify the value of the parameter INBOX by injecting the character " (%22 using URL encoding):
 
<pre>
 
<pre>
 
http://<webmail>/src/view_header.php?mailbox=INBOX%22&passed_id=46105&passed_ent_id=0
 
http://<webmail>/src/view_header.php?mailbox=INBOX%22&passed_id=46105&passed_ent_id=0
 
</pre>
 
</pre>
  
Obtaining the following response of the application:
+
In which the application responds:
 
<pre>
 
<pre>
 
ERROR: Bad or malformed request.
 
ERROR: Bad or malformed request.
Line 109: Line 108:
 
</pre>
 
</pre>
  
The scene S2 is a particular case of the IMAP/SMTP Injection technique. In this case, the attacker will have to realize an command injection blindly (Blind IMAP/SMTP Injection).
+
S2 is a harder testing technique to sucessfully execute. The tester needs to use blind command injection in order to determine if the server is vulnerable
  
 
On the other hand, the last scene (S3) does not have relevancy in this paragraph.
 
On the other hand, the last scene (S3) does not have relevancy in this paragraph.
Line 120: Line 119:
 
'''To understand the scope of operation'''
 
'''To understand the scope of operation'''
 
----
 
----
After having identified a vulnerable parameter (for example, "passed_id"), the affected functionality (for example, reading of emails) and the type of possible injection (for example, IMAP Injection), the next step before the commands injection consists of understanding the context in which the vulnerable parameter is executed.
+
After having identifying all vulnerable parameters (for example, "passed_id"), the tester needs to determine what level of injection is possible and then draw up a testing plan to further exploit the application.
  
If the application returns error messages, to identify the attacked command can turn out an easy task.
 
  
Let's suppose that as result of the previous phase, we have detected the vulnerable parameter "passed_id" used in the following request:
+
In this test case, we have detected that the application's "passed_id" is vulnerable and used in the following request:
 
<pre>
 
<pre>
 
http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=46225&startMessage=1
 
http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=46225&startMessage=1
 
</pre>
 
</pre>
  
and using the following abuse case (to use an alphabetical value when a numerical value is waited):
+
Using the following test case (to use an alphabetical value when a numerical value is required):
 
<pre>
 
<pre>
 
http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=test&startMessage=1
 
http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=test&startMessage=1
 
</pre>
 
</pre>
  
generates the following error message:
+
will generate the following error message:
 
<pre>
 
<pre>
 
ERROR : Bad or malformed request.
 
ERROR : Bad or malformed request.
Line 141: Line 139:
 
</pre>
 
</pre>
  
In the previous example, the own error message has returned the name of the executed command and the associate parameters.
+
In the previous example, the other error message returned the name of the executed command and the associate parameters.
  
In other occasions, the error message ("not controlled" by the application) only it contains the name of the executed command, but a reading to the suitable RFC (see "Reference" paragraph) allows to deduce the rest of information that we expect to obtain as result of this phase.
+
In other occasions, the error message ("not controlled" by the application) contains the name of the executed command, but reading the suitable RFC (see "Reference" paragraph) allows the tester understand what other possible commands can be executed.
  
If the application does not return sufficiently descriptive error messages, the attacker will have to analyze the affected functionality to deduce the possible commands (and parameters) associated with the above mentioned functionality. For example, if the detection of the vulnerable parameter has been realized trying to create a mailbox, it turns out logical to think that the IMAP command affected will be "CREATE" and, according to the RFC, it contains a only parameter which value corresponds to the mailbox name that is expected to create.
+
If the application does not return descriptive error messages, the tester needs to analyze the affected functionality to understand possible deduce all possible commands (and parameters) associated with the above mentioned functionality. For example, if the detection of the vulnerable parameter has been realized trying to create a mailbox, it turns out logical to think that the IMAP command affected will be "CREATE" and, according to the RFC, it contains a only parameter which value corresponds to the mailbox name that is expected to create.
 
<br><br>
 
<br><br>
 
'''Result Expected:'''<br>
 
'''Result Expected:'''<br>
Line 153: Line 151:
 
'''IMAP/SMTP command injection'''
 
'''IMAP/SMTP command injection'''
 
----
 
----
When the attacker has identified a vulnerable parameter and has analyzed the context in which it is executed, he is in disposition to materialize his attack.
+
Once the tester has identified vulnerable parameters and has analyzed the context in which it is executed, the next stage is exploiting functionality.
  
In this point, we can meet two scenes:<br>
+
This stage has two possible outcomes:<br>
1. The injection is possible in an not authenticated state: the affected functionality does not need that the user has been authenticated before, that is to say, is in a public zone of the application. In this case, the possible injected (IMAP) commands are limited to: CAPABILITY, NOOP, AUTHENTICATE, LOGIN and LOGOUT.<br>  
+
1. The injection is possible in an unauthenticated state: the affected functionality does not require the user to be authenticated. The injected (IMAP) commands available are limited to: CAPABILITY, NOOP, AUTHENTICATE, LOGIN and LOGOUT.<br>  
2. The injection is possible in an authenticated state: the exploitation of this vulnerability needs that the user has authentication credentials to accede to the affected functionality.
+
2. The injection is only possible in an authenticated state: the sucessful exploitation requires the user to be fully authentication before testing can continue
  
In any case, the typical structure of an IMAP/SMTP Injection is the following one:
+
In any case, the typical structure of an IMAP/SMTP Injection is as follows:
 
* Header: ending of the expected command;
 
* Header: ending of the expected command;
 
* Body: injection of the new command;
 
* Body: injection of the new command;
 
* Footer: beginning of the expected command.
 
* Footer: beginning of the expected command.
  
At this moment is necessary to remember that in order that a IMAP/SMTP command is executed, the previous one must have finished with the CRLF (%0d%0a) sequence. Let's see an example.
+
It is important to state that in order to execute the IMAP/SMTP command, the previous one must have finished with the CRLF (%0d%0a) sequence.  
 
+
 
Let's suppose that in the stage 1 ("Identifying vulnerable parameters"), the attacker detects the parameter "message_id" of the following request as a vulnerable parameter:
 
Let's suppose that in the stage 1 ("Identifying vulnerable parameters"), the attacker detects the parameter "message_id" of the following request as a vulnerable parameter:
 
<pre>
 
<pre>
Line 171: Line 168:
 
</pre>
 
</pre>
  
Let's suppose also that the analysis realized in the stage 2 ("To understand the scope of operation") has allowed to identify the command and arguments associated with this parameter:
+
Let's suppose also that the outcome of the analysis performed in the stage 2 ("Understanding the data flow and deployment structure of the client
 +
") has identified the command and arguments associated with this parameter:
 
<pre>
 
<pre>
 
FETCH 4791 BODY[HEADER]
 
FETCH 4791 BODY[HEADER]
 
</pre>
 
</pre>
  
In this scene, the IMAP injection structure would be the following one:
+
In this scene, the IMAP injection structure would be:
 
<pre>
 
<pre>
 
http://<webmail>/read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791
 
http://<webmail>/read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791
 
</pre>
 
</pre>
  
What would generate the execution of the following commands:
+
Which would generate the following commands:
 
<pre>
 
<pre>
 
???? FETCH 4791 BODY[HEADER]
 
???? FETCH 4791 BODY[HEADER]

Revision as of 06:28, 6 November 2006

OWASP Testing Guide v2 Table of Contents

Contents


Brief Summary

This threat affect all those applications that they communicate with mail servers (IMAP/SMTP), generally webmail applications. The aim of this test is to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers with that one communicates the web application, due to input data that they have not been sanitized correctly.

Description of the Issue

The IMAP/SMTP Injection technique is more effective if the mail servers, in which the webmail application uses to communicate, are not directly accessible from Internet. In cases where full communication with the backend servers is possible, it is recommended that direct testing be completed.

Using this testing technique it becomes available to test servers which previously did not have direct internet access. In some cases, these internal systems do not have the same level of infrastructure security hardening applied as the front-end web servers, and therefore are more open to attack by attackers and users (see the scheme presented in Figure 1).

Imap-smtp-injection.png Figure 1 - Communication with the mail servers using the IMAP/SMTP Injection technique.

Figure 1 depicts the flow control of traffic generally seen when using webmail technologies. Step 1 and 2 is the user interacting with the webmail client, whereas step 2' is the attacker bypassing the webmail client and interacting with the back-end mail servers directly.

Using this technique allows a wide variety of actions and attacks. The possibilities depend on the type and scope of injection and the mail server technology being attacked.

Some examples of attacks using the IMAP/SMTP Injection technique are:

  • Exploitation of vulnerabilities in the IMAP/SMTP protocol
  • Application restrictions evasion
  • Anti-automation process evasion
  • Information leaks
  • Relay/SPAM

Black Box testing and example

The standard attack pattern is as follows:

  • Identifying vulnerable parameters
  • Understanding the data flow and deployment structure of the client
  • IMAP/SMTP command injection


Identifying vulnerable parameters


In oreder to detect vulnerable parameters requires the tester to analyse the applications ability in handling input. Input validation testing requires the tester to send bogus, or malicious, requests to the client and analyse the response. In a securely developed application, the response should be that of a error with some corresponding action telling the client something has gone wrong, in a insecure application the malicious request may be processed by the back-end application and met with a HTTP 200 OK response message.

It is important to state that the requests being sent should match the technology being tested. Sending SQL injection strings for Microsoft SQL server when a MySQL server is being used will result in false positive responses. In this case, sending malicious IMAP commands is modus operandi since IMAP is the underlying protocol being tested.

IMAP special parameters that should be used are:

On the IMAP server On the SMTP server
Authentication Emissor e-mail
operations with mail boxes (list, read, create, delete, rename) Destination e-mail
operations with messages (read, copy, move, delete) Subject
Disconnection Message body
Attached files


In this testing example, the "mailbox" parameter is being tested by manipulating all requests with the parameter in:

http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=46106&startMessage=1

The following examples can be used.

  • Left the parameter with a null value:
http://<webmail>/src/read_body.php?mailbox=&passed_id=46106&startMessage=1
  • Substitute the value with a random value:
http://<webmail>/src/read_body.php?mailbox=NOTEXIST&passed_id=46106&startMessage=1
  • Add other values to the parameter:
http://<webmail>/src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1
  • Add non standard special characters (i.e.: \, ', ", @, #, !, |):
http://<webmail>/src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1
  • Eliminate the parameter:
http://<webmail>/src/read_body.php?passed_id=46106&startMessage=1

The end result of the above testing gives the tester three possible situations:
S1 - The application returns a error code/message
S2 - The application does not return a error code/message, but it does not realize the requested operation
S3 - The application does not return a error code/message and realizes the operation requested with normality

Situations S1 and S2 represent sucessful IMAP/SMTP injection.

An attacker's aim is receiving the S1 response as its an indicator that the application is vulnerable to injection and further manipulation

Another testing technique is to manipulate the email headers:

http://<webmail>/src/view_header.php?mailbox=INBOX&passed_id=46105&passed_ent_id=0

An attacker might modify the value of the parameter INBOX by injecting the character " (%22 using URL encoding):

http://<webmail>/src/view_header.php?mailbox=INBOX%22&passed_id=46105&passed_ent_id=0

In which the application responds:

ERROR: Bad or malformed request.
Query: SELECT "INBOX""
Server responded: Unexpected extra arguments to Select

S2 is a harder testing technique to sucessfully execute. The tester needs to use blind command injection in order to determine if the server is vulnerable

On the other hand, the last scene (S3) does not have relevancy in this paragraph.

Result Expected:

  • List of vulnerable parameters
  • Affected functionality
  • Type of possible injection (IMAP/SMTP)


To understand the scope of operation


After having identifying all vulnerable parameters (for example, "passed_id"), the tester needs to determine what level of injection is possible and then draw up a testing plan to further exploit the application.


In this test case, we have detected that the application's "passed_id" is vulnerable and used in the following request:

http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=46225&startMessage=1

Using the following test case (to use an alphabetical value when a numerical value is required):

http://<webmail>/src/read_body.php?mailbox=INBOX&passed_id=test&startMessage=1

will generate the following error message:

ERROR : Bad or malformed request.
Query: FETCH test:test BODY[HEADER]
Server responded: Error in IMAP command received by server.

In the previous example, the other error message returned the name of the executed command and the associate parameters.

In other occasions, the error message ("not controlled" by the application) contains the name of the executed command, but reading the suitable RFC (see "Reference" paragraph) allows the tester understand what other possible commands can be executed.

If the application does not return descriptive error messages, the tester needs to analyze the affected functionality to understand possible deduce all possible commands (and parameters) associated with the above mentioned functionality. For example, if the detection of the vulnerable parameter has been realized trying to create a mailbox, it turns out logical to think that the IMAP command affected will be "CREATE" and, according to the RFC, it contains a only parameter which value corresponds to the mailbox name that is expected to create.

Result Expected:

  • List of IMAP/SMTP commands affected
  • Type, value and number of parameters waited by the affected IMAP/SMTP commands


IMAP/SMTP command injection


Once the tester has identified vulnerable parameters and has analyzed the context in which it is executed, the next stage is exploiting functionality.

This stage has two possible outcomes:
1. The injection is possible in an unauthenticated state: the affected functionality does not require the user to be authenticated. The injected (IMAP) commands available are limited to: CAPABILITY, NOOP, AUTHENTICATE, LOGIN and LOGOUT.
2. The injection is only possible in an authenticated state: the sucessful exploitation requires the user to be fully authentication before testing can continue

In any case, the typical structure of an IMAP/SMTP Injection is as follows:

  • Header: ending of the expected command;
  • Body: injection of the new command;
  • Footer: beginning of the expected command.

It is important to state that in order to execute the IMAP/SMTP command, the previous one must have finished with the CRLF (%0d%0a) sequence. Let's suppose that in the stage 1 ("Identifying vulnerable parameters"), the attacker detects the parameter "message_id" of the following request as a vulnerable parameter:

http://<webmail>/read_email.php?message_id=4791

Let's suppose also that the outcome of the analysis performed in the stage 2 ("Understanding the data flow and deployment structure of the client ") has identified the command and arguments associated with this parameter:

FETCH 4791 BODY[HEADER]

In this scene, the IMAP injection structure would be:

http://<webmail>/read_email.php?message_id=4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791

Which would generate the following commands:

???? FETCH 4791 BODY[HEADER]
V100 CAPABILITY
V101 FETCH 4791 BODY[HEADER]


Result Expected:

  • Arbitrary IMAP/SMTP command injection


Gray Box testing and example

Testing for Topic X vulnerabilities:
...
Result Expected:
...

References

Whitepapers
...
Tools
...


OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents OWASP Testing Guide v2 Table of Contents

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.