Hello Cyberman! How are you? I hope you are fine. The subject of this article is email injection. I see it a lot in bug bounty programs, and I said, “Why don’t I write a blog post on this subject?” And, as you know, it has been a long time since I wrote a blog post.
I finished that mission, and I am ready to blog again! I gave a lot of sample information in the category called “Web vulnerabilities”. Click to review.
You need to know about SMTP. If you don’t know and you ask “What is SMTP?”, here is a little info on the subject.
What Is SMTP?
The abbreviation SMTP stands for Simple Mail Transfer Protocol. Simple Mail Transfer Protocol plays a role comparable to the IP address (Internet Protocol), which indicates a location when an internet connection is made. SMTP is the two-end transmission system that enables e-mails sent over the internet to be transferred. Thanks to this system, messages are stored both on the computer from which they are sent and on the computer that will receive the message. The protocol used on the sending computer in this transfer is SMTP.
Here’s what Wikipedia says about SMTP:
The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typically use SMTP only for sending messages to a mail server for relaying, and typically submit outgoing email to the mail server on port 587 or 465 per RFC 8314. For retrieving messages, IMAP (which replaced the older POP3) is standard, but proprietary servers also often implement proprietary protocols, e.g., Exchange ActiveSync.
For more detail, see: https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
If you ask “How does SMTP work?”, please review this address: https://www.fool.com/the-ascent/small-business/email-marketing/articles/smtp-service/
What is SMTP Structure and How Does It Work?
The first crucial SMTP concept is the difference between the envelope and the email body. The envelope is the initial part of the communication and is defined by the SMTP protocol itself. The following commands make up the envelope:
- MAIL FROM: Sets the envelope sender.
- RCPT TO: Sets the envelope recipient. This command can be used multiple times if you are sending a message to multiple addresses.
- DATA: Begins the email payload, which consists of email headers and the message body, separated by a single empty line. The message is terminated by sending a line that contains a period (.) only.
The email headers are not part of the SMTP protocol. They are interpreted by mail clients (to display the email correctly) and by dedicated email libraries available in various programming languages. The two most common headers are:
- From: This header sets the visible sender, which can be a different address than set using the MAIL FROM command. In most email clients, the sender information obtained from the MAIL FROM command is placed in the Return-Path header, which is hidden by default from the user.
- To: This header sets the visible recipient, which can differ from the address set using RCPT TO. In most email clients, the recipient information from the RCPT TO command is placed in the Delivered-To header, which is hidden by default from the user.
How Does Email Injection Work?
An email injection attack abuses the header fields of the SMTP message structure.
When an e-mail is sent from a contact form or any other e-mail sending area of the application, some information is received from the user, such as:
- User name
Email injection works by inserting newline characters into user input. If the input is not sanitized, a malicious hacker can add email headers or modify the body of the message.
The values received from the user when sending an e-mail may be as follows:
POST /contact.php HTTP/1.1
Above is the request that sends the values received from the user to the server via the POST method.
The attacker inserts a newline (a line feed – \n on most UNIX and Linux systems, and a carriage return and a line feed – \r\n on Windows systems) and appends a BCC header that contains additional email addresses. The email library converts these addresses into RCPT TO commands and delivers the email to them in addition to the intended recipient. The attacker could use such tactics to send large numbers of messages anonymously. They may also send phishing emails where the recipient believes that these messages are originating from a trusted source.
While this vulnerability is not limited to the PHP mail command, some email libraries are naturally resistant to it. For example, the SMTPLIB in Python is resistant because SMTP.sendmail() needs you to specify an explicit list of recipients. If the attacker adds headers, it will only change the way that the email appears.
Quoted from this address: acunetix.com
If the attacker edits this POST request as follows:
POST /contact.php HTTP/1.1
name=Best Product\r\nbcc: firstname.lastname@example.org&replyTo=email@example.com&message=Buy my product!
After the edited request above is sent, the result is as follows: the e-mail is also sent to “firstname.lastname@example.org”, and the attacker can carry out a social engineering attack by editing the message content of the sent e-mail. When “\r”, “\n” and “bcc” are interpreted inside the “string” (textual value) that arrives when the e-mail is sent, they allow new header information to be entered on a new line.
The attacker inserts a newline (\r\n, carriage return and line feed, CRLF) and appends a BCC header containing additional email addresses. The email library converts these addresses into RCPT TO commands and delivers the message not only to the intended recipient but also to these extra addresses. This attack also spoofs a replyTo header to make the recipient believe the email came from someone else (email@example.com).
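To make the mechanism above concrete, here is an added Python example (not code from the original post or from acunetix) that shows why a CRLF inside a form field becomes an extra header, what a hardened form handler should check, and a small detection helper that lists the headers a suspicious request value would smuggle in. The form values, the contact@example.com sender and the function names are all constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample values mirroring the page's POST body (not real traffic).
SAFE_NAME = "Best Product"
INJECTED_NAME = "Best Product\r\nbcc: firstname.lastname@example.org"
REPLY_TO = "email@example.com"


def build_headers_unsafe(name: str, reply_to: str) -> str:
    """Vulnerable pattern: form values concatenated straight into the header
    block, as a naive PHP mail() wrapper would do. Kept only to show the effect."""
    return f"From: {name} <contact@example.com>\r\nReply-To: {reply_to}\r\n"


def header_names(raw_headers: str) -> list:
    """Parse a raw header block the way a mail library would and return the
    header names it sees (lowercased). A smuggled 'bcc' shows up here."""
    msg = message_from_string(raw_headers + "\r\n")
    return [key.lower() for key in msg.keys()]


_CR_OR_LF = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """A single CR or LF is all that is needed to start a new header line,
    so any header value containing one is rejected outright."""
    return _CR_OR_LF.search(value) is None


def build_headers_safe(name: str, reply_to: str) -> str:
    """Hardened variant: validate every user-controlled header value first."""
    for value in (name, reply_to):
        if not is_safe_header_value(value):
            raise ValueError("CR/LF in header value: email injection rejected")
    return build_headers_unsafe(name, reply_to)


def injected_header_names(value: str) -> list:
    """Detection helper for request logs or a WAF rule: list the header names
    that a form value would smuggle in (everything after the first line break)."""
    found = []
    for line in re.split(r"\r\n|\r|\n", value)[1:]:
        match = re.match(r"\s*([A-Za-z][A-Za-z0-9-]*)\s*:", line)
        if match:
            found.append(match.group(1).lower())
    return found
```

Run `header_names(build_headers_unsafe(INJECTED_NAME, REPLY_TO))` to see the extra `bcc` header appear, while `build_headers_safe` refuses the same input.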
What Can Be Done With Email Injection Attack?
A legitimate e-mail is sent from the server, but the content or the recipient of the sent e-mail can be changed, and an additional recipient can be added…
The attacker can then mainly do the following.
The most common email injection attack vectors include (quoted from this address: https://www.invicti.com/learn/email-injection/):
- Spam: A malicious user could use email injection to send spam messages. One line of code with a successful email injection could allow them to force the victim’s email server to send multiple emails with the same content to many recipients.
- Phishing: An attacker could send phishing email messages that appear to originate from the victim’s mail server, domain, and IP. As such, the attacker would be untraceable, and the blame would lie with the victim. If the victim’s application also has a cross-site scripting (XSS) vulnerability and the links in the phishing email point to this vulnerable application, the email appears even more legitimate.
- Spear phishing: Going a step further, attackers could send legitimate-looking spear-phishing email messages to selected employees at the company that runs the vulnerable application. For example, they could send the financial department a convincing email that appears to come from the CFO and urgently asks for a large bank transfer to the attacker’s account.
This vulnerability cannot be detected directly. It can only be checked by capturing and editing requests such as GET/POST in Burp Suite. If you run the “POST” request shown above against the system and it works, the system is vulnerable.
Have a nice day with lots of informatics. 🙂