Pre-requisites: IMAP and SMTP
IMAP/SMTP injection is the insertion of IMAP or SMTP commands into user-supplied input so that the application passes those commands on to its mail server. It is a serious vulnerability that can be chained into other attacks, including social engineering. It affects every web application that talks to mail servers over IMAP or SMTP, most commonly webmail services. In IMAP/SMTP injection testing we check whether arbitrary IMAP/SMTP commands can be injected into the mail server because input data is not properly sanitized before it is used to build protocol commands.
Attack Vectors in IMAP/SMTP injection:
- Relay or SPAM
- Data leaks
- Anti-automation process evasion
- Exploiting the vulnerabilities present in the web server
- Evasion of Basic Restrictions
Testing for IMAP/SMTP injection:
- Finding all the injection points where we can inject our commands.
- Exploring and understanding the flow of data and structure of the target system.
- Tracing back the impact of the commands that are being injected.
Identify Vulnerable Parameters:
To test for vulnerable parameters, send arbitrary data in each parameter and observe the application's response. Pay attention to how the application behaves for the different values placed in the parameter. In most cases, a secure application with proper input handling responds with an error message. A vulnerable application accepts the arbitrary data and responds with an HTTP 200 OK.
Example:
http://<webmail server>/src/read_body.php?mailbox=INBOX&passed_id=xyz&startMessage=1
In the above request, we can check all the possible ways of putting manipulated data into the parameter fields. We can put a null value in the mailbox parameter, for example:
http://<webmail server>/src/read_body.php?mailbox=&passed_id=xyz&startMessage=1
We can also substitute a random value in the mailbox parameter:
http://<webmail server>/src/read_body.php?mailbox=XYZ&passed_id=xyz&startMessage=1
Things you can do while testing to find the vulnerable parameters are:
- Leave the parameter empty
- Add or delete the parameter
- Put in whatever you want, such as special characters or unexpected values
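From the defender's side, the same manipulations described above (empty parameters, odd values, and above all encoded CR/LF sequences) are visible in the web server's access log. The following is an added example, not code from the original article: it parses a few constructed log lines for the webmail requests used in the text and flags query parameters that carry CR/LF (including after a second round of percent-decoding, for applications that decode twice) or an IMAP tag-plus-command pattern. The log lines, IP addresses and the `scan_log` function are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access log (Common Log Format). Not real traffic: the
# third and fourth lines carry the msg_id payload from the article, once
# single-encoded (%0d%0a) and once double-encoded (%250d%250a).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /src/read_body.php?mailbox=INBOX&passed_id=12&startMessage=1 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /src/read_body.php?mailbox=&passed_id=12&startMessage=1 HTTP/1.1" 500 210
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /read_email.php?msg_id=xyz%20BODY[HEADER]%0d%0aV100%20CAPABILITY%0d%0aV101%20FETCH%204791 HTTP/1.1" 200 880
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /read_email.php?msg_id=%250d%250aV100%20CAPABILITY HTTP/1.1" 200 880
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# A tag (any atom) followed by an IMAP command keyword, e.g. "V100 CAPABILITY".
IMAP_CMD_RE = re.compile(
    r"(?:^|\s)[A-Za-z0-9]+\s+(?:CAPABILITY|NOOP|LOGOUT|LOGIN|AUTHENTICATE|"
    r"FETCH|SELECT|EXAMINE|LIST|SEARCH|STORE|COPY|APPEND)\b",
    re.IGNORECASE,
)

MAX_EXTRA_DECODES = 3  # guard against pathological nesting


def fully_decode(value: str) -> tuple[str, int]:
    """Keep percent-decoding until the value stops changing.
    Returns (decoded value, total decode rounds including the one parse_qsl did)."""
    rounds = 1
    while "%" in value and rounds <= MAX_EXTRA_DECODES:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_value(value: str) -> tuple[list[str], int]:
    """Return the list of indicators found in one parameter value and the decode depth."""
    decoded, rounds = fully_decode(value)
    reasons = []
    if "\r" in decoded or "\n" in decoded:
        reasons.append("crlf")
    if IMAP_CMD_RE.search(decoded):
        reasons.append("imap_command")
    return reasons, rounds


def scan_log(text: str) -> list[dict]:
    """Scan access-log lines and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = m.group("target").partition("?")[2]
        for param, value in parse_qsl(query, keep_blank_values=True):
            reasons, rounds = inspect_value(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": param,
                    "reasons": reasons,
                    "decode_rounds": rounds,
                    "status": m.group("status"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} "
              f"reasons={','.join(f['reasons'])} decode_rounds={f['decode_rounds']} status={f['status']}")
```

The empty `mailbox=` request on the second line is not flagged: an empty or odd value on its own is normal testing noise, whereas a CR/LF inside a value that ends up in a protocol command has no legitimate use. The `status` field is kept in each finding because, as the text notes, a 200 response to such a request is the signal that the application accepted the input.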
Testing for IMAP/SMTP Command Injection:
Once you have found a vulnerable parameter, you know how the application behaves for different inputs, and the next step is exploitation. See the detailed article on SMTP header injection, which gives a good picture of the typical structure of an IMAP/SMTP injection.
Mainly the structure of an IMAP/SMTP injection includes:
- Header
- Body
- Footer
In the unauthenticated state only a limited set of commands is available (CAPABILITY, NOOP, AUTHENTICATE, LOGIN and LOGOUT); in the authenticated state the full command set is reachable, but the tester needs a valid account with the corresponding privileges.
Let’s assume that the attacker detects a vulnerable parameter with msg_id in the below request.
http://<webmail server>/read_email.php?msg_id=xyz
In this case, the IMAP injection will look like this:
http://<webmail server>/read_email.php?msg_id=xyz BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791
Because %0d%0a decodes to CR LF, the mail server receives the following three commands instead of one:
???? FETCH xyz BODY[HEADER]
V100 CAPABILITY
V101 FETCH 4791 BODY[HEADER]
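The following added example (not code from the original article) makes the command splitting above concrete and sets the vulnerable pattern beside its fix. It assumes a hypothetical webmail back end that builds the IMAP FETCH line by string concatenation (`build_fetch_vulnerable`), shows how the msg_id payload from the request above becomes three commands on the wire, and then gives a hardened builder that only accepts a bare message sequence number, plus an IMAP quoted-string encoder for the mailbox parameter seen in the earlier read_body.php request. All function names are this example's own.

```python
import re

# The msg_id value from the request in the text, shown already URL-decoded,
# i.e. as the webmail script sees it once %0d%0a has become CR LF.
INJECTED_MSG_ID = "xyz BODY[HEADER]\r\nV100 CAPABILITY\r\nV101 FETCH 4791"


def build_fetch_vulnerable(tag: str, msg_id: str) -> str:
    """Hypothetical vulnerable builder: the request parameter is concatenated
    into the FETCH line unchecked, which is the pattern the article describes."""
    return f"{tag} FETCH {msg_id} BODY[HEADER]\r\n"


def split_imap_commands(wire: str) -> list[str]:
    """Show how the IMAP server parses what goes on the wire: one command
    per CRLF-terminated line."""
    return [line for line in wire.split("\r\n") if line]


# A message sequence number is a non-zero unsigned 32-bit integer
# (RFC 3501 "nz-number").
_NZ_NUMBER = re.compile(r"[1-9][0-9]*")


def build_fetch_hardened(tag: str, msg_id: str) -> str:
    """Hardened builder: msg_id must be a bare sequence number, so CR, LF or
    extra atoms can never reach the IMAP connection."""
    if not _NZ_NUMBER.fullmatch(msg_id) or int(msg_id) > 0xFFFFFFFF:
        raise ValueError(f"rejected msg_id: {msg_id!r}")
    return f"{tag} FETCH {msg_id} BODY[HEADER]\r\n"


def quote_mailbox(name: str) -> str:
    """Encode a mailbox name as an IMAP quoted string: backslash and double
    quote are escaped; CR, LF, NUL and non-ASCII bytes are refused because a
    quoted string cannot carry them (non-ASCII names need modified UTF-7 or a
    literal, which this example does not implement)."""
    if any(ch in name for ch in "\r\n\0") or not name.isascii():
        raise ValueError("mailbox name contains characters a quoted string cannot hold")
    return '"' + name.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_select_hardened(tag: str, mailbox: str) -> str:
    """SELECT with the mailbox parameter safely quoted."""
    return f"{tag} SELECT {quote_mailbox(mailbox)}\r\n"


if __name__ == "__main__":
    for cmd in split_imap_commands(build_fetch_vulnerable("A001", INJECTED_MSG_ID)):
        print("server would execute:", cmd)
    try:
        build_fetch_hardened("A001", INJECTED_MSG_ID)
    except ValueError as exc:
        print("hardened builder:", exc)
    print("quoted mailbox:", build_select_hardened("A002", 'Sent "2024"').rstrip())
```

Two design points: the message-number check is an allowlist (what a valid value looks like), not a denylist of CR and LF, so alternative encodings never matter; and the mailbox parameter is handled by protocol-aware quoting rather than by stripping characters, so legitimate names containing quotes still work while names that cannot be represented are rejected with an error, which is the behaviour the text describes for a secure application.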
Impact:
- An attacker can exploit the vulnerabilities present in the mail server.
- By using this attack, the attacker can bypass restrictions through evasion techniques.
- This attack can lead to a data breach as emails are sensitive in nature.
- The attacker can spam the server with data and can disrupt the service.