IMAP/SMTP Injection

OWASP 2013-A1 OWASP 2017-A1 OWASP PC-C4 CAPEC-183 CWE-77 WSTG-INPV-10

MX injection is an injection technique similar to others such as SQL injection, XPath injection and SSI injection. An application whose mail server is not directly accessible from the internet is vulnerable to this attack. If the attacker gets access to the port on which the mail server is running, he can access the mail server directly. The attack can be exploited against applications that communicate with a mail server. A vulnerable server allows IMAP or SMTP commands to be injected into the mail server through the webmail application. MX injection is possible because user-supplied data is not properly validated. Whether an application is vulnerable to MX injection depends on many factors, such as the type and scope of the injection and the mail server technology, among others.

Example

The following example shows a step-by-step method to attack an application vulnerable to MX injection.

        http://example.beaglesecurity.com/src/read_body.php?mailbox=&passed_id=46106&startMessage=1                 #send null value
        http://example.beaglesecurity.com/src/read_body.php?mailbox=NOTEXIST&passed_id=46106&startMessage=1         #substitute it with random value
        http://example.beaglesecurity.com/src/read_body.php?mailbox=INBOX PARAMETER2&passed_id=46106&startMessage=1 #Add values to other parameters
        http://example.beaglesecurity.com/src/read_body.php?mailbox=INBOX"&passed_id=46106&startMessage=1           #Add non-standard special characters
        http://example.beaglesecurity.com/src/read_body.php?passed_id=46106&startMessage=1                          #Eliminate the parameter

    

Impact

This vulnerability can have the following impacts:

  • Exploitation of vulnerabilities in the mail protocol.
  • Application restrictions evasion. Using this attack, the attacker can bypass restrictions applied on the server.
  • Data Breach: The attacker can access sensitive information about the application.
  • Spamming: Through this attack, the attacker can spam all the users of the mail server.

Mitigation / Precaution

Beagle recommends the following fixes:

  • All input data used by the application must be sanitised. Remove any character that could be used maliciously.
  • Use an application firewall with strong protection. The firewall must contain a rule that blocks MX injection code.
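
One way to apply the first fix to the `mailbox` parameter before it reaches the IMAP server, as an added example that is not Beagle's or the application's own code. The allow-list policy, the `A001` tag and the function names are assumptions; the sample URLs are the five probes from the Example section.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list policy (an assumption for this example): folder names made of
# letters, digits and . _ / - only. CR, LF, spaces, quotes and every other
# IMAP special character are therefore rejected rather than "cleaned".
MAILBOX_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,63}")

class RejectedInput(ValueError):
    """Raised when a parameter must not reach the mail server."""

def validate_mailbox(raw):
    if raw is None:
        raise RejectedInput("mailbox parameter missing")
    if not MAILBOX_RE.fullmatch(raw):
        raise RejectedInput("mailbox outside allow-list")
    return raw

def build_select(tag, raw_mailbox):
    """Build a single IMAP SELECT line from validated input only."""
    name = validate_mailbox(raw_mailbox)
    return f'{tag} SELECT "{name}"\r\n'.encode("ascii")

def check_request(url):
    """Return ('ok', imap_line) or ('rejected', reason) for one request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = params.get("mailbox")
    if values is not None and len(values) != 1:
        return ("rejected", "mailbox parameter repeated")
    try:
        return ("ok", build_select("A001", values[0] if values else None))
    except RejectedInput as exc:
        return ("rejected", str(exc))

# The five probe requests from the Example section above.
BASE = "http://example.beaglesecurity.com/src/read_body.php?"
TAIL = "passed_id=46106&startMessage=1"
SAMPLES = [
    BASE + "mailbox=&" + TAIL,
    BASE + "mailbox=NOTEXIST&" + TAIL,
    BASE + "mailbox=INBOX PARAMETER2&" + TAIL,
    BASE + 'mailbox=INBOX"&' + TAIL,
    BASE + TAIL,
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_request(url))
```

Only the `NOTEXIST` request yields an IMAP line; it is syntactically safe, so the mail server answers with an ordinary error that the application should handle without echoing it to the user.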
