Web Application Security
Whitepaper: SMTP Injection via recipient email addresses Dec 09 2015 08:20AM
Takeshi Terada (mbsdtest01 gmail com) (1 replies)
Re: Whitepaper: SMTP Injection via recipient email addresses Dec 16 2015 08:28PM
Amit Klein (aksecurity gmail com)
Dear Takeshi Terada

Thanks for sharing your paper. I'd like to draw your attention to the following:

Injection into RCPT is mentioned in
https://www.insomniasec.com/downloads/publications/Common_Application_Flaws.ppt
(see slides 15-16) released November 2008 (see
https://www.insomniasec.com/releases).

The general concept of injecting into SMTP commands (in this case,
into the DATA command, terminating the DATA command and escaping into
SMTP scope using a single-dot line, and composing a second, new
message using additional SMTP commands) is discussed e.g. here:
http://www.webappsec.org/projects/articles/121106.pdf (see section
3.2), released November 2006.

Best,
-Amit

On Wed, Dec 9, 2015 at 10:20 AM, Takeshi Terada <mbsdtest01 (at) gmail (dot) com> wrote:
> Dear all,
>
> MBSD released a whitepaper titled "SMTP Injection via recipient email
> addresses."
> http://www.mbsd.jp/Whitepaper/smtpi.pdf
>
> The paper discusses SMTP Injection attacks via malformed recipient
> email addresses in some email libraries in Ruby, Java and PHP.
>
> TOC
> 1. Introduction
> 2. How the attack works
> 3. Vulnerability examples
> 3.1. Ruby's Mail
> 3.2. JavaMail
> 3.3. PHPMailer
> 3.4. Other platforms
> 4. Further attack possibility
> 4.1. FWS Attack
> 4.2. CRLF-less attack
> 4.3. Line-breaks for SMTP servers
> 5. Sender address attack
> 6. Conclusion
>
> Best regards,
>
> --
> Takeshi Terada
> Mitsui Bussan Secure Directions, Inc.
> http://www.mbsd.jp/
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
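
The two injection points named in this thread (recipient addresses placed into RCPT, and the single-dot line that ends DATA), handled on the sending side. This is an added example, not part of either message or of the whitepaper; the function names and the deliberately strict address policy (ASCII only, exactly one "@", no whitespace, control characters or angle brackets) are assumptions.

```python
import re

# Added example. Policy assumption: envelope addresses are plain ASCII with no
# control characters, spaces or angle brackets (stricter than RFC 5321 allows).
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f<>]")


class UnsafeAddress(ValueError):
    """Raised when an address could alter the SMTP command stream."""


def rcpt_command(address: str) -> bytes:
    """Return one RCPT TO line, or raise if the address is unsafe."""
    if not address or _FORBIDDEN.search(address) or not address.isascii():
        raise UnsafeAddress(repr(address))
    if address.count("@") != 1:
        raise UnsafeAddress(repr(address))
    return b"RCPT TO:<" + address.encode("ascii") + b">\r\n"


def data_payload(message: bytes) -> bytes:
    """Normalise line endings and dot-stuff the body (RFC 5321, 4.5.2)."""
    lines = re.split(rb"\r\n|\r|\n", message)
    if lines and lines[-1] == b"":
        lines.pop()  # drop the empty piece after a trailing newline
    # A body line starting with "." gets a second dot, so it cannot end DATA.
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(stuffed) + b"\r\n.\r\n"


def screen(addresses):
    """Split a recipient list into (accepted command lines, rejected inputs)."""
    accepted, rejected = [], []
    for addr in addresses:
        try:
            accepted.append(rcpt_command(addr))
        except UnsafeAddress:
            rejected.append(addr)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input, not taken from the whitepaper.
    ok, bad = screen(["alice@example.com", "bob@example.com\r\nNOOP",
                      "carol@example.com\nNOOP"])
    print(ok, bad)
    print(data_payload(b"line one\n.\nline three\n"))
```

Bare CR and bare LF are rejected along with CRLF because SMTP servers differ in what they accept as a line break.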
