Web Application Security
Re: Whitepaper: SMTP Injection via recipient email addresses Dec 18 2015 03:13AM
Takeshi Terada (mbsdtest01 gmail com) (1 replies)
Dear Amit Klein and all,

Thanks for letting me know about the previous research.
I was not aware of Insomnia's paper mentioning injection into RCPT.
I added the links to the works you mentioned to the paper.
The revised version is available at the same URL:
http://www.mbsd.jp/Whitepaper/smtpi.pdf
I really appreciate your feedback.

Regards,
Takeshi Terada

2015-12-17 5:27 GMT+09:00 Amit Klein <aksecurity (at) gmail (dot) com>:
> Dear Takeshi Terada
>
> Thanks for sharing your paper. I'd like to draw your attention to the
> following:
>
> Injection into RCPT is mentioned in
> https://www.insomniasec.com/downloads/publications/Common_Application_Flaws.ppt
> (see slides 15-16) released November 2008 (see
> https://www.insomniasec.com/releases).
>
> The general concept of injecting into SMTP commands (in this case, into the
> DATA command, terminating the DATA command and escaping into SMTP scope
> using a single-dot line, and composing a second, new message using
> additional SMTP commands) is discussed e.g. here:
> http://www.webappsec.org/projects/articles/121106.pdf (see section 3.2),
> released November 2006.
>
> Best,
> -Amit
>
>
> On Wed, Dec 9, 2015 at 10:20 AM, Takeshi Terada <mbsdtest01 (at) gmail (dot) com>
> wrote:
>>
>> Dear all,
>>
>> MBSD released a whitepaper titled "SMTP Injection via recipient email
>> addresses."
>> http://www.mbsd.jp/Whitepaper/smtpi.pdf
>>
>> The paper discusses SMTP Injection attacks via malformed recipient
>> email addresses in some email libraries in Ruby, Java and PHP.
>>
>> TOC
>> 1. Introduction
>> 2. How the attack works
>> 3. Vulnerability examples
>> 3.1. Ruby's Mail
>> 3.2. JavaMail
>> 3.3. PHPMailer
>> 3.4. Other platforms
>> 4. Further attack possibility
>> 4.1. FWS Attack
>> 4.2. CRLF-less attack
>> 4.3. Line-breaks for SMTP servers
>> 5. Sender address attack
>> 6. Conclusion
>>
>> Best regards,
>>
>> --
>> Takeshi Terada
>> Mitsui Bussan Secure Directions, Inc.
>> http://www.mbsd.jp/
>

--
Takeshi Terada
Mitsui Bussan Secure Directions, Inc.
http://www.mbsd.jp/
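
The thread above concerns two injection points: recipient addresses placed into RCPT, and a single-dot line that ends the DATA command early. The following is an added example of the corresponding client-side checks; it is not code from the whitepaper, the thread participants, or any of the libraries named, and the helper names and sample inputs are hypothetical.

```ruby
# Added example: hypothetical helper names, constructed sample inputs.
# Characters refused in an envelope address before it is placed inside
# "RCPT TO:<...>": control characters (CR, LF, NUL included), whitespace,
# and the angle brackets that delimit the path.
FORBIDDEN_IN_PATH = /[\x00-\x20\x7f<>]/

class UnsafeAddress < ArgumentError; end

# Build one RCPT command line, or raise before anything reaches the socket.
def rcpt_command(address)
  raise UnsafeAddress, "empty address" if address.nil? || address.empty?
  if address.match?(FORBIDDEN_IN_PATH)
    raise UnsafeAddress, "forbidden character in #{address.inspect}"
  end
  "RCPT TO:<#{address}>\r\n"
end

# Prepare a body for the DATA phase: normalise every line ending to CRLF,
# then double a leading dot on each line (RFC 5321 section 4.5.2) so that a
# body line consisting of "." cannot end the DATA phase early.
def data_payload(body)
  lines = body.gsub(/\r\n|\r|\n/, "\n").split("\n", -1)
  lines.pop if lines.last == ""        # empty piece after a final newline
  stuffed = lines.map { |l| l.start_with?(".") ? ".#{l}" : l }
  stuffed.join("\r\n") + "\r\n.\r\n"   # the only bare "." line is the real end
end

# Count the lines a server would read as end-of-data in a payload.
def terminators(payload)
  payload.split("\r\n", -1).count(".")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one ordinary address, one carrying a CRLF sequence.
  ["alice@example.com", "bob@example.com>\r\nRCPT TO:<eve@example.net"].each do |addr|
    begin
      print rcpt_command(addr)
    rescue UnsafeAddress => e
      puts "rejected: #{e.message}"
    end
  end
  payload = data_payload("Hi\n.\nthis line stays inside the message\n")
  puts "end-of-data markers in payload: #{terminators(payload)}"
end
```

Rejecting the address outright, rather than stripping the offending characters, keeps the application from silently delivering to a recipient the user did not supply.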

Re: Whitepaper: SMTP Injection via recipient email addresses Dec 18 2015 05:34AM
Amit Klein (aksecurity gmail com)