Execution Flow
1) Explore
[Identify Target Web-Mail Server] The adversary first identifies the web-mail server they wish to exploit.
2) Experiment
[Identify Vulnerable Parameters] Once the adversary has identified a web-mail server, they identify any vulnerable parameters by altering their values in requests. The adversary knows that the parameter is vulnerable if the web-mail server returns an error of any sort. Ideally, the adversary is looking for a descriptive error message.
Technique
- Assign a null value to a parameter being used by the web-mail server and observe the response.
- Assign a random value to a parameter being used by the web-mail server and observe the response.
- Add additional values to a parameter being used by the web-mail server and observe the response.
- Add non-standard special characters (e.g. \, ', ", @, #, !, |) to a parameter being used by the web-mail server and observe the response.
- Eliminate a parameter being used by the web-mail server and observe the response.
3) Experiment
[Determine Level of Injection] After identifying all vulnerable parameters, the adversary determines what level of injection is possible.
Technique
- Evaluate error messages to determine what IMAP/SMTP command is being executed for the vulnerable parameter. Sometimes the actual query will be placed in the error message.
- If there are no descriptive error messages, the adversary analyzes the affected functionality to deduce the possible commands that the mail server could be using.
4) Exploit
[Inject IMAP/SMTP Commands] The adversary manipulates the vulnerable parameters to inject an IMAP/SMTP command and execute it on the mail-server.
Technique
- Structure the injection as a header, body, and footer. The header contains the ending of the expected message, the body contains the injection of the new command, and the footer contains the beginning of the expected command.
- Each part of the injection payload needs to be terminated with the CRLF sequence (carriage return and line feed, URL-encoded as %0d%0a), because the mail server treats CRLF as the end of one command and the start of the next.
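A defender's illustration of the CRLF problem described in steps 2 through 4, as an added Python example that is not part of the CAPEC entry: a 'before' function that splices a URL-decoded web-mail parameter straight into an IMAP SELECT line, beside a hardened version that rejects control characters and emits an RFC 3501 quoted string, plus a detection check for the parameter itself. The sample parameter values, the command tags and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample values for a web-mail "mailbox" request parameter (not from the page).
SAMPLES = {
    "benign": "INBOX.Sent",
    # Header / body / footer shape: ends the SELECT, injects a LIST, then starts a new SELECT.
    "crlf_encoded": "INBOX%0d%0aA002 LIST \"\" *%0d%0aA003 SELECT INBOX",
    "raw_crlf": "INBOX\r\nA002 NOOP",
    "quote_escape": 'Sent"\r\nA002 NOOP',
}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def vulnerable_select(tag, mailbox):
    """'Before' form: the decoded parameter is concatenated straight into the IMAP command."""
    return f"{tag} SELECT {unquote(mailbox)}\r\n"


def contains_injection(param):
    """Detection check: flag CR, LF or any other control character after URL-decoding."""
    return CONTROL_CHARS.search(unquote(param)) is not None


def imap_quoted(value):
    """Encode as an RFC 3501 quoted string; reject what a quoted string cannot carry.

    Mailbox names outside printable ASCII need a literal or modified UTF-7 (not shown here).
    """
    if not all(0x20 <= ord(c) <= 0x7E for c in value):
        raise ValueError("control or non-ASCII character in IMAP argument")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def safe_select(tag, mailbox):
    """Hardened form: validate first, then quote, so the argument stays a single token."""
    decoded = unquote(mailbox)
    if CONTROL_CHARS.search(decoded):
        raise ValueError("rejected: CRLF/control characters in web-mail parameter")
    return f"{tag} SELECT {imap_quoted(decoded)}\r\n"


def command_count(wire):
    """Number of command lines the back-end IMAP server would parse from this text."""
    return sum(1 for line in wire.split("\r\n") if line)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        wire = vulnerable_select("A001", value)
        print(f"{name}: vulnerable build sends {command_count(wire)} command(s); "
              f"flagged={contains_injection(value)}")
```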
Prerequisites
The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker.
The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server.
The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.
Resources Required
None: No specialized resources are required to execute this type of attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server.
Related Weaknesses
CWE-ID | Weakness Name
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
References
REF-49: OWASP Web Security Testing Guide, https://www.owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/10-Testing_for_IMAP_SMTP_Injection
Submission
Name | Organization | Date | Date Release
CAPEC Content Team | The MITRE Corporation | 2014-06-23 +00:00 |
Modifications
Name | Organization | Date | Comment
CAPEC Content Team | The MITRE Corporation | 2017-08-04 +00:00 | Updated Resources_Required
CAPEC Content Team | The MITRE Corporation | 2019-04-04 +00:00 | Updated Related_Weaknesses
CAPEC Content Team | The MITRE Corporation | 2020-12-17 +00:00 | Updated References
CAPEC Content Team | The MITRE Corporation | 2022-02-22 +00:00 | Updated Description, Execution_Flow