VOOZH
IMAP/SMTP injection is an attack in which IMAP or SMTP commands are smuggled into a mail server through user-supplied input that a web application forwards to that server without proper sanitization. It is a serious vulnerability that can be used as a stepping stone for other attacks, including social engineering attacks. It affects web applications that talk to mail servers over IMAP or SMTP, most commonly webmail services. In IMAP/SMTP injection testing, we check whether arbitrary IMAP/SMTP commands can be injected into the mail server because input data is not properly sanitized.
To find vulnerable parameters, send manipulated values in each parameter and compare the application's response with the response to the normal request. Watch how the application behaves as the data in the parameter changes. In most cases, an application with proper input validation rejects the value with its own error message before anything reaches the mail server. A vulnerable application forwards the value to the mail server and usually still answers with HTTP 200 OK, so the status code alone proves little; the tell-tale sign is that the mail server's reaction shows through, for example a raw IMAP error line echoed into the page, or page content that changes in step with the injected input.
http://<webmail server>/src/read_body.php?mailbox=INBOX&passed_id=xyz&startMessage=1
In the above request, we can try all the possible ways of putting manipulated data into the parameter fields. We can leave the mailbox parameter empty (a null value), for example:
http://<webmail server>/src/read_body.php?mailbox=&passed_id=xyz&startMessage=1
We can also substitute a random value for the mailbox parameter:
http://<webmail server>/src/read_body.php?mailbox=XYZ&passed_id=xyz&startMessage=1
Things you can do while testing to find the vulnerable parameters are, as shown above, leaving the parameter empty and substituting a random value; each time, compare the response with the one for the original request and note every difference.
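To make the probing described above repeatable, here is an added Python example (my own, not code from the original article or from any webmail project). It builds the probe URLs for one parameter, going a little beyond the two manipulations shown above by also adding a special-character variant, a CRLF variant and a variant with the parameter removed, and it classifies a response as "rejected" (the application's own validation error), "leak" (raw mail-server text echoed back) or "normal". The host webmail.example, the marker strings and the sample response bodies are constructed for illustration; only send_probe() touches the network.

```python
import random
import string
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed baseline request (the hostname is a placeholder, not a real server).
BASE_URL = ("http://webmail.example/src/read_body.php"
            "?mailbox=INBOX&passed_id=1&startMessage=1")

# Fragments of a raw IMAP reply that a sanitising front end never shows the
# user. "BAD"/"NO" are the RFC 3501 tagged error responses; the other strings
# are typical of webmail code that prints the failing query and server reply.
IMAP_LEAK_MARKERS = (" BAD ", " NO ", "Server responded", "Query:")


def build_probes(base_url: str, param: str) -> dict:
    """Return {name: url} with the target parameter manipulated each way."""
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    original = query.get(param, "")
    variants = {
        "baseline": original,                      # control request
        "empty":    "",                            # null value, as in the article
        "random":   "".join(random.choices(string.ascii_uppercase, k=6)),
        "special":  original + "\\'\"@#!|",        # IMAP/SMTP syntax characters
        "crlf":     original + "\r\nA1 NOOP",      # command separator + harmless command
    }
    probes = {}
    for name, value in variants.items():
        q = dict(query)
        q[param] = value
        probes[name] = urlunsplit(parts._replace(query=urlencode(q)))
    # One more probe with the parameter missing altogether.
    q = dict(query)
    q.pop(param, None)
    probes["removed"] = urlunsplit(parts._replace(query=urlencode(q)))
    return probes


def classify_response(status: int, body: str) -> str:
    """'leak' is checked first: a leaked server error also contains 'error'."""
    if any(marker in body for marker in IMAP_LEAK_MARKERS):
        return "leak"
    if status >= 400 or "invalid" in body.lower() or "error" in body.lower():
        return "rejected"
    return "normal"


def send_probe(url: str, timeout: float = 10.0) -> tuple:
    """Fetch one probe; the only function here that uses the network."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed responses standing in for three kinds of server behaviour,
# so the classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "rejected": (200, "<p>Invalid mailbox name supplied.</p>"),
    "leak": (200, 'ERROR: Bad or malformed request. Query: SELECT "XYZ" '
                  "Server responded: Unexpected extra arguments to Select"),
    "normal": (200, "<h1>INBOX</h1><table>...</table>"),
}


def classify_samples() -> dict:
    return {name: classify_response(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, url in build_probes(BASE_URL, "mailbox").items():
        print(f"{name:9s} {url}")
    print(classify_samples())
```

Run the probes one at a time against an instance you are authorised to test and diff the classified results against the baseline; a "leak" on the crlf or special variant is the strongest hint that the parameter reaches the mail server unfiltered.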
Once you find the vulnerable parameter, you have all the information you need about how the application behaves for different inputs. Now it's time for exploitation. Check out the detailed article on SMTP header injection; it will give you a better understanding of the typical structure of an IMAP/SMTP injection.
Mainly the structure of an IMAP/SMTP injection includes three parts: a header that terminates the command the application was about to send, a body holding the injected command or commands, each on its own CRLF-terminated line, and a footer that begins a new valid command so that whatever the application appends after the injection point still parses.
In the not-authenticated state the injection is limited to the few commands IMAP accepts before login (CAPABILITY, NOOP, LOGOUT, STARTTLS, AUTHENTICATE and LOGIN). In the authenticated state the full command set is available (SELECT, FETCH, SEARCH and so on), but only against mailboxes the logged-in account can reach, so exploiting it requires a valid user account to test with.
Let's assume that the attacker detects a vulnerable parameter, msg_id, in the below request.
http://<webmail server>/read_email.php?msg_id=xyz
In this case, the IMAP injection will look like this:
http://<webmail server>/read_email.php?msg_id=xyz BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH xyz
Here %0d%0a is a URL-encoded CRLF, the IMAP command terminator, and V100 and V101 are tags the attacker makes up. After the application prepends its own tag (shown as ????) and appends the rest of its FETCH command, the mail server receives the following three commands:
???? FETCH xyz BODY[HEADER]
V100 CAPABILITY
V101 FETCH xyz BODY[HEADER]
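As an added example (mine, not from the original article and not from any real webmail project), the following Python simulates the concatenation that produces the three commands above and the input check that prevents it. The backend function names, the A001 tag and the numeric message id 4791 standing in for xyz are this example's own assumptions; the hardened check also rejects a bare LF, which the CRLF-based example above does not exercise.

```python
import re
from urllib.parse import unquote

CRLF = "\r\n"  # IMAP command terminator; %0d%0a in a URL

# Constructed attacker value, exactly as it travels in the query string.
INJECTED = "4791 BODY[HEADER]%0d%0aV100 CAPABILITY%0d%0aV101 FETCH 4791"
# What the web framework hands the backend after percent-decoding.
INJECTED_RAW = unquote(INJECTED)


def build_fetch_vulnerable(tag: str, msg_id: str) -> str:
    """Assumed vulnerable backend: pastes the parameter straight into the command."""
    return f"{tag} FETCH {msg_id} BODY[HEADER]{CRLF}"


def split_commands(stream: str) -> list:
    """What the IMAP server sees: one command per CRLF-terminated line."""
    return [line for line in stream.split(CRLF) if line]


def validate_msg_id(msg_id: str) -> str:
    """Hardened check: a message sequence number or UID is a plain non-zero
    decimal (RFC 3501 nz-number). Anything else, CR/LF included, is refused
    before a command is built, which is simpler and safer than escaping."""
    if not re.fullmatch(r"[1-9][0-9]*", msg_id):
        raise ValueError(f"rejected msg_id {msg_id!r}")
    return msg_id


def build_fetch_hardened(tag: str, msg_id: str) -> str:
    return f"{tag} FETCH {validate_msg_id(msg_id)} BODY[HEADER]{CRLF}"


def is_rejected(msg_id: str) -> bool:
    try:
        validate_msg_id(msg_id)
    except ValueError:
        return True
    return False


def server_view_vulnerable(msg_id: str = INJECTED_RAW) -> list:
    """The command list the server parses when the vulnerable backend is used."""
    return split_commands(build_fetch_vulnerable("A001", msg_id))


if __name__ == "__main__":
    for cmd in server_view_vulnerable():
        print(cmd)
    print("hardened accepts 4791:", split_commands(build_fetch_hardened("A001", "4791")))
    print("hardened rejects injection:", is_rejected(INJECTED_RAW))
```

The vulnerable path yields three commands, the middle one chosen entirely by the attacker; the hardened path never builds a command for the injected value at all. Where a parameter must legitimately hold free text (a mailbox name, a search string), the equivalent fix is to quote it as an IMAP literal of a stated byte length rather than to strip characters.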