SMTP Injection via recipient email addresses
Dec 17, 2015 - This paper first describes the attack mechanism and then explains some vulnerability examples in email li
MBSD Technical Whitepaper
Takeshi Terada / Mitsui Bussan Secure Directions, Inc. December 2015
Table of Contents
1. Introduction
2. How the attack works
3. Vulnerability examples
   3.1. Ruby’s Mail
   3.2. JavaMail
   3.3. PHPMailer
   3.4. Other platforms
4. Further attack possibility
   4.1. FWS Attack
   4.2. CRLF-less attack
   4.3. Line-breaks for SMTP servers
5. Sender address attack
6. Conclusion
7. References
8. About us
1. Introduction
SMTP Injection is an attack technique that injects attacker-controlled SMTP commands into the @mbsd.jp
The resulting SMTP transaction is as follows:
©2015 Mitsui Bussan Secure Directions, Inc. All rights reserved.
MAIL FROM:↵
250 2.1.0 Ok↵
RCPT TO: