I have an application where a code scanner has identified CRLF injection possibilities in some classes related to email generation.

I understand how CRLF injection could be used against me on URL-based attacks, but Google has been kinda silent on threats coming from email. Are we concerned with injecting different addresses in SMTP conversations like this: http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_transport_example ?

Or something else?

avgvstvs
  • Do you have a specific reference id from your code scanner? – Eric G Mar 25 '14 at 15:57
  • Multiple hits. And I'm security-minded, I'm just trying to decide what the threat basis is in the first place. I can't see how I'd want to exploit this for nefarious ends. – avgvstvs Mar 25 '14 at 16:04

2 Answers

Depending on how your application creates the actual RAW email request, it may be possible to insert line feeds to modify the recipients, CC, BCC etc.

Check out this example:

In this context, the target is to be able to send anonymous emails to other recipients. There are numerous additional fields that can be specified in the mail headers (see [ RFC 822 ]). For example 'Cc' (Carbon Copy), which sends a copy of the message to the email addresses given as arguments. A better choice is to use the 'Bcc' (Blind Carbon Copy) which sends a carbon copy of the message just like with the 'Cc' header, except that the recipients' email addresses given as arguments are not shown to the multiple recipients' headers. As specified in the [ RFC 822 ], one must add a line feed for every header. The (line feed) char has a hexadecimal value of 0x0A.

    Sender: "sender@anonymous.www%0ACc:recipient@someothersite.xxx%0ABcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx"
    Subject: ahem
    Message: "My Message"

will result in

    To: recipient@victim.xxx
    Subject: ahem
    From: sender@anonymous.xxx
    Cc:recipient@someothersite.xxx
    Bcc:somebloke@grrrr.xxx,someotherbloke@oooops.xxx

    My Message...

Also, check out some OWASP Guidance, and some examples under CWE-93.

Eric G

Here is an example of a PHP mail-generating script that is vulnerable to a CRLF-injection attack. In essence, the problematic code was:

    <?php
    $email = $_POST['email'];                              // untrusted form value, used as-is
    $headers = "From: {$email}\r\nReply-To: {$email}";     // create headers ($subject/$content come from the same form)
    mail('opps@example.com', $subject, $content, $headers); // mails it

In that case, a poorly designed PHP API was difficult to use correctly. As a result, a web-based contact form could be used to send arbitrary spam, if an attacker made a POST request whose email parameter ended with a CRLF followed by "CC: victim@example.net".

I invite you to submit your code to Code Review, where we can go over all aspects of your code, including potential security issues such as CRLF injection.

200_success
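An added example (mine, not from either answer), written in Python rather than the answer's PHP because the check is the same in any language: the raw-interpolation pattern both answers describe, a helper that shows which headers an MTA would actually see, and a hardened builder that refuses any value containing CR, LF or other control characters. CLEAN_EMAIL, TAINTED_EMAIL and the function names are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Constructed form values (assumed, not from the page): the second one carries
# a bare LF (0x0A, what %0A decodes to) followed by a smuggled Bcc header.
CLEAN_EMAIL = "sender@anonymous.www"
TAINTED_EMAIL = "sender@anonymous.www\nBcc: somebloke@grrrr.xxx"

_CTRL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and every other control byte


def build_headers_naive(email):
    """Same construction as the PHP answer: the form value is interpolated raw."""
    return f"From: {email}\r\nReply-To: {email}"


def header_names(raw):
    """Header names an MTA would see; a bare CR or LF also ends a header line."""
    return [line.split(":", 1)[0] for line in re.split(r"\r\n|\r|\n", raw)
            if ":" in line]


class HeaderInjection(ValueError):
    """Raised when a form value cannot be placed in a header verbatim."""


def sanitize_address(value):
    """Allow only a single bare addr-spec with no control characters."""
    if _CTRL.search(value):
        raise HeaderInjection("control character in header value")
    name, addr = parseaddr(value)
    if name or not addr or "@" not in addr or addr != value:
        raise HeaderInjection("not a single bare email address")
    return addr


def build_headers_safe(email):
    """Hardened form: the value is validated before it reaches any header."""
    addr = sanitize_address(email)
    return f"From: {addr}\r\nReply-To: {addr}"


def rejects(value):
    """True if sanitize_address refuses the value (handy for unit tests)."""
    try:
        sanitize_address(value)
    except HeaderInjection:
        return True
    return False
```

Running header_names over the naive output for TAINTED_EMAIL lists Bcc twice, once after From and once after Reply-To, which is exactly the finding the scanner is reporting; the safe builder never produces that block because sanitize_address raises first.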