CAPEC Details
Name IMAP/SMTP Command Injection
Likelyhood of attack Typical severity
High Medium
Summary An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
Prerequisites The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker. The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server. The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.
Solutions
Related Weaknesses
CWE ID Description
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related CAPECS
CAPEC ID Description
CAPEC-248 An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.