CAPEC-183 - IMAP/SMTP Command Injection

An attacker exploits weaknesses in input validation on IMAP/SMTP servers to execute commands on the server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
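The mechanism described above, as an added illustration that is not part of the CAPEC entry: a web-mail front end that interpolates a user-supplied mailbox name into an IMAP SELECT command unchecked, beside a hardened builder that rejects control characters and sends the name as an IMAP quoted string. The function names, the tag values and the sample input are all constructed for this example.

```python
import re

# Constructed web-mail request parameter (not from the original page): a
# mailbox name that embeds a CRLF followed by a second IMAP command.
CONSTRUCTED_INPUT = 'INBOX\r\nA002 LIST "" *'


def build_select_vulnerable(tag: str, mailbox: str) -> str:
    """Interpolates the user-supplied mailbox name with no validation.
    A CRLF inside `mailbox` ends the SELECT line, so the back-end IMAP
    server parses everything after it as a separate command."""
    return f"{tag} SELECT {mailbox}\r\n"


def count_commands(wire: str) -> int:
    """Number of command lines the back-end server would parse from `wire`."""
    return len([line for line in wire.split("\r\n") if line.strip()])


# Conservative allow-list for mailbox names accepted by the front end;
# it excludes CR, LF, NUL, whitespace and IMAP special characters.
_MAILBOX_SAFE = re.compile(r"[A-Za-z0-9._/-]{1,255}")


def build_select_hardened(tag: str, mailbox: str) -> str:
    """Rejects anything outside the allow-list, then emits the mailbox as an
    IMAP quoted string so the back-end cannot misread it as extra commands.
    Escaping is kept even though the allow-list already excludes '\\' and
    '"', so the quoting stays correct if the allow-list is later widened."""
    if not _MAILBOX_SAFE.fullmatch(mailbox):
        raise ValueError("mailbox name contains characters the front end does not allow")
    quoted = mailbox.replace("\\", "\\\\").replace('"', '\\"')
    return f'{tag} SELECT "{quoted}"\r\n'


def hardened_accepts(mailbox: str) -> bool:
    """True when the hardened builder would forward this mailbox name."""
    try:
        build_select_hardened("A001", mailbox)
        return True
    except ValueError:
        return False
```

The same allow-list-then-quote pattern applies to any field the front end forwards, such as a search string or an SMTP envelope address.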

Severity: (not given)
Likelihood: (not given)
Affected security properties: Confidentiality, Integrity, Availability

The target environment must consist of a web-mail server that the attacker can query and a back-end mail server. The back-end mail server need not be directly accessible to the attacker.

The web-mail server must fail to adequately sanitize fields received from users and passed on to the back-end mail server.

The back-end mail server must not be adequately secured against receiving malicious commands from the web-mail server.

No special resources are required for this attack. However, in most cases, the attacker will need to be a recognized user of the web-mail server.