Using Meta-characters in E-mail Headers to Inject Malicious Payloads
Attack Pattern ID: 41 (Detailed Attack Pattern, Completeness: Complete) | Typical Severity: High | Status: Draft
Summary
This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs.
Email software has become increasingly sophisticated and feature-rich. Email applications are also ubiquitous and connected directly to the Web, which makes them ideal targets for launching and propagating attacks. As user demand for new functionality grows, email clients become more like browsers, with complex rendering and plug-in routines. As more functionality is included and abstracted away from the user, the opportunities for attackers grow with it. Most email applications do not display header information by default, yet the headers contain valuable attack vectors, particularly when the behavior of the email client is known. Meta-characters are hidden from the user but can carry scripts, enumerations, probes, and other attacks against the user's system.
Attack Execution Flow
Experiment
Identify and characterize metacharacter processing vulnerabilities in email headers:
An attacker creates emails with headers containing various metacharacter-based malicious payloads in order to determine whether the target application processes the malicious content and in what manner it does so.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Use an automated tool (fuzzer) to create malicious email headers containing metacharacter-based payloads. | env-Web
2 | Manually tamper with email headers to inject malicious metacharacter-based payload content into them. | env-Web
Indicators
ID | Type | Indicator Description | Environments
---|---|---|---
1 | Positive | The email client processes metacharacters in email headers. | env-Local
2 | Negative | The email client does not process metacharacters in email headers. | env-Local
3 | Negative | The email server strips the headers that contain metacharacters. | env-Web
4 | Inconclusive | The email server lets the malicious metacharacters in the email headers through. | env-Web
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | The email client executes the malicious payload.
2 | Failure | No malicious content is delivered in the email by the server.
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Detective | Monitor email headers for malicious content in metacharacters.
Exploit
An attacker leverages vulnerabilities identified during the Experiment Phase to inject malicious email headers and cause the targeted email application to exhibit behavior outside of its expected constraints.
Attack Step Techniques
ID | Attack Step Technique Description | Environments
---|---|---
1 | Send emails with specifically constructed, metacharacter-based malicious payloads in the email headers to targeted systems running email processing applications identified as vulnerable during the Experiment Phase. | env-Local
Outcomes
ID | Type | Outcome Description
---|---|---
1 | Success | The payload executes on the target user's system.
Security Controls
ID | Type | Security Control Description
---|---|---
1 | Preventative | Filter email headers for malicious content.
Attack Prerequisites
This attack targets the most widely deployed feature-rich email applications, including web-based email programs.
Examples-Instances
Description
To:<someone@example.com>
From:<badguy@example.com>
Header<SCRIPT>payme</SCRIPT>def: whatever
Description
Meta-characters are among the most valuable tools attackers have to deceive users into taking some action on their behalf. E-mail is perhaps the most efficient and cost-effective attack distribution tool available, which is what has turned phishing into a pandemic.
Meta-characters such as \w, \s, \d and ^ can allow the attacker to escape out of the expected behavior and execute additional commands. Escaping the process (such as the email client) lets the attacker run arbitrary code in the user's process. In header fields specifically, the characters to watch for are line breaks (which terminate one header and start another), angle brackets and quotes (which delimit addresses and display names), and script markup that a web-based client may render, as in the example above.
Solutions and Mitigations
Design: Perform validation on email header data.
Implementation: Implement email filtering solutions on the mail server or on the MTA or relay server.
Implementation: Mail servers that perform strict validation may catch these attacks, because metacharacters are not allowed in many header fields, such as DNS names.
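The three controls above (header validation at design time, filtering at the MTA or relay, and the detective monitoring listed in the execution flow) in one worked example. This is added illustration code, not part of CAPEC-41 and not any mail server's or client's own code; the sample messages are constructed here (the first reproduces the page's example header and adds a From display name carrying script markup) and the whitelist of acceptable field-name characters is an assumption that is deliberately stricter than RFC 5322.

```python
import email
import re
from email.message import Message

# Constructed sample messages (not from the CAPEC entry). The first reproduces the
# CAPEC-41 example field name and adds a From display name carrying script markup;
# the second is an ordinary message used as a control.
SAMPLE_MALICIOUS = (
    "To: <someone@example.com>\r\n"
    'From: "<script>payme</script>" <badguy@example.com>\r\n'
    "Header<SCRIPT>payme</SCRIPT>def: whatever\r\n"
    "Subject: greetings\r\n"
    "\r\n"
    "body\r\n"
)
SAMPLE_CLEAN = (
    "To: <someone@example.com>\r\n"
    "From: Alice <alice@example.com>\r\n"
    "Subject: greetings\r\n"
    "\r\n"
    "body\r\n"
)

# Assumed whitelist: field names we forward contain letters, digits and '-' only.
# RFC 5322 permits any printable US-ASCII except ':', which is exactly why the
# CAPEC example line parses as a legitimate header.
FIELD_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
# A line break or NUL in a value the application is about to write as a single
# header line would start a new header (or truncate the message) on the way to the MTA.
CRLF_NUL_RE = re.compile(r"[\r\n\x00]")
# Script markup in a value that a web-based client may render without escaping.
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def scan_headers(raw_message: str) -> list:
    """Detective control: (field_name, reason) for every header carrying metacharacters."""
    msg: Message = email.message_from_string(raw_message)  # compat32 keeps raw header strings
    findings = []
    for name, value in msg.items():
        if not FIELD_NAME_RE.match(name):
            findings.append((name, "field name contains metacharacters"))
        if SCRIPT_RE.search(value):
            findings.append((name, "value contains script markup"))
    return findings


def strip_flagged_headers(raw_message: str) -> str:
    """Preventative control for a mail server or relay: drop every flagged header."""
    msg = email.message_from_string(raw_message)
    for name, _reason in scan_headers(raw_message):
        del msg[name]  # removes every instance of that field name; no-op if already gone
    return msg.as_string()


def check_outgoing_header(name: str, value: str) -> list:
    """Design control for code that composes mail from untrusted input: the list of
    problems with one header, or an empty list when it is safe to hand to the MTA."""
    problems = []
    if not FIELD_NAME_RE.match(name):
        problems.append("illegal field name")
    if CRLF_NUL_RE.search(value):
        problems.append("line break or NUL in value")
    if SCRIPT_RE.search(value):
        problems.append("script markup in value")
    return problems


if __name__ == "__main__":
    for name, reason in scan_headers(SAMPLE_MALICIOUS):
        print(f"flagged {name!r}: {reason}")
    print(strip_flagged_headers(SAMPLE_MALICIOUS))
    print(check_outgoing_header("Subject", "hi\r\nBcc: victim@example.com"))
```

The scan deliberately runs on the parsed message rather than on raw lines: a header value folded across several lines is reassembled first, so a script tag split by a folding whitespace is still seen whole. The outgoing check is the one that stops classic header injection, since by the time a CRLF has reached the MTA the injected line is simply another header.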
Attack Motivation-Consequences
Enables the attacker to execute code (server-side in the case of web-based mail) with whatever privileges the owner of the targeted email program holds.
Related Attack Patterns
Nature | Type | ID | Name | Description | View(s) this relationship pertains to
---|---|---|---|---|---
ChildOf | Attack Pattern | 134 | Email Injection | | Mechanism of Attack (primary) 1000
ChildOf | Attack Pattern | 242 | Script Injection | | Mechanism of Attack (primary) 1000
Content History
Submissions
Submitter | Organization | Date
---|---|---
G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-01-01
Modifications
Modifier | Organization | Date | Comments
---|---|---|---
Gunnar Peterson | Cigital, Inc | 2007-02-28 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software"
Sean Barnum | Cigital, Inc | 2007-03-09 | Review and revise
Richard Struse | VOXEM, Inc | 2007-03-26 | Review and feedback leading to changes in Name, Description and Examples
Sean Barnum | Cigital, Inc | 2007-04-13 | Modified pattern content according to review and feedback
Romain Gaucher | Cigital, Inc | 2009-02-10 | Created draft content for detailed description
Sean Barnum | Cigital Federal, Inc | 2009-04-13 | Reviewed and revised content for detailed description