This SMTP Injection in G Suite Allows Google Email Domains to be Spoofed

SMTP Injection in G Suite

A lot can be said about Gmail relying on outdated and often unsecure protocols. For instance, we’ve already covered here on our blog how hackers were able to bypass Google’s 2FA security back in 2018. That’s just one example.

 One new example of this was discovered by Zohar Shachar in his blog post. Shachar is an ethical (whitehat) hacker and he discovered that it was possible to inject SMTP in a way that makes it possible for an attacker to spoof messages to look as if they came from Google’s own servers.

Before we get into what Shachar found out, a word or two about SMTP.

What is SMTP?

SMTP stands for Simple Mail Transfer Protocol and is a very, very old text-based protocol that serves as a communication protocol for email transmissions since 1982 when it was first defined. 

That’s right, we are still using something from almost 40 years ago to handle email transmissions!

SMTP has only three instructions and these are:

  1. Mail From: This is the email sender.
  2. RCPT TO: Who receives the email, or the recipient.
  3. DATA: These include email contents.

As you can see, there is no cc, bcc, subject and all those other good stuff that you’d expect in your Gmail.

Instead, these are added as extra headers in the DATA header content. According to the convention, each new header gets its separate line, with the header name and value separated by a colon (:).

For example:

SMTP FROM:

admin@google.com

SMTP TO:

User@gmail.com

DATA:

Bcc: hacker@gmail.com 

Your email is belong to us now.

The problem (well, one of many) is that SMTP does not authenticate the email sender. That means it’s impossible to trust the email origin.

This issue was somewhat remedied through other mechanisms outside SMTP, most notably DNS domain validation. In other words, if you can prove that you own a domain you can apply a DNS record in such a way that it will instruct SMTP servers to approve only your emails with that domain, while any other emails from that domain will go to the spam folder.

What is an SMTP Header Injection?

An SMTP header injection is when the user input is placed into the header of an email without proper sanitization. This allows the hacker to inject an additional header (or more) with arbitrary values.

This exploit allows the hacker to send email copies to third parties, execute phishing attacks, deliver a virus, or change and modify the email contents in some other way.

What Shachar Discovered?

Okay, let’s see what Shachar discovered.

According to Shachar, by login into the Admin Google page (at admin.google.com) and then go to:

Apps > G Suite > Settings for Gmail > Advanced Settings > Routing

You’ll find the “add a routing setting” for inbound and outbound traffic.

One setting allows you to “add custom headers”.

Going by the logic that the new custom header will then be included to the SMTP’s DATA content, Shachar figured that if he could add a new header this way, he could also manipulate the contents of the email.

By using the “prepend custom subject” option just below (remember, there’s no “subject” in SMTP), Shachar was able to launch a proxy and add newline chars (\r\n) to the “subject” setting.

He then sent a test email, which showed him that the newline chars were successfully rendered at the server-side, with the “subject” header divided into several lines.

What this means is that whatever came following the newline chars would be pushed to the following header, the email body.

Shachar didn’t stop there though.

He then again modified the “subject” setting to also incorporate a spoofed From header. This made Gmail show the email as it originated from admin@ google.com (which of course it didn’t).

Which looked like this:

And this allowed Shachar to spoof emails using a fake @google.com address.

Looking for a more secure email service? Try CTemplar Armored Email today for free.