Exploiting Email Address Parsing With AWS SES
In this post I'm going to cover a technique I discovered recently to bypass user account email validation/verification in a web app I was testing. This app used AWS SES to send verification emails, and the domain of a user's verified email address was used to make some access control decisions in the app logic.
In an app such as this one, where a certain email domain can grant certain privileges to a signed-up user, a good target for pen testing is whether you can trick the app into treating your address as belonging to one domain while the verification email goes to another. The impact of a bug like that depends on how much importance the app places on the email address (or its domain) after validating it. In this app's case, the domain of the user signing up determined what level of access they had once verified and authenticated, so, basically, we're talking access control bypass and privilege escalation.
When instructed to send an email to this address, SES will send the message to [email protected]; however, in this particular instance, the app was treating this signup attempt as belonging to the domain ddd.com. The concept of this vulnerability is somewhat similar to HTTP request smuggling, in that the "frontend" (the web app) parses a value (the email address) differently from the "backend" (AWS SES), causing a desynchronisation between the two in their interpretation of the value.
This is primarily a failure in the app's logic, as the app was not applying enough validation to the address a user supplied, but it's also interesting that SES parses this address at all. From what I can determine, RFC 5322 is fairly strict in that the name-addr spec of [display-name] angle-addr is only in that order, and not angle-addr [display-name]. However, the RFC also states that some legacy systems will use angle-addr with the display-name following inside a comment (i.e., between parentheses), which this payload isn't exactly, but it is somewhat close. The RFC also states the use of name-addr as opposed to this legacy format as a SHOULD and not a MUST. Either way, when you combine the app's faulty logic in determining the domain of the user being verified with the somewhat relaxed address parsing by SES, you end up with a vulnerability that allows a user to sign up as a member of an arbitrary domain.
A quick way to confirm that SES will handle this format is the following command using the AWS CLI - you'll need valid AWS creds configured in your environment, a valid from address allowed by the creds, and of course an email to target with the message, which may need to be verified if your AWS account is in sandbox mode:
The situation with the vulnerable app I encountered is very similar to the writeup by "Elliot Alderson" which resulted in a vulnerability being found in the Python email address parsing function parseaddr (CVE-2019-16056). Interestingly, for both pre- and post-CVE-2019-16056 versions of Python, parseaddr identifies [email protected] as the address in the above payload, which is consistent with SES and would avoid the disconnect between app and email server. So a valid mitigation for any app (like the one I bypassed with the above payload) that uses SES would seem to be using a function like parseaddr, which also extracts [email protected] from the payload. As with SES, though, whether parseaddr should extract [email protected] from the payload as the email address rather than hit an error condition is another question.
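The mitigation suggested above (derive the domain from the same parse a parseaddr-style mailer would perform, and refuse anything that is not a plain address) can be made concrete. The following is an added example, not code from the original post or from any application it describes; the function names `validate_signup_email`, `naive_domain` and `mailer_domain`, the conservative addr-spec regex and the sample addresses are all constructed for illustration. It deliberately accepts a narrower set of addresses than RFC 5322 allows, since a signup form has no need for display names, comments or angle brackets:

```python
# Added example (not from the original post): a strict signup-address check
# that closes the gap between how an app derives a user's domain and how a
# mail service such as SES will actually route the message.
# The sample addresses and the "<x@a> y@b" shape below are constructed for
# illustration; the post's own payload is not reproduced here.
import re
from email.utils import parseaddr

# Deliberately conservative shape for a bare addr-spec: no whitespace, no
# angle brackets, comments, quotes or list separators, and exactly one '@'.
# This is stricter than RFC 5322 on purpose; a signup form needs nothing more.
_BARE_ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def naive_domain(raw: str) -> str:
    """The kind of shortcut the post describes as faulty app logic:
    take whatever follows the last '@' and call it the domain."""
    return raw.rsplit("@", 1)[-1].strip().lower()


def mailer_domain(raw: str) -> str:
    """Domain of the address a parseaddr-style mailer would deliver to,
    which the post reports is consistent with SES for its payload."""
    _, addr = parseaddr(raw)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def validate_signup_email(raw: str):
    """Return (accepted, domain_or_reason).

    Accept only a bare addr-spec that survives a round trip through
    parseaddr unchanged, so the domain the app uses for access control
    is guaranteed to be the domain the mail service will deliver to.
    """
    candidate = raw.strip()
    if not _BARE_ADDR_SPEC.fullmatch(candidate):
        return False, "not a bare addr-spec (display name, angle-addr, comment or extra '@')"
    name, addr = parseaddr(candidate)
    if name or addr != candidate:
        # The parser saw structure we did not: refuse rather than guess.
        return False, "parser disagrees with literal input"
    domain = mailer_domain(candidate)
    if domain != naive_domain(candidate):
        return False, "domain mismatch between naive extraction and parser"
    return True, domain


if __name__ == "__main__":
    # Constructed inputs: one well-formed address and a few that must be refused.
    for sample in ["user@ddd.com", "<a@one.example> b@ddd.com",
                   "Alice <alice@ddd.com>", "a@b@ddd.com"]:
        print(repr(sample), "->", validate_signup_email(sample),
              "naive:", naive_domain(sample), "mailer:", mailer_domain(sample))
```

The round trip through parseaddr is the important check: if the parser's idea of the address is not byte-for-byte the literal the user typed, the app and the mail service are already disagreeing, which is exactly the desynchronisation the post describes. `naive_domain` shows the last-'@' shortcut the post calls out as faulty logic and `mailer_domain` shows what a parseaddr-consistent service would route on; for a well-formed bare address the two agree, and for the angle-addr-first shape they do not.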
What about other languages and packages that may be used to parse an address? Here I have some tests I've run against various languages and their popular functions and libraries for parsing email addresses:
The "Vulnerable" column is asking whether the output of the command could be vulnerable to allowing the payload to be parsed differently in the app code compared to where AWS SES will send the email or, in other words, was the execution successful/error free and does the outpu