Keycloak, SMTP Injection, CVE-2020-10742 (Medium)

Listen to this Post

The CVE-2020-10742 vulnerability is an SMTP injection flaw within Keycloak’s user registration email verification feature. It stems from improper neutralization of CRLF (Carriage Return Line Feed) sequences in user-supplied input. An attacker can register with an email address that contains crafted SMTP commands following a CRLF sequence (e.g., [email protected]%0d%0aDATA:%20injected). When Keycloak’s backend sends the verification email, the SMTP server interprets these injected CRLF sequences as a command terminator, allowing the attacker to inject arbitrary SMTP commands. This can prematurely terminate the intended email data and append a new, short, malicious email message. The attack is constrained by a 64-character limit on the local part of the email address, restricting the payload size and limiting the content of the injected message.
Platform: Keycloak
Version: < 11.0.2
Vulnerability: SMTP Injection
Severity: Medium

date: 2020-05-19

Prediction: 2020-06-30

What Undercode Say:

`curl -X POST -d “firstName=John&lastName=Doe&email=attacker%40example.com%0d%0aDATA:%20injected&password=password” http://keycloak-host:8080/auth/realms/master/registration`

`nc -nv mailserver 25</h2>
<h2 style="color: blue;">
EHLO keycloak-server</h2>
<h2 style="color: blue;">
MAIL FROM: <keycloak@domain></h2>
<h2 style="color: blue;">
RCPT TO: attacker@example.com</h2>
<h2 style="color: blue;">
DATA</h2>
<h2 style="color: blue;">
Subject: Verify Email</h2>
<h2 style="color: blue;">
(injected SMTP commands executed here)`

How Exploit:

Craft malicious email address with CRLF and SMTP commands during user registration to inject and send a short, unauthorized email message from the server.

Protection from this CVE:

Apply input sanitization to neutralize CRLF sequences in email addresses during user registration and before processing by the SMTP client. Upgrade to Keycloak version 11.0.2 or later.

Impact:

Unauthorized sending of short emails from the server, potential for phishing precursors or spam, but limited in scope by a 64-character payload constraint.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top