An SMTP Command Injection (CRLF Injection) vulnerability in Netty's SMTP codec allows a remote attacker who can control SMTP command parameters (e.g., an email recipient) to forge arbitrary emails from the trusted server. This bypasses standard email authentication and can be used to impersonate executives and forge high-stakes corporate communications.
The root cause is the lack of input validation for Carriage Return (\r) and Line Feed (\n) characters in user-supplied parameters.
The vulnerable code is in io.netty.handler.codec.smtp.DefaultSmtpRequest, where parameters are directly concatenated into the SMTP command string. For example, when SmtpRequests.rcpt(recipient) is called, a malicious recipient string containing CRLF sequences can inject a new, separate SMTP command.
Because the injected commands are sent from the server's trusted IP, any resulting emails will likely pass SPF and DKIM checks, making them appear legitimate to the victim's email client.
A minimal PoC involves passing a crafted string containing CRLF sequences to any SmtpRequest that accepts user-controlled parameters.
1. Malicious Payload
The core of the exploit is the payload, where new SMTP commands are injected into a parameter.
// The legitimate recipient is followed by an injected email sequence
String injected_recipient = "legit-recipient@example.com\r\n" +
"MAIL FROM:<ceo@trusted-domain.com>\r\n" +
"RCPT TO:<victim@anywhere.com>\r\n" +
"DATA\r\n" +
"From: ceo@trusted-domain.com\r\n" +
"To: victim@anywhere.com\r\n" +
"Subject: Urgent: Phishing Email\r\n" +
"\r\n" +
"This is a forged email that will pass authentication checks.\r\n" +
".\r\n" +
"QUIT\r\n";
**2. Triggering...
4.1.128.Final4.2.7.FinalExploitability
AV:NAC:LAT:NPR:NUI:NVulnerable System
VC:NVI:HVA:NSubsequent System
SC:NSI:NSA:N7.7/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P