curl SMTP EXPN Recipient CRLF Command Injection
CRLF in CURLOPT_MAIL_RCPT operand injects full MAIL/RCPT/DATA transaction after authenticated EXPN — stock curl completes injected message.
Summary
Stock curl serializes the SMTP custom-recipient operand without rejecting embedded CR/LF bytes, so a CURLOPT_MAIL_RCPT value passed to an EXPN request can inject a full MAIL FROM / RCPT TO / DATA transaction under the same authenticated session. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | Stock curl with SMTP support (`lib/smtp.c`, custom recipient branch) |
| Primitive | Unvalidated `smtp->rcpt->data` written into the `%s %s%s` SMTP command line via `Curl_pp_sendf` |
| Impact | Authenticated SMTP session can send attacker-controlled messages to arbitrary recipients on the same server. |
Attack Chain
curl -K config (EXPN + mail-rcpt with CRLF) → AUTH PLAIN → EXPN Friends → injected MAIL/RCPT/DATA → marker body accepted
Mitigation
Reject CR and LF in custom SMTP recipient operands before protocol serialization; audit automation that passes untrusted strings into CURLOPT_MAIL_RCPT.
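A pre-serialization check of the kind the mitigation calls for, written for this summary as an added example (it is neither curl's own code nor part of the Exploitarium PoC); the RCPT_MAX_LEN ceiling and the sample operands are assumptions constructed for illustration:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one recipient operand; callers log the reason and drop the
 * request rather than trying to "clean" the string. */
enum rcpt_verdict {
    RCPT_OK = 0,
    RCPT_EMPTY,
    RCPT_CRLF,     /* CR or LF: would end the command line in smtp.c */
    RCPT_CONTROL,  /* any other control byte: never valid in a path */
    RCPT_TOO_LONG
};

/* RFC 5321 caps a forward-path at 256 octets; used as a sanity ceiling
 * (assumption: tune to what the deployment actually sends). */
#define RCPT_MAX_LEN 256

/* Pre-serialization check for a value bound for CURLOPT_MAIL_RCPT or
 * --mail-rcpt. Returns RCPT_OK only when the operand can be emitted as
 * one SMTP command line without ever starting a second one. */
enum rcpt_verdict check_rcpt_operand(const char *s)
{
    size_t i, n;
    if (s == NULL || s[0] == '\0')
        return RCPT_EMPTY;
    n = strlen(s);
    if (n > RCPT_MAX_LEN)
        return RCPT_TOO_LONG;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '\r' || c == '\n')
            return RCPT_CRLF;
        if (c < 0x20 || c == 0x7f)
            return RCPT_CONTROL;
    }
    return RCPT_OK;
}

int main(void)
{
    /* Constructed samples: two benign operands, three that must be rejected. */
    const char *samples[] = { "Friends", "alice@example.com",
                              "Friends\r\nNOOP", "Friends\nNOOP", "bad\tname" };
    const char *names[] = { "ok", "empty", "crlf", "control", "too-long" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %s\n", i, names[check_rcpt_operand(samples[i])]);
    return 0;
}
```

Run the check on every operand before it reaches libcurl; a non-OK verdict should abort the job and be logged, since an operand that fails here would otherwise be serialized as more than one SMTP command.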