https://bugs.exim.org/show_bug.cgi?id=3036
Bug ID: 3036
Summary: Signature verifies correcly for message with modified
body
Product: Exim
Version: N/A
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: DKIM
Assignee: tom@duncanthrax.net
Reporter: max@internet.ru
CC: exim-dev@lists.exim.org
Created attachment 1447
--> https://bugs.exim.org/attachment.cgi?id=1447&action=edit
Wire format capture and EMLs
Given a DKIM-signed message, one can append a line "\r+space+data+\n" at the
end of headers. That line will count towards headers when verifying the
signature. However, the data portion will be pushed down to body and saved into
-D file, and displayed as part of body. This was used against us as part of
DKIM replay attack.
See attachment for sample original and modified messages, and wire format dump
from wireshark. To reproduce on a clean exim installation, add +dkim_verbose to
log_selector, remove localhost from relay_from_hosts, and use swaks -d and -s
options to send the modified eml. Then the DKIM line will contain "verification
succeeded", which is not expected.
--
You are receiving this mail because:
You are on the CC list for the bug.
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Bug ID: 3036
Summary: Signature verifies correcly for message with modified
body
Product: Exim
Version: N/A
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: DKIM
Assignee: tom@duncanthrax.net
Reporter: max@internet.ru
CC: exim-dev@lists.exim.org
Created attachment 1447
--> https://bugs.exim.org/attachment.cgi?id=1447&action=edit
Wire format capture and EMLs
Given a DKIM-signed message, one can append a line "\r+space+data+\n" at the
end of headers. That line will count towards headers when verifying the
signature. However, the data portion will be pushed down to body and saved into
-D file, and displayed as part of body. This was used against us as part of
DKIM replay attack.
See attachment for sample original and modified messages, and wire format dump
from wireshark. To reproduce on a clean exim installation, add +dkim_verbose to
log_selector, remove localhost from relay_from_hosts, and use swaks -d and -s
options to send the modified eml. Then the DKIM line will contain "verification
succeeded", which is not expected.
--
You are receiving this mail because:
You are on the CC list for the bug.
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/