Opened 4 years ago

Last modified 10 months ago

#12089 reopened defect

BridgedDB can be forced to email arbitrary email addresses

Reported by: isis
Owned by: isis
Priority: High
Milestone:
Component: Obfuscation/BridgeDB
Version:
Severity: Normal
Keywords: bridgedb-email, security, isis2015Q1Q2, isisExB, isisExC
Cc: isis, sysrqb
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

See #12086.

From this commit message for this unittest:

BridgeDB will accept an email from an arbitrary gmail/yahoo email address at the SMTP layer, and then send the reply to a *different* arbitrary gmail/yahoo email address taken from the contents of the email headers.

As you can see in the example...


(in the ticket description of #12086)

the SMTP command

MAIL FROM: isisgrimalkin@gmail.com

combined with a 'From: isislovecruft@gmail.com' in the email headers within the SMTP DATA segment caused the reply to be sent to the latter, when it came from the former.


While this was done quick-and-dirty with netcat, it's probably possible to configure msmtp to send the same SMTP commands/info with embedded email headers still specifying an arbitrary email address, such that Gmail/Yahoo would produce a valid DKIM signature for it and pass it along to BridgeDB. (And thus the issue isn't merely that DKIM verification appears to be broken; the issue is that we're not checking that the source of an incoming email matches the destination of the response.)

In addition, the person reading such an unsolicited response from BridgeDB also has no way to know who originally emailed BridgeDB to cause this email to end up in her inbox in the first place.

I'm not exactly certain if this is a bug or a feature. While it could be used for sending some junk to an arbitrary gmail/yahoo address, it could also be used as a sort of

"Dear BridgeDB, can I have some bridges? Asking for a friend."

mechanism.


I'm guessing that we're likely to see more use of it for the former, more malicious activity than the latter benevolent one, and so we should probably consider this a pretty serious bug.



Side note:

All the bugs found with that unittest were present in older versions of BridgeDB, and possibly have always been present, and they don't appear to be resultant from my recent rewrite of the email servers (as sysrqb noted, my rewrite retained portions of the old codebase). I just wanted to point that out so that I'm not blamed for introducing them. Unfortunately, I didn't catch this while staring at the code for several hours. (But hiphiphooray for unittests! :D )


Child Tickets

Attachments (1)

0001-Tests-12089.patch (6.6 KB) - added by trygve 4 years ago.


Change History (7)

comment:1 Changed 4 years ago by isis

Resolution: fixed
Status: new → closed

This is fixed in my fix/12086-rcptto-other-domain branch, which is based on more unittests and bugfixes in my fix/9874-automate-email-tests branch.

comment:2 Changed 4 years ago by isis

Resolution: fixed
Status: closed → reopened

Some of the fix for #12089 was disabled by #12627:

commit 422410756a7752d6af5b881776fb107fd5e6335e (tpo-isis/fix/12627-hotfixes, isislovecruft/fix/12627-hotfixes, greyarea/fix/12627-hotfixes, fix/12627-hotfixes)
Author:     Matthew Finkel <sysrqb@torproject.org>
AuthorDate: Sat Jul 19 03:33:56 2014 +0000
Commit:     Isis Lovecruft <isis@torproject.org>
CommitDate: Tue Jul 22 22:26:42 2014 +0000

    Revert check for SMTP/email header canonical hostname equivalence.
    
    Signed-off-by: Isis Lovecruft <isis@torproject.org>
    
    For now, we need to revert this check to get the email distributor to
    function. We should look into this issue in order to get BridgeDB in a
    state where instances of it are runnable by other organisations to hand
    out their own bridges. [OTHER_ORG]
    
    Fixing this is essential for #12089.

diff --git a/lib/bridgedb/email/autoresponder.py b/lib/bridgedb/email/autoresponder.py
index 7e5f900..3674702 100644
--- a/lib/bridgedb/email/autoresponder.py
+++ b/lib/bridgedb/email/autoresponder.py
@@ -631,12 +631,12 @@ class SMTPAutoresponder(smtp.SMTPClient):
 
         # The canonical domains from the SMTP ``MAIL FROM:`` and the email
         # ``From:`` header should match:
-        if self.incoming.canonicalFromSMTP != self.incoming.canonicalFromEmail:
-            logging.error("SMTP/Email canonical domain mismatch!")
-            logging.debug("Canonical domain mismatch: %s != %s"
-                          % (self.incoming.canonicalFromSMTP,
-                             self.incoming.canonicalFromEmail))
-            return False
+        #if self.incoming.canonicalFromSMTP != self.incoming.canonicalFromEmail:
+        #    logging.error("SMTP/Email canonical domain mismatch!")
+        #    logging.debug("Canonical domain mismatch: %s != %s"
+        #                  % (self.incoming.canonicalFromSMTP,
+        #                     self.incoming.canonicalFromEmail))
+        #    return False
 
         self.incoming.domainRules = self.incoming.context.domainRules.get(
             self.incoming.canonicalFromEmail, list())

Changed 4 years ago by trygve

Attachment: 0001-Tests-12089.patch added

comment:3 Changed 4 years ago by trygve

Added patch to test_smtp.py to reproduce the issue described in this ticket. The test sends an email to bridgedb in which the 'MAIL FROM' address in the SMTP header differs from the 'From' address in the email.

Note: The test assumes that bridgedb should detect this situation and not generate a response. At the time of writing, this test fails because a response is generated.

Note: At the time of writing, test_smtp.py has not yet been merged into the bridgedb master branch (currently in isis' repo).
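As an added example that is not part of this ticket or of BridgeDB's code, the check the description asks for and that trygve's test in comment:3 expects (answer only when the SMTP MAIL FROM: and the message's From: header agree), comparing the whole mailbox rather than only the canonical domain as the reverted hunk in comment:2 did; the domain-alias table and the sample message are constructed assumptions.

```python
# Added example (not BridgeDB's code): refuse to autorespond when the SMTP
# envelope sender and the message's From: header do not name the same mailbox.
# The domain alias table is an assumption made for this example.
import email
from email.utils import parseaddr

# Provider domains that deliver to the same mailbox (assumed values).
CANONICAL_DOMAINS = {
    "googlemail.com": "gmail.com",
    "gmail.com": "gmail.com",
    "yahoo.com": "yahoo.com",
}

def canonical_address(addr):
    """Return (localpart, canonical domain) for a bare or display-name address,
    or None when no usable address is present."""
    _, bare = parseaddr(addr)
    if "@" not in bare:
        return None
    local, _, domain = bare.lower().rpartition("@")
    return local, CANONICAL_DOMAINS.get(domain, domain)

def reply_target(smtp_mail_from, raw_message):
    """Return the address to answer, or None if the autoresponder must stay silent.

    smtp_mail_from is the address from the SMTP ``MAIL FROM:`` command and
    raw_message the RFC 5322 text from the ``DATA`` segment. A message whose
    ``From:`` header names a different mailbox (the ticket's case) gets no reply,
    instead of a reply addressed to a third party chosen through the headers.
    """
    envelope = canonical_address(smtp_mail_from)
    header = canonical_address(email.message_from_string(raw_message).get("From", ""))
    if envelope is None or header is None or envelope != header:
        return None
    # The reply goes to the envelope sender only, never to a header-supplied address.
    return parseaddr(smtp_mail_from)[1]

# Constructed sample reproducing the ticket: header From: differs from MAIL FROM:.
SAMPLE_MESSAGE = (
    "From: isislovecruft@gmail.com\n"
    "To: bridges@bridges.example\n"
    "Subject: get bridges\n"
    "\n"
    "get bridges\n"
)

if __name__ == "__main__":
    print(reply_target("isisgrimalkin@gmail.com", SAMPLE_MESSAGE))  # -> None
    print(reply_target("isislovecruft@gmail.com", SAMPLE_MESSAGE))  # -> isislovecruft@gmail.com
```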

comment:4 Changed 4 years ago by isis

Keywords: isis2015Q1Q2 isisExB isisExC added

comment:5 Changed 3 years ago by isis

Priority: critical → major

comment:6 Changed 10 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
