[tor-bugs] #12089 [BridgeDB]: BridgedDB can be forced to email arbitrary email addresses
#12089: BridgedDB can be forced to email arbitrary email addresses
--------------------------------------+----------------------
Reporter: isis | Owner: isis
Type: defect | Status: new
Priority: critical | Milestone:
Component: BridgeDB | Version:
Keywords: bridgedb-email, security | Actual Points:
Parent ID: | Points:
--------------------------------------+----------------------
See #12086.
From
[https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e
this commit message] for
[https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326
this unittest]:
> BridgeDB will accept an email from an arbitrary gmail/yahoo email
address at the SMTP layer, and then send the reply to a *different*
arbitrary gmail/yahoo email address taken from the contents of the email
headers.
>
> As you can see in the example...
(in the ticket description of #12086)
> the SMTP command
>
> {{{
> MAIL FROM: isisgrimalkin@xxxxxxxxx
> }}}
>
> combined with a `'From: isislovecruft@xxxxxxxxx'` in the email headers
within the SMTP `DATA` segment caused the reply to be sent to the latter,
when it came from the former.
While this was done quick-and-dirty with netcat, it's probably possible to
configure msmtp to send the same SMTP commands/info with embedded email
headers still specifying an arbitrary email address, such that Gmail/Yahoo
would produce a valid DKIM signature for it and pass it along to BridgeDB.
(And thus the issue isn't merely that DKIM verification appears to be
broken, but the issue is that we're not checking that the source of an
incoming email matches the destination of the response.)
> In addition, the person reading such an unsolicited response from
BridgeDB also has no way to know who originally emailed BridgeDB to cause
this email to end up in her inbox in the first place.
>
> I'm not exactly certain if this is a bug or a feature. While it could be
used for sending some junk to an arbitrary gmail/yahoo address, it could
also be used as a sort of
>
> "Dear BridgeDB, can I have some bridges? Asking for a friend."
>
> mechanism.
I'm guessing that we're likely to see more use of it for the former, more
malicious activity than the latter benevolent one, and so we should
probably consider this a pretty serious bug.
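As an added illustration of the missing check (example code, not BridgeDB's own), the responder below compares the SMTP envelope sender with the header `From:` address and only ever replies to the envelope sender; the addresses and message are constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed sample reproducing the pattern from the ticket: the SMTP
# MAIL FROM (envelope sender) and the header From: name different mailboxes.
ENVELOPE_SENDER = "isisgrimalkin@example.com"
RAW_MESSAGE = b"""From: isislovecruft@example.com
To: bridges@example.org
Subject: get bridges

get bridges
"""


def normalize_address(addr):
    """Strip any display name and lowercase the mailbox.

    Returns '' when the value is missing or does not parse as one address.
    """
    _, mailbox = parseaddr(addr or "")
    mailbox = mailbox.strip().lower()
    if mailbox.count("@") != 1:
        return ""
    return mailbox


def choose_reply_target(envelope_sender, raw_message):
    """Return the address a reply may go to, or None to drop the request.

    Hypothetical check (assumption, not BridgeDB's code): the reply is only
    sent when the header From: matches the envelope sender, and it is always
    addressed to the envelope sender, never to a header-supplied address.
    """
    msg = email.message_from_bytes(raw_message)
    env = normalize_address(envelope_sender)
    hdr = normalize_address(msg.get("From"))
    if not env or not hdr:
        # Unparseable or absent sender: nothing to reply to safely.
        return None
    if env != hdr:
        # Mismatch: the sender never demonstrated control of the header
        # address, so replying to it would relay mail to a third party.
        return None
    return env
```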
-----------------------------------------------------------------------------
Side note:
All the bugs found with that unittest were present in older versions of
BridgeDB, and possibly have always been present, and they don't appear to
result from my recent rewrite of the email servers
([https://trac.torproject.org/projects/tor/ticket/5463#comment:21 as
sysrqb noted], my rewrite retained portions of the old codebase). I just
wanted to point that out so that I'm not blamed for introducing them.
Unfortunately, I didn't catch this while staring at the code for several
hours. (But hiphiphooray for unittests! :D )
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12089>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online