[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #12086 [BridgeDB]: BridgeDB accepts incoming emails sent to 'givemebridges@xxxxxxxxxx'
#12086: BridgeDB accepts incoming emails sent to 'givemebridges@xxxxxxxxxx'
--------------------------+--------------------------------------
Reporter: isis | Owner: isis
Type: defect | Status: new
Priority: major | Milestone:
Component: BridgeDB | Version:
Resolution: | Keywords: bridgedb-email, security
Actual Points: | Parent ID:
Points: |
--------------------------+--------------------------------------
Description changed by isis:
Old description:
> From
> [https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e
> this commit message] for
> [https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326
> this unittest which reproduces the issue] and which is [https://travis-
> ci.org/isislovecruft/bridgedb/jobs/25714425#L1679 currently failing with
> this error]:
>
> > BridgeDB's current code will accept an incoming email with a `To:
> givemebridges@xxxxxxxxxx` header. However, BridgeDB's reply will still
> contain: `From: bridges@xxxxxxxxxxxxxx`.
> >
> > Obviously, it ''shouldn't'' be possible for any email whose SMTP `RCPT
> TO` domain is `'serious.ly'` to actually end up in BridgeDB's mail queue.
> Though, if the outside SMTP layer is sent to
> `'[bridges|ponticum].torproject.org'` (with `MAIL FROM:` a gmail/yahoo
> address), these messages still end up in BridgeDB's mail queue.
> >
> > The following netcat session demonstrates that this is possible:
> >
> > {{{
> > â!isisâwintermute:(master *$=)~ â torsocks nc bridges.torproject.org
> 25
> > 220 ponticum.torproject.org ESMTP Postfix (Debian/GNU)
> > HELO ponticum.torproject.org
> > 250 ponticum.torproject.org
> > MAIL FROM: isisgrimalkin@xxxxxxxxx
> > 250 2.1.0 Ok
> > RCPT TO: bridges@xxxxxxxxxxxxxxxxxxxxxx
> > 250 2.1.5 Ok
> > DATA
> > 354 End data with <CR><LF>.<CR><LF>
> > From: isislovecruft@xxxxxxxxx
> > To: givemebridgesrightnow@xxxxxxxxxx
> > Subject: mwhahaha
> >
> > get transport obfs3
> > .
> > 250 2.0.0 Ok: queued as F03972834F
> > QUIT
> > 221 2.0.0 Bye
> > }}}
> >
> > This request resulted in the following...
>
> Although these logs ''were'' taken from the currently live server, they
> are "sanitised".Â
>
> Â Where "sanitised" means "all bridge info, including IP addresses and
> hashes, are faked" and "all email addresses are mine".
>
> > ...debug logs:
> >
> > {{{
> > 15:30:31 DEBUG L690:server.validateFrom() ORIGIN:
> "'<bridgedb@ponticum>'"
> > 15:30:31 DEBUG L699:server.validateFrom() Got canonical domain:
> 'ponticum'
> > 15:30:31 DEBUG L495:server.lineReceived() > Received: from
> ponticum (ponticum [127.0.0.1]) for <bridges@bridgedb>; Wed, 21 May 2014
> 15:30:31 +0000
> > 15:30:31 DEBUG L495:server.lineReceived() > From
> isisgrimalkin@xxxxxxxxx Wed May 21 15:30:31 2014
> > 15:30:31 DEBUG L495:server.lineReceived() > X-Original-To:
> bridges@xxxxxxxxxxxxxxxxxxxxxx
> > 15:30:31 DEBUG L495:server.lineReceived() > Delivered-To:
> bridgedb@xxxxxxxxxxxxxxxxxxxxxxx
> > 15:30:31 DEBUG L495:server.lineReceived() > Received: from
> ponticum.torproject.org (kpebetka.net [95.79.25.182])
> > 15:30:31 DEBUG L495:server.lineReceived() > by
> ponticum.torproject.org (Postfix) with SMTP id F03972834F
> > 15:30:31 DEBUG L495:server.lineReceived() > for
> <bridges@xxxxxxxxxxxxxxxxxxxxxx>; Wed, 21 May 2014 15:29:18 +0000 (UTC)
> > 15:30:31 DEBUG L495:server.lineReceived() > From:
> isislovecruft@xxxxxxxxx
> > 15:30:31 DEBUG L495:server.lineReceived() > To:
> givemebridgesrightnow@xxxxxxxxxx
> > 15:30:31 DEBUG L495:server.lineReceived() > Subject: mwhahaha
> > 15:30:31 DEBUG L495:server.lineReceived() > X-DKIM-
> Authentication-Results: dunno
> > 15:30:31 DEBUG L495:server.lineReceived() > Date: Wed, 21 May
> 2014 15:30:31 -0000
> > 15:30:31 DEBUG L495:server.lineReceived() > Message-Id:
> <1400686231.135135.6548@ponticum>
> > 15:30:31 DEBUG L495:server.lineReceived() >
> > 15:30:31 DEBUG L495:server.lineReceived() > get transport obfs3
> > 15:30:31 DEBUG L495:server.lineReceived() >
> > 15:30:31 INFO L611:server.reply() Got an email; deciding
> whether to reply.
> > 15:30:31 INFO L646:server.reply() Client requested email
> translation: en
> > 15:30:31 DEBUG L70:request.determineBridg() Email request was
> valid.
> > 15:30:31 DEBUG L160:request.withPluggableT() Parsing 'transport'
> line: 'get transport obfs3'
> > 15:30:31 INFO L169:request.withPluggableT() Email requested
> transport type: 'obfs3'
> > 15:30:31 DEBUG L81:request.determineBridg() Generating hashring
> filters for request.
> > 15:30:31 INFO L420:Dist.getBridgesForEmai() Attempting to return
> for 3 bridges for isislovecruft@xxxxxxxxxxxx
> > 15:30:31 DEBUG L445:Dist.getBridgesForEmai() Cache hit
> frozenset([<function filterBridgesByTransport(obfs3,<class
> 'ipaddr.IPv4Address'>)>])
> > 15:30:31 DEBUG L75:Dist.getNumBridgesPerA() Returning 3 bridges
> from ring of len: 492
> > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
> 'edfa2fd66533da52f40424bbe917bd03c8378c2d' in main hashring for position
> 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
> 'ed0b2fd66f398afbf10424bb911790faca9ddb8e' in main hashring for position
> 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> > 15:30:31 DEBUG L183:server.generateRespons() Email contents:
> > From: bridges@xxxxxxxxxxxxxx
> > To: isislovecruft@xxxxxxxxx
> > Message-ID:
> <20140521153031.21456.73227139.10726@xxxxxxxxxxxxxxxxxxxxxxx>
> > In-Reply-To: <1400686231.135135.6548@ponticum>
> > Content-Type: text/plain; charset="utf-8"
> > Date: Wed, 21 May 2014 15:30:31 +0000
> > Subject: Re: mwhahaha
> >
> >
> > Hey, isislovecruft!
> >
> > [This is an automated message; please do not reply.]
> >
> > Here are your bridges:
> >
> > obfs3 10.1.1.1:1111 d14133856abbba8a65607baebf692162c567bf41
> > obfs3 10.2.2.2:2222 86f45ab5dcef80a4b1abfcc43579e76f1d0b25a4
> > obfs3 10.3.3.3:3333 5d55daabd91e041e74f62dcfab1a29c8bb32f0b2
> >
> >
> > To enter bridges into Tor Browser, follow the instructions on the Tor
> > Browser download page [0] to start Tor Browser.
> >
> > When the 'Tor Network Settings' dialogue pops up, click 'Configure' and
> follow
> > the wizard until it asks:
> >
> > > Does your Internet Service Provider (ISP) block or otherwise censor
> connections
> > > to the Tor network?
> >
> > Select 'Yes' and then click 'Next'. To configure your new bridges, copy
> and
> > paste the bridge lines into the text input box. Finally, click
> 'Connect', and
> > you should be good to go! If you experience trouble, try clicking the
> 'Help'
> > button in the 'Tor Network Settings' wizard for further assistance.
> >
> > [0]: https://www.torproject.org/projects/torbrowser.html.en#downloads-
> beta
> >
> >
> >
> > COMMANDs: (combine COMMANDs to specify multiple options simultaneously)
> > get bridges Request vanilla bridges.
> > get transport [TYPE] Request a Pluggable Transport by TYPE.
> > get help Displays this message.
> > get key Get a copy of BridgeDB's public GnuPG key.
> > get ipv6 Request IPv6 bridges.
> >
> > Currently supported transport TYPEs:
> > obfs2
> > obfs3
> > scramblesuit
> >
> >
> > --
> > <3 BridgeDB
> >
> > ----------------------------------------------------------------------
> > Public Keys: https://bridges.torproject.org/keys
> > This email was generated with rainbows, unicorns, and sparkles
> > for isislovecruft@xxxxxxxxx on Wednesday, 21 May, 2014 at 15:30:31.
> >
> >
> > 15:30:31 INFO L655:server.reply() Sending reply to
> isislovecruft@xxxxxxxxx
> > }}}
> >
>
> The other two bugs detailed in the above commit message are tickets
> #12089 and #XXX respectively.
New description:
From
[https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e
this commit message] for
[https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326
this unittest which reproduces the issue] and which is [https://travis-
ci.org/isislovecruft/bridgedb/jobs/25714425#L1679 currently failing with
this error]:
> BridgeDB's current code will accept an incoming email with a `To:
givemebridges@xxxxxxxxxx` header. However, BridgeDB's reply will still
contain: `From: bridges@xxxxxxxxxxxxxx`.
>
> Obviously, it ''shouldn't'' be possible for any email whose SMTP `RCPT
TO` domain is `'serious.ly'` to actually end up in BridgeDB's mail queue.
Though, if the outside SMTP layer is sent to
`'[bridges|ponticum].torproject.org'` (with `MAIL FROM:` a gmail/yahoo
address), these messages still end up in BridgeDB's mail queue.
>
> The following netcat session demonstrates that this is possible:
>
> {{{
> â!isisâwintermute:(master *$=)~ â torsocks nc bridges.torproject.org
25
> 220 ponticum.torproject.org ESMTP Postfix (Debian/GNU)
> HELO ponticum.torproject.org
> 250 ponticum.torproject.org
> MAIL FROM: isisgrimalkin@xxxxxxxxx
> 250 2.1.0 Ok
> RCPT TO: bridges@xxxxxxxxxxxxxxxxxxxxxx
> 250 2.1.5 Ok
> DATA
> 354 End data with <CR><LF>.<CR><LF>
> From: isislovecruft@xxxxxxxxx
> To: givemebridgesrightnow@xxxxxxxxxx
> Subject: mwhahaha
>
> get transport obfs3
> .
> 250 2.0.0 Ok: queued as F03972834F
> QUIT
> 221 2.0.0 Bye
> }}}
>
> This request resulted in the following...
Although these logs ''were'' taken from the currently live server, they
are "sanitised".Â
 Where "sanitised" means "all bridge info, including IP addresses and
hashes, are faked" and "all email addresses are mine".
> ...debug logs:
>
> {{{
> 15:30:31 DEBUG L690:server.validateFrom() ORIGIN:
"'<bridgedb@ponticum>'"
> 15:30:31 DEBUG L699:server.validateFrom() Got canonical domain:
'ponticum'
> 15:30:31 DEBUG L495:server.lineReceived() > Received: from
ponticum (ponticum [127.0.0.1]) for <bridges@bridgedb>; Wed, 21 May 2014
15:30:31 +0000
> 15:30:31 DEBUG L495:server.lineReceived() > From
isisgrimalkin@xxxxxxxxx Wed May 21 15:30:31 2014
> 15:30:31 DEBUG L495:server.lineReceived() > X-Original-To:
bridges@xxxxxxxxxxxxxxxxxxxxxx
> 15:30:31 DEBUG L495:server.lineReceived() > Delivered-To:
bridgedb@xxxxxxxxxxxxxxxxxxxxxxx
> 15:30:31 DEBUG L495:server.lineReceived() > Received: from
ponticum.torproject.org (kpebetka.net [95.79.25.182])
> 15:30:31 DEBUG L495:server.lineReceived() > by
ponticum.torproject.org (Postfix) with SMTP id F03972834F
> 15:30:31 DEBUG L495:server.lineReceived() > for
<bridges@xxxxxxxxxxxxxxxxxxxxxx>; Wed, 21 May 2014 15:29:18 +0000 (UTC)
> 15:30:31 DEBUG L495:server.lineReceived() > From:
isislovecruft@xxxxxxxxx
> 15:30:31 DEBUG L495:server.lineReceived() > To:
givemebridgesrightnow@xxxxxxxxxx
> 15:30:31 DEBUG L495:server.lineReceived() > Subject: mwhahaha
> 15:30:31 DEBUG L495:server.lineReceived() > X-DKIM-Authentication-
Results: dunno
> 15:30:31 DEBUG L495:server.lineReceived() > Date: Wed, 21 May 2014
15:30:31 -0000
> 15:30:31 DEBUG L495:server.lineReceived() > Message-Id:
<1400686231.135135.6548@ponticum>
> 15:30:31 DEBUG L495:server.lineReceived() >
> 15:30:31 DEBUG L495:server.lineReceived() > get transport obfs3
> 15:30:31 DEBUG L495:server.lineReceived() >
> 15:30:31 INFO L611:server.reply() Got an email; deciding
whether to reply.
> 15:30:31 INFO L646:server.reply() Client requested email
translation: en
> 15:30:31 DEBUG L70:request.determineBridg() Email request was valid.
> 15:30:31 DEBUG L160:request.withPluggableT() Parsing 'transport'
line: 'get transport obfs3'
> 15:30:31 INFO L169:request.withPluggableT() Email requested
transport type: 'obfs3'
> 15:30:31 DEBUG L81:request.determineBridg() Generating hashring
filters for request.
> 15:30:31 INFO L420:Dist.getBridgesForEmai() Attempting to return for
3 bridges for isislovecruft@xxxxxxxxxxxx
> 15:30:31 DEBUG L445:Dist.getBridgesForEmai() Cache hit
frozenset([<function filterBridgesByTransport(obfs3,<class
'ipaddr.IPv4Address'>)>])
> 15:30:31 DEBUG L75:Dist.getNumBridgesPerA() Returning 3 bridges from
ring of len: 492
> 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
'edfa2fd66533da52f40424bbe917bd03c8378c2d' in main hashring for position
'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
'ed0b2fd66f398afbf10424bb911790faca9ddb8e' in main hashring for position
'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> 15:30:31 DEBUG L183:server.generateRespons() Email contents:
> From: bridges@xxxxxxxxxxxxxx
> To: isislovecruft@xxxxxxxxx
> Message-ID:
<20140521153031.21456.73227139.10726@xxxxxxxxxxxxxxxxxxxxxxx>
> In-Reply-To: <1400686231.135135.6548@ponticum>
> Content-Type: text/plain; charset="utf-8"
> Date: Wed, 21 May 2014 15:30:31 +0000
> Subject: Re: mwhahaha
>
>
> Hey, isislovecruft!
>
> [This is an automated message; please do not reply.]
>
> Here are your bridges:
>
> obfs3 10.1.1.1:1111 d14133856abbba8a65607baebf692162c567bf41
> obfs3 10.2.2.2:2222 86f45ab5dcef80a4b1abfcc43579e76f1d0b25a4
> obfs3 10.3.3.3:3333 5d55daabd91e041e74f62dcfab1a29c8bb32f0b2
>
>
> To enter bridges into Tor Browser, follow the instructions on the Tor
> Browser download page [0] to start Tor Browser.
>
> When the 'Tor Network Settings' dialogue pops up, click 'Configure' and
follow
> the wizard until it asks:
>
> > Does your Internet Service Provider (ISP) block or otherwise censor
connections
> > to the Tor network?
>
> Select 'Yes' and then click 'Next'. To configure your new bridges, copy
and
> paste the bridge lines into the text input box. Finally, click
'Connect', and
> you should be good to go! If you experience trouble, try clicking the
'Help'
> button in the 'Tor Network Settings' wizard for further assistance.
>
> [0]: https://www.torproject.org/projects/torbrowser.html.en#downloads-
beta
>
>
>
> COMMANDs: (combine COMMANDs to specify multiple options simultaneously)
> get bridges Request vanilla bridges.
> get transport [TYPE] Request a Pluggable Transport by TYPE.
> get help Displays this message.
> get key Get a copy of BridgeDB's public GnuPG key.
> get ipv6 Request IPv6 bridges.
>
> Currently supported transport TYPEs:
> obfs2
> obfs3
> scramblesuit
>
>
> --
> <3 BridgeDB
>
> ----------------------------------------------------------------------
> Public Keys: https://bridges.torproject.org/keys
> This email was generated with rainbows, unicorns, and sparkles
> for isislovecruft@xxxxxxxxx on Wednesday, 21 May, 2014 at 15:30:31.
>
>
> 15:30:31 INFO L655:server.reply() Sending reply to
isislovecruft@xxxxxxxxx
> }}}
>
The other two bugs detailed in the above commit message are tickets #12089
and #12091 respectively.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12086#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs