Re: [exim] Exim (aoom) named in context of new TLS cross-pro…

Author: Wolfgang Breyha
Date:  
To: exim-users
Subject: Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack
> ... and here is the EXIM EXPLOIT :
> https://github.com/RUB-NDS/alpaca-code/blob/master/exploits/smtp/02-exim.md


That's interesting because I expected a
503 no greeting received yet
if I throw a "mail from:..." at Exim before EHLO/HELO. But in the case the
address given is invalid it is indeed
501 <script>alert(1);</script>: malformed address: alert(1);</script> may
not follow <script>
without prior greeting.

According to debug +all output there is no way to prevent that by ACL
because none is called in this case....
mail from: <script>alert(1);</script>
12:33:23 1608459 SMTP<< mail from: <script>alert(1);</script>
12:33:23 1608459 LOG: smtp_syntax_error MAIN
12:33:23 1608459 SMTP syntax error in "mail from:
<script>alert(1);</script>" H=... malformed address: alert(1);</script> may
not follow <script>
12:33:23 1608459 SMTP>> 501 <script>alert(1);</script>: malformed address:
alert(1);</script> may not follow <script>

Maybe it's best to not reflect anything already known to be "malformed" to
the client? Or add a syntax_error ACL? Or call the command ACL even if a
syntax error is detected?

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | https://www.blafasel.at/
Vienna University Computer Center | Austria
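The two defensive options the post raises (check the greeting state before looking at the argument, and don't echo a malformed argument back to the client) as an added example in Python. This is illustration code written for this page, not Exim's code: the function names, the toy address check and the sample log lines are constructed here, with the log modelled on the debug output quoted in the post. A small scan for tag-like data in Exim-style `SMTP<<` lines is included so the same probe can be spotted in logs.

```python
"""Added example, not Exim's code: a toy MAIL FROM handler that never echoes
raw client data in error replies, plus a scan for tag-like data in Exim-style
'SMTP<<' log lines. Function names, the address check and the sample log are
all constructed for this illustration."""
import re

# Assumed safe subset for anything echoed to the client: letters, digits and a
# few address characters. '<', '>', quotes, slashes and controls are excluded.
_SAFE_ECHO = re.compile(r"[A-Za-z0-9@._+=\- ]")
_MAX_ECHO = 40

# Toy address check (not RFC 5321 parsing): optional angle brackets around
# local@domain with no whitespace or further brackets inside.
_ADDRESS = re.compile(r"^<?[^<>\s@]+@[^<>\s@]+>?$")

# HTML-like tag: '<', optional '/', a tag name, '>'. A bracketed mail address
# has an '@' before its closing '>' and therefore does not match.
_TAG_LIKE = re.compile(r"<\s*/?\s*[A-Za-z!][A-Za-z0-9-]*\s*>")


def split_command(client_line: str) -> tuple[str, str]:
    """Split 'mail from: <addr>' into ('MAIL FROM', '<addr>')."""
    verb, _, argument = client_line.partition(":")
    return verb.strip().upper(), argument.strip()


def reflects_client_input(client_line: str, server_reply: str) -> bool:
    """True when the client's argument appears verbatim in the server reply."""
    _, argument = split_command(client_line)
    return bool(argument) and argument in server_reply


def sanitise_for_echo(text: str, limit: int = _MAX_ECHO) -> str:
    """Replace everything outside the safe subset with '?' and cap the length."""
    cleaned = "".join(ch if _SAFE_ECHO.fullmatch(ch) else "?" for ch in text)
    return cleaned[:limit] + ("..." if len(cleaned) > limit else "")


def syntax_error_reply(client_line: str, reflect: str = "none") -> str:
    """501 reply for a malformed argument.

    reflect='none'      -> nothing from the client is echoed (the post's
                           "don't reflect anything malformed" option)
    reflect='sanitised' -> a filtered, length-limited copy is echoed
    """
    verb, argument = split_command(client_line)
    base = f"501 5.5.2 Syntax error in {verb or 'command'} argument: malformed address"
    if reflect == "sanitised":
        return f"{base} '{sanitise_for_echo(argument)}'"
    return base


def handle_mail_from(client_line: str, greeted: bool) -> str:
    """Check session state before looking at the argument, so nothing about
    the argument is disclosed to a client that has not sent EHLO/HELO."""
    if not greeted:
        return "503 5.5.1 no greeting received yet"
    _, argument = split_command(client_line)
    if not _ADDRESS.match(argument):
        return syntax_error_reply(client_line)
    return "250 2.1.0 Sender OK"


# Constructed Exim-style debug lines modelled on the post (not real traffic).
SAMPLE_LOG = """\
12:33:23 1608459 SMTP<< mail from: <script>alert(1);</script>
12:33:23 1608459 LOG: smtp_syntax_error MAIN
12:33:23 1608459 SMTP>> 501 <script>alert(1);</script>: malformed address: alert(1);</script> may not follow <script>
12:33:24 1608460 SMTP<< EHLO client.example.test
12:33:24 1608460 SMTP<< MAIL FROM:<alice@example.test>
"""

_CLIENT_LINE = re.compile(r"^\S+ (\d+) SMTP<< (.*)$")


def find_tag_like_client_input(log_text: str) -> list[tuple[str, str]]:
    """Return (process id, client command) for 'SMTP<<' lines carrying tag-like data."""
    hits = []
    for line in log_text.splitlines():
        m = _CLIENT_LINE.match(line)
        if m and _TAG_LIKE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    probe = "mail from: <script>alert(1);</script>"
    print(handle_mail_from(probe, greeted=False))
    print(handle_mail_from(probe, greeted=True))
    print(syntax_error_reply(probe, reflect="sanitised"))
    print(find_tag_like_client_input(SAMPLE_LOG))
```

The state check comes first on purpose: a client that has not greeted gets the 503 the post expected, whatever it sent, so the argument is never parsed or echoed at that point. The tag heuristic in the log scan deliberately ignores `<local@domain>` so ordinary MAIL FROM lines do not trigger it.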