[exim-dev] [Bug 3063] New: Partially vulnerable to "SMTP Smu…

Top Page
Delete this message
Reply to this message
Author: Exim Bugzilla
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused, [exim-dev] [Bug 3063] "SMTP Smuggling" attack, [exim-dev] [Bug 3063] Partially vulnerable to "SMTP Smuggling" if pipelining is enabled and chunking is disabled/unused, [exim-dev] [Bug 3063] "SMTP Smuggling" attack
Subject: [exim-dev] [Bug 3063] New: Partially vulnerable to "SMTP Smuggling" if pipelining is enabled
https://bugs.exim.org/show_bug.cgi?id=3063

            Bug ID: 3063
           Summary: Partially vulnerable to "SMTP Smuggling" if pipelining
                    is enabled
           Product: Exim
           Version: 4.93
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: Mail Receipt
          Assignee: unallocated@???
          Reporter: bugzilla.exim.simon@???
                CC: exim-dev@???


Exim is partially vulnerable to
https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

Exim incorrectly allows <LF>.<LF> to end a message:
"However, for the case when a dot on a line by itself terminates a message, the
only recognized terminating sequences before and after the dot are LF and CRLF"

https://www.rfc-editor.org/rfc/rfc5321:
"In particular, the sequence <LF>.<LF> (bare line feeds, without carriage
returns) MUST NOT be treated as equivalent to <CRLF>.<CRLF> as the end of mail
data indication."

With pipelining disabled, Exim is accepting one command after the end of a
message. (I don't think it should do this.)

With pipelining enabled, Exim will accept commands up to DATA but no further.
It's not possible to send a message like this but a precisely arranged set of
packets and network congestion at exactly the right time would make it
possible.

--
You are receiving this mail because:
You are on the CC list for the bug.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/