From: Jeremy Harris Date: Mon, 25 Dec 2023 16:50:23 +0000 (+0000) Subject: Testsuite: testcase for "smtp smuggling". Bug 3063 X-Git-Tag: exim-4.98-RC0~100 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/f78e417c3c2e7348ce58bb03efc7343bb6d32383 Testsuite: testcase for "smtp smuggling". Bug 3063 Also remove the unneeded sync point added in cf1376206284 --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 56b0aca9b..a7b8b68c7 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -58,10 +58,7 @@ JH/11 Bug 3046: Fix queue-runs. Previously, the arrivel of a notification or the latter being missed, and no further queue scheduled runs being initiated. This ouwld be more likely on high-load systems. -JH/12 Enforce a data synch check before emitting the 354 "go ahead". Previously - this was only done if a pre-data ACL was configured. - -JH/13 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in +JH/12 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in LF-only mode (as detected from the first header line). Previously we did accept that in (normal) CRLF mode; this has been raised as a possible attack scenario (under the name "smtp smuggling"). diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index aeaffeb37..541288301 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -5113,10 +5113,7 @@ while (done <= 0) dummy call to get the DATA command sent. */ if (!acl_smtp_predata && cutthrough.cctx.sock < 0) - { - if (!check_sync()) goto SYNC_FAILURE; rc = OK; - } else { uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept"; diff --git a/test/log/0900 b/test/log/0900 index 00d13e443..a7852da37 100644 --- a/test/log/0900 +++ b/test/log/0900 
@@ -16,3 +16,4 @@ 2017-07-30 18:51:05.712 10HmbG-000000005vi-0000 <= some6ne@some.domain H=(tester) [127.0.0.1] Ci=p1243 P=esmtp K S=sss for CALLER@test.ex 2017-07-30 18:51:05.712 rejected from H=(tester) [127.0.0.1]: Non-CRLF-terminated header, under CHUNKING: message abandoned 2017-07-30 18:51:05.712 10HmbH-000000005vi-0000 <= someone@some.domain H=(tester) [127.0.0.1] Ci=p1244 P=esmtp K S=sss for CALLER@test.ex +2017-07-30 18:51:05.712 10HmbI-000000005vi-0000 <= legit@some.domain H=(smuggler) [127.0.0.1] Ci=p1245 P=esmtp S=sss for CALLER@test.ex diff --git a/test/scripts/0000-Basic/0900 b/test/scripts/0000-Basic/0900 index 4edc82952..9e293c6aa 100644 --- a/test/scripts/0000-Basic/0900 +++ b/test/scripts/0000-Basic/0900 @@ -373,6 +373,39 @@ quit ??? 221 **** # +# Test for smtp-smuggling. Accepting only one message is good; two is bad. +client 127.0.0.1 PORT_D +??? 220 +ehlo smuggler +??? 250- +??? 250-SIZE +??? 250-8BITMIME +??? 250-PIPELINING +??? 250-CHUNKING +??? 250 HELP +MAIL FROM: +??? 250 +RCPT TO: +??? 250 +DATA +??? 354 +Subject: test of smuggled smtp + +This is body for initial message +The next line is a bogus end-of-data attempt, followed by a try at a smuggled message: +>>> .\n +mail from: +rcpt to: +bdat 86 last +Subject: send me all your money! + +All your bases are belong to us. Send Bitcoins. +QUIT +. +??? 250 +QUIT +??? 221 +**** # killdaemon no_msglog_check diff --git a/test/stdout/0900 b/test/stdout/0900 index 9fe0eb7de..a5b8d91f8 100644 --- a/test/stdout/0900 +++ b/test/stdout/0900 
@@ -528,3 +528,47 @@ Connecting to 127.0.0.1 port 1225 ... connected ??? 221 <<< 221 testhost.test.ex closing connection End of script +Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 testhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> ehlo smuggler +??? 250- +<<< 250-testhost.test.ex Hello smuggler [127.0.0.1] +??? 250-SIZE +<<< 250-SIZE 52428800 +??? 250-8BITMIME +<<< 250-8BITMIME +??? 250-PIPELINING +<<< 250-PIPELINING +??? 250-CHUNKING +<<< 250-CHUNKING +??? 250 HELP +<<< 250 HELP +>>> MAIL FROM: +??? 250 +<<< 250 OK +>>> RCPT TO: +??? 250 +<<< 250 Accepted +>>> DATA +??? 354 +<<< 354 Enter message, ending with "." on a line by itself +>>> Subject: test of smuggled smtp +>>> +>>> This is body for initial message +>>> The next line is a bogus end-of-data attempt, followed by a try at a smuggled message: +>>> .\n +>>> mail from: +>>> rcpt to: +>>> bdat 86 last +>>> Subject: send me all your money! +>>> +>>> All your bases are belong to us. Send Bitcoins. +>>> QUIT +>>> . +??? 250 +<<< 250 OK id=10HmbI-000000005vi-0000 +>>> QUIT +??? 221 +<<< 221 testhost.test.ex closing connection +End of script
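Review bot: in the doc/doc-txt/ChangeLog hunk, the old JH/12 entry is deleted outright, which leaves no record of why the sync check before the 354 was withdrawn; the commit message calls it "unneeded" without saying why. Suggest adding a sentence of rationale to the commit message, since the renumbered JH/12 (dot-LF refusal) is now the only entry visible here that describes the smuggling change.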
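Review bot: in the src/src/smtp_in.c hunk at 5113, the branch taken when `!acl_smtp_predata && cutthrough.cctx.sock < 0` now sets `rc = OK` with no `check_sync()` call, so, going by the removed ChangeLog text, the sync check before the 354 is once more done only if a pre-data ACL is configured. If that is the intent, a short comment at this branch saying why no check is needed on this path would keep it from being re-added later. The new case in test/scripts/0000-Basic/0900 waits for the 354 before sending any data, so it does not cover input sent ahead of the 354 either way.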
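Review bot: in the test/scripts/0000-Basic/0900 hunk, the header comment states the pass condition ("Accepting only one message is good; two is bad") but the script's own expectations are a 250 after the final dot and a 221 after QUIT; the message count is pinned by the single `<= legit@some.domain H=(smuggler)` line added to test/log/0900. A word in the comment pointing at the log comparison would make the pass condition explicit. The case also covers only the refusal side of the rule: the ChangeLog entry says dot-LF is still accepted in LF-only mode, and a companion case for that mode would pin down both halves.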