K 10
svn:author
V 6
iulius
K 8
svn:date
V 27
2011-07-05T20:37:42.217435Z
K 7
svn:log
V 1849
STARTTLS / AUTHINFO SASL plaintext command injection

Fixed a possible plaintext command injection during the negotiation of a
TLS layer.  The vulnerability detailed in CVE-2011-0411 affects the STARTTLS
and AUTHINFO SASL commands.  nnrpd now resets its read buffer upon a
successful negotiation of a TLS layer.  It prevents malicious commands, sent
unencrypted, from being executed in the new encrypted state of the session.

The issue has been present since INN 2.3.0 (when STARTTLS was implemented).

Confirmed when sending "STARTTLS\r\nDATE\r\n" with openssl:


17:04 news@trigo ~/work/openssl/openssl-1.0.0d% apps/openssl s_client -quiet -starttls smtp -connect news.trigofacile.com:119
didn't found starttls in server response, try anyway...
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify return:1
500 What?
111 20110403150413
QUIT
205 Bye!

The 500 artefact is because of the EHLO sent by openssl before STARTTLS.
We see here that the DATE command is answered.




With this patch, here is a new attempt with openssl:

17:06 news@trigo ~/work/openssl/openssl-1.0.0d% apps/openssl s_client -quiet -starttls smtp -connect news.trigofacile.com:119
didn't found starttls in server response, try anyway...
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, ST = news.trigofacile.com, O = news.trigofacile.com, CN = news.trigofacile.com
verify return:1
500 What?
DATE
111 20110403150638
QUIT
205 Bye!

The answer to DATE is not given after "500 What?".  We had to explicitly
ask for it.
The issue is therefore solved.

END
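The commit message above describes the defect and the fix in prose: a client pipelines a second command behind STARTTLS in the same plaintext segment, the server's read buffer still holds it after the TLS handshake, and the command is executed in the now-encrypted session. The following simulation is an added example written for this page; it is not nnrpd's or INN's code and makes no claim about INN's internals. It models a minimal NNTP-style command reader with a read buffer (`rbuf`), a stand-in `negotiate_tls()` for the handshake, and a `reset_read_buffer` switch that reproduces the behaviour before and after the fix. The `382` reply code is the STARTTLS continuation reply from RFC 4642; the other replies are taken from the transcripts above; the timestamp is constructed. Discarding the buffer is logged so that an operator has an auditable signal when plaintext was pipelined behind STARTTLS.

```python
"""Simulation of the STARTTLS read-buffer reset (constructed example, not INN code)."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("nntp-sim")

# Reply strings: 500/111/205 as seen in the transcripts above, 382 per RFC 4642.
# The timestamp is a constructed sample value.
REPLIES = {
    b"STARTTLS": "382 Continue with TLS negotiation",
    b"DATE": "111 20110403150413",
    b"QUIT": "205 Bye!",
}


@dataclass
class Session:
    tls_active: bool = False
    rbuf: bytes = b""                                   # bytes received, not yet parsed
    executed: list = field(default_factory=list)       # (command, tls_active at execution)
    replies: list = field(default_factory=list)


def negotiate_tls(session: Session, reset_read_buffer: bool) -> None:
    """Stand-in for a successful TLS handshake.

    The security-relevant step is the buffer reset: every byte still in rbuf
    was received in plaintext, before the TLS layer existed, so it must not
    be interpreted as a command of the encrypted session.
    """
    session.tls_active = True
    if reset_read_buffer and session.rbuf:
        log.warning("discarding %d plaintext byte(s) buffered before STARTTLS",
                    len(session.rbuf))
        session.rbuf = b""


def feed(session: Session, data: bytes, reset_read_buffer: bool) -> None:
    """Append received bytes and execute every complete CRLF-terminated line."""
    session.rbuf += data
    while b"\r\n" in session.rbuf:
        line, _, session.rbuf = session.rbuf.partition(b"\r\n")
        parts = line.split()
        cmd = parts[0].upper() if parts else b""
        if cmd not in REPLIES:
            session.replies.append("500 What?")
            continue
        session.executed.append((cmd.decode(), session.tls_active))
        session.replies.append(REPLIES[cmd])
        if cmd == b"STARTTLS":
            # In a real server the handshake happens here on the raw socket;
            # whatever was already buffered behind STARTTLS is the problem.
            negotiate_tls(session, reset_read_buffer)


def run_pipelined(data: bytes, reset_read_buffer: bool) -> list:
    """Deliver one plaintext segment and report which commands ran, and in which state."""
    session = Session()
    feed(session, data, reset_read_buffer)
    return session.executed


def run_fixed_then_encrypted(plain: bytes, encrypted: bytes) -> list:
    """Fixed server: pipelined plaintext is dropped, a command sent after the
    handshake (i.e. over TLS) is executed normally."""
    session = Session()
    feed(session, plain, reset_read_buffer=True)
    feed(session, encrypted, reset_read_buffer=True)
    return session.executed


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    probe = b"STARTTLS\r\nDATE\r\n"          # the segment from the commit message
    print("without reset:", run_pipelined(probe, reset_read_buffer=False))
    print("with reset:   ", run_pipelined(probe, reset_read_buffer=True))
    print("fixed + TLS DATE:", run_fixed_then_encrypted(probe, b"DATE\r\n"))
```

Without the reset, `DATE` arrives in plaintext but is recorded as executed with `tls_active` set, which is exactly the state confusion the commit closes; with the reset, only `STARTTLS` runs and the client has to resend `DATE` inside the TLS session, matching the second transcript above. The same pattern (flush any buffered input at the moment a security layer is installed) applies to the AUTHINFO SASL security-layer negotiation the commit also names.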
