#12086: BridgeDB accepts incoming emails sent to '[email protected]' --------------------------+-------------------------------------- Reporter: isis | Owner: isis Type: defect | Status: new Priority: major | Milestone: Component: BridgeDB | Version: Resolution: | Keywords: bridgedb-email, security Actual Points: | Parent ID: Points: | --------------------------+-------------------------------------- Description changed by isis:
Old description: > From > [https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e > this commit message] for > [https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326 > this unittest which reproduces the issue] and which is [https://travis- > ci.org/isislovecruft/bridgedb/jobs/25714425#L1679 currently failing with > this error]: > > > BridgeDB's current code will accept an incoming email with a `To: > [email protected]` header. However, BridgeDB's reply will still > contain: `From: [email protected]`. > > > > Obviously, it ''shouldn't'' be possible for any email whose SMTP `RCPT > TO` domain is `'serious.ly'` to actually end up in BridgeDB's mail queue. > Though, if the outside SMTP layer is sent to > `'[bridges|ponticum].torproject.org'` (with `MAIL FROM:` a gmail/yahoo > address), these messages still end up in BridgeDB's mail queue. > > > > The following netcat session demonstrates that this is possible: > > > > {{{ > > ∃!isisⒶwintermute:(master *$=)~ ∴ torsocks nc bridges.torproject.org > 25 > > 220 ponticum.torproject.org ESMTP Postfix (Debian/GNU) > > HELO ponticum.torproject.org > > 250 ponticum.torproject.org > > MAIL FROM: [email protected] > > 250 2.1.0 Ok > > RCPT TO: [email protected] > > 250 2.1.5 Ok > > DATA > > 354 End data with <CR><LF>.<CR><LF> > > From: [email protected] > > To: [email protected] > > Subject: mwhahaha > > > > get transport obfs3 > > . > > 250 2.0.0 Ok: queued as F03972834F > > QUIT > > 221 2.0.0 Bye > > }}} > > > > This request resulted in the following... > > Although these logs ''were'' taken from the currently live server, they > are "sanitised".¹ > > ¹ Where "sanitised" means "all bridge info, including IP addresses and > hashes, are faked" and "all email addresses are mine". > > > ...debug logs: > > > > {{{ > > 15:30:31 DEBUG L690:server.validateFrom() ORIGIN: > "'<bridgedb@ponticum>'" > > 15:30:31 DEBUG L699:server.validateFrom() Got canonical domain: > 'ponticum' > > 15:30:31 DEBUG L495:server.lineReceived() > Received: from > ponticum (ponticum [127.0.0.1]) for <bridges@bridgedb>; Wed, 21 May 2014 > 15:30:31 +0000 > > 15:30:31 DEBUG L495:server.lineReceived() > From > [email protected] Wed May 21 15:30:31 2014 > > 15:30:31 DEBUG L495:server.lineReceived() > X-Original-To: > [email protected] > > 15:30:31 DEBUG L495:server.lineReceived() > Delivered-To: > [email protected] > > 15:30:31 DEBUG L495:server.lineReceived() > Received: from > ponticum.torproject.org (kpebetka.net [95.79.25.182]) > > 15:30:31 DEBUG L495:server.lineReceived() > by > ponticum.torproject.org (Postfix) with SMTP id F03972834F > > 15:30:31 DEBUG L495:server.lineReceived() > for > <[email protected]>; Wed, 21 May 2014 15:29:18 +0000 (UTC) > > 15:30:31 DEBUG L495:server.lineReceived() > From: > [email protected] > > 15:30:31 DEBUG L495:server.lineReceived() > To: > [email protected] > > 15:30:31 DEBUG L495:server.lineReceived() > Subject: mwhahaha > > 15:30:31 DEBUG L495:server.lineReceived() > X-DKIM- > Authentication-Results: dunno > > 15:30:31 DEBUG L495:server.lineReceived() > Date: Wed, 21 May > 2014 15:30:31 -0000 > > 15:30:31 DEBUG L495:server.lineReceived() > Message-Id: > <1400686231.135135.6548@ponticum> > > 15:30:31 DEBUG L495:server.lineReceived() > > > 15:30:31 DEBUG L495:server.lineReceived() > get transport obfs3 > > 15:30:31 DEBUG L495:server.lineReceived() > > > 15:30:31 INFO L611:server.reply() Got an email; deciding > whether to reply. > > 15:30:31 INFO L646:server.reply() Client requested email > translation: en > > 15:30:31 DEBUG L70:request.determineBridg() Email request was > valid. > > 15:30:31 DEBUG L160:request.withPluggableT() Parsing 'transport' > line: 'get transport obfs3' > > 15:30:31 INFO L169:request.withPluggableT() Email requested > transport type: 'obfs3' > > 15:30:31 DEBUG L81:request.determineBridg() Generating hashring > filters for request. > > 15:30:31 INFO L420:Dist.getBridgesForEmai() Attempting to return > for 3 bridges for [email protected]... > > 15:30:31 DEBUG L445:Dist.getBridgesForEmai() Cache hit > frozenset([<function filterBridgesByTransport(obfs3,<class > 'ipaddr.IPv4Address'>)>]) > > 15:30:31 DEBUG L75:Dist.getNumBridgesPerA() Returning 3 bridges > from ring of len: 492 > > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge > 'edfa2fd66533da52f40424bbe917bd03c8378c2d' in main hashring for position > 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'. > > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge > 'ed0b2fd66f398afbf10424bb911790faca9ddb8e' in main hashring for position > 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'. > > 15:30:31 DEBUG L183:server.generateRespons() Email contents: > > From: [email protected] > > To: [email protected] > > Message-ID: > <[email protected]> > > In-Reply-To: <1400686231.135135.6548@ponticum> > > Content-Type: text/plain; charset="utf-8" > > Date: Wed, 21 May 2014 15:30:31 +0000 > > Subject: Re: mwhahaha > > > > > > Hey, isislovecruft! > > > > [This is an automated message; please do not reply.] > > > > Here are your bridges: > > > > obfs3 10.1.1.1:1111 d14133856abbba8a65607baebf692162c567bf41 > > obfs3 10.2.2.2:2222 86f45ab5dcef80a4b1abfcc43579e76f1d0b25a4 > > obfs3 10.3.3.3:3333 5d55daabd91e041e74f62dcfab1a29c8bb32f0b2 > > > > > > To enter bridges into Tor Browser, follow the instructions on the Tor > > Browser download page [0] to start Tor Browser. > > > > When the 'Tor Network Settings' dialogue pops up, click 'Configure' and > follow > > the wizard until it asks: > > > > > Does your Internet Service Provider (ISP) block or otherwise censor > connections > > > to the Tor network? > > > > Select 'Yes' and then click 'Next'. To configure your new bridges, copy > and > > paste the bridge lines into the text input box. Finally, click > 'Connect', and > > you should be good to go! If you experience trouble, try clicking the > 'Help' > > button in the 'Tor Network Settings' wizard for further assistance. > > > > [0]: https://www.torproject.org/projects/torbrowser.html.en#downloads- > beta > > > > > > > > COMMANDs: (combine COMMANDs to specify multiple options simultaneously) > > get bridges Request vanilla bridges. > > get transport [TYPE] Request a Pluggable Transport by TYPE. > > get help Displays this message. > > get key Get a copy of BridgeDB's public GnuPG key. > > get ipv6 Request IPv6 bridges. > > > > Currently supported transport TYPEs: > > obfs2 > > obfs3 > > scramblesuit > > > > > > -- > > <3 BridgeDB > > > > ---------------------------------------------------------------------- > > Public Keys: https://bridges.torproject.org/keys > > This email was generated with rainbows, unicorns, and sparkles > > for [email protected] on Wednesday, 21 May, 2014 at 15:30:31. > > > > > > 15:30:31 INFO L655:server.reply() Sending reply to > [email protected] > > }}} > > > > The other two bugs detailed in the above commit message are tickets > #12089 and #XXX respectively. New description: From [https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e this commit message] for [https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326 this unittest which reproduces the issue] and which is [https://travis- ci.org/isislovecruft/bridgedb/jobs/25714425#L1679 currently failing with this error]: > BridgeDB's current code will accept an incoming email with a `To: [email protected]` header. However, BridgeDB's reply will still contain: `From: [email protected]`. > > Obviously, it ''shouldn't'' be possible for any email whose SMTP `RCPT TO` domain is `'serious.ly'` to actually end up in BridgeDB's mail queue. Though, if the outside SMTP layer is sent to `'[bridges|ponticum].torproject.org'` (with `MAIL FROM:` a gmail/yahoo address), these messages still end up in BridgeDB's mail queue. > > The following netcat session demonstrates that this is possible: > > {{{ > ∃!isisⒶwintermute:(master *$=)~ ∴ torsocks nc bridges.torproject.org 25 > 220 ponticum.torproject.org ESMTP Postfix (Debian/GNU) > HELO ponticum.torproject.org > 250 ponticum.torproject.org > MAIL FROM: [email protected] > 250 2.1.0 Ok > RCPT TO: [email protected] > 250 2.1.5 Ok > DATA > 354 End data with <CR><LF>.<CR><LF> > From: [email protected] > To: [email protected] > Subject: mwhahaha > > get transport obfs3 > . > 250 2.0.0 Ok: queued as F03972834F > QUIT > 221 2.0.0 Bye > }}} > > This request resulted in the following... Although these logs ''were'' taken from the currently live server, they are "sanitised".¹ ¹ Where "sanitised" means "all bridge info, including IP addresses and hashes, are faked" and "all email addresses are mine". > ...debug logs: > > {{{ > 15:30:31 DEBUG L690:server.validateFrom() ORIGIN: "'<bridgedb@ponticum>'" > 15:30:31 DEBUG L699:server.validateFrom() Got canonical domain: 'ponticum' > 15:30:31 DEBUG L495:server.lineReceived() > Received: from ponticum (ponticum [127.0.0.1]) for <bridges@bridgedb>; Wed, 21 May 2014 15:30:31 +0000 > 15:30:31 DEBUG L495:server.lineReceived() > From [email protected] Wed May 21 15:30:31 2014 > 15:30:31 DEBUG L495:server.lineReceived() > X-Original-To: [email protected] > 15:30:31 DEBUG L495:server.lineReceived() > Delivered-To: [email protected] > 15:30:31 DEBUG L495:server.lineReceived() > Received: from ponticum.torproject.org (kpebetka.net [95.79.25.182]) > 15:30:31 DEBUG L495:server.lineReceived() > by ponticum.torproject.org (Postfix) with SMTP id F03972834F > 15:30:31 DEBUG L495:server.lineReceived() > for <[email protected]>; Wed, 21 May 2014 15:29:18 +0000 (UTC) > 15:30:31 DEBUG L495:server.lineReceived() > From: [email protected] > 15:30:31 DEBUG L495:server.lineReceived() > To: [email protected] > 15:30:31 DEBUG L495:server.lineReceived() > Subject: mwhahaha > 15:30:31 DEBUG L495:server.lineReceived() > X-DKIM-Authentication- Results: dunno > 15:30:31 DEBUG L495:server.lineReceived() > Date: Wed, 21 May 2014 15:30:31 -0000 > 15:30:31 DEBUG L495:server.lineReceived() > Message-Id: <1400686231.135135.6548@ponticum> > 15:30:31 DEBUG L495:server.lineReceived() > > 15:30:31 DEBUG L495:server.lineReceived() > get transport obfs3 > 15:30:31 DEBUG L495:server.lineReceived() > > 15:30:31 INFO L611:server.reply() Got an email; deciding whether to reply. > 15:30:31 INFO L646:server.reply() Client requested email translation: en > 15:30:31 DEBUG L70:request.determineBridg() Email request was valid. > 15:30:31 DEBUG L160:request.withPluggableT() Parsing 'transport' line: 'get transport obfs3' > 15:30:31 INFO L169:request.withPluggableT() Email requested transport type: 'obfs3' > 15:30:31 DEBUG L81:request.determineBridg() Generating hashring filters for request. > 15:30:31 INFO L420:Dist.getBridgesForEmai() Attempting to return for 3 bridges for [email protected]... > 15:30:31 DEBUG L445:Dist.getBridgesForEmai() Cache hit frozenset([<function filterBridgesByTransport(obfs3,<class 'ipaddr.IPv4Address'>)>]) > 15:30:31 DEBUG L75:Dist.getNumBridgesPerA() Returning 3 bridges from ring of len: 492 > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge 'edfa2fd66533da52f40424bbe917bd03c8378c2d' in main hashring for position 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'. > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge 'ed0b2fd66f398afbf10424bb911790faca9ddb8e' in main hashring for position 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'. > 15:30:31 DEBUG L183:server.generateRespons() Email contents: > From: [email protected] > To: [email protected] > Message-ID: <[email protected]> > In-Reply-To: <1400686231.135135.6548@ponticum> > Content-Type: text/plain; charset="utf-8" > Date: Wed, 21 May 2014 15:30:31 +0000 > Subject: Re: mwhahaha > > > Hey, isislovecruft! > > [This is an automated message; please do not reply.] > > Here are your bridges: > > obfs3 10.1.1.1:1111 d14133856abbba8a65607baebf692162c567bf41 > obfs3 10.2.2.2:2222 86f45ab5dcef80a4b1abfcc43579e76f1d0b25a4 > obfs3 10.3.3.3:3333 5d55daabd91e041e74f62dcfab1a29c8bb32f0b2 > > > To enter bridges into Tor Browser, follow the instructions on the Tor > Browser download page [0] to start Tor Browser. > > When the 'Tor Network Settings' dialogue pops up, click 'Configure' and follow > the wizard until it asks: > > > Does your Internet Service Provider (ISP) block or otherwise censor connections > > to the Tor network? > > Select 'Yes' and then click 'Next'. To configure your new bridges, copy and > paste the bridge lines into the text input box. Finally, click 'Connect', and > you should be good to go! If you experience trouble, try clicking the 'Help' > button in the 'Tor Network Settings' wizard for further assistance. > > [0]: https://www.torproject.org/projects/torbrowser.html.en#downloads- beta > > > > COMMANDs: (combine COMMANDs to specify multiple options simultaneously) > get bridges Request vanilla bridges. > get transport [TYPE] Request a Pluggable Transport by TYPE. > get help Displays this message. > get key Get a copy of BridgeDB's public GnuPG key. > get ipv6 Request IPv6 bridges. > > Currently supported transport TYPEs: > obfs2 > obfs3 > scramblesuit > > > -- > <3 BridgeDB > > ---------------------------------------------------------------------- > Public Keys: https://bridges.torproject.org/keys > This email was generated with rainbows, unicorns, and sparkles > for [email protected] on Wednesday, 21 May, 2014 at 15:30:31. > > > 15:30:31 INFO L655:server.reply() Sending reply to [email protected] > }}} > The other two bugs detailed in the above commit message are tickets #12089 and #12091 respectively. -- -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12086#comment:2> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
