Add advisory for SMTP injection vulnerability in mail <2.6.0 #215
I did a git bisect using a test case I received from the author, and if I'm understanding the issue correctly, I think mikel/mail@72befdc fixed it. Let me confer with the paper author to make sure I'm seeing the right thing.
He confirms it's that rev. If the unfold method is commented out, the problem returns.
The paper author has informed me "BTW, while investigating the source code of Mail, I came to think the fault might be more on Net::SMTP's side. It is difficult to say who is responsible for it, Net::SMTP, Mail or application developers (library users) though." 'mail' guys... thoughts on this? In any case, should add a test to 'mail' to ensure this doesn't pop up again. :)
Always learning something new, thx.
Request made to MITRE (and also posted to oss-security@) for a CVE. Also requested an ID from OSVDB. Sucks we have to wait for one of them before getting this advisory published.
First we've heard of this for the mail lib. Forwarded to [email protected], too.
@reedloden how the heck did you find this? Do you know if the author tried to contact anyone before publishing?
@bf4 The paper was posted on r/netsec. It was indirectly mentioned in an advisory for PHPMailer as well. I'm in contact with the author, so I will ask him, but I suspect not for Ruby at least, as the issue had been fixed already (though not on purpose, it seems).
It was originally posted to the WebAppSec mailing list on 2015-12-09. |
The mail 2.6.x fix is a coincidence. Even if it was intentional, it wouldn't be a sufficient fix for the underlying SMTP injection vuln. The referenced paper discusses this a bit: crafting otherwise-legal FWS to inject & exploit specific MTAs. Furthermore, the fix is a side effect of incorrect behavior. Fixing that behavior in the mail lib would inadvertently re-expose the underlying SMTPi vuln that had been coincidentally masked. No good. To rule out this risk, we need input validation in stdlib net/smtp.
Is there a bug filed with ruby upstream to add that validation so that this
On Tuesday, April 5, 2016, Jeremy Daer [email protected] wrote:
@reedloden Yep, filed 2015-12-11.
@jeremy Link to bug report just so I can track it?
@reedloden not public; reported to [email protected].
HackerOne report and fix: https://hackerone.com/reports/137631 Resolved in Ruby 2.4.0 release by ruby/ruby@0827a7e
2.5.5.rc1 and 2.6.6.rc1 gems released with SMTP address validation: mikel/mail#1097
@jeremy hey! Do we need to update anything re: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mail/OSVDB-131677.yml ? I'm thinking re: the patched or fixed versions. (Aside from adding better context of course. We could add links, and or move off OSVDB if there's a CVE for it…) Thanks!
Hey @phillmv! Could just bump Vulnerable:
Non vulnerable:
Not sure how this best maps to advisories.
We should split this into two advisories: one for the Mail gem not doing output validation and another for Ruby SMTP allowing CRLF injection. I requested a CVE for the Ruby vuln. @reedloden requested back in 2015 as well, so we may have a dupe or that may apply to the Mail lib only.
I'm fine with the most basic "your ass is covered" version range, and thank you for confirming. I approved the PR and added some useful context: 01c549e If you think it's more accurate to have a 2nd advisory that's fine by me.
PR for Ruby vuln, pending CVE assignment: #293
CVE-2015-9096 (Ruby) and CVE-2015-9097 (Mail) assigned. #293 updated.
Woot! Thanks!
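The two comments above (the one arguing that net/smtp needs input validation because header unfolding in the Mail gem only masked the problem, and the one splitting the issue into a Mail output-validation advisory and a Ruby CRLF-injection advisory) both come down to the same defensive rule: an envelope address must never reach Net::SMTP with a CR or LF in it, since a bare newline ends the SMTP command line. The following is an added example written for this page; it is not code from the Mail gem, from Ruby's net/smtp, or from the thread's participants. The helper names `guard_smtp_address` and `safe_envelope?` are assumptions, and the rejection rule (refuse any CR or LF, including the CRLF-plus-whitespace form that is legal folding whitespace in a message header but meaningless in an SMTP command) is the author's choice for the example, not a description of how either library implements its check.

```ruby
# Added example: an application-side guard that validates addresses before they
# are handed to Net::SMTP. Not the Mail gem's or Ruby's own code; helper names
# are assumptions made for this example.

class SmtpInjectionError < ArgumentError; end

# Returns +addr+ unchanged when it is safe to place on a MAIL FROM / RCPT TO
# command line, and raises SmtpInjectionError otherwise. Any CR or LF is
# rejected: folding whitespace (CRLF followed by a space or tab) is valid inside
# an RFC 5322 header field, but an SMTP envelope command is a single line, so a
# line break there can only terminate the command early.
def guard_smtp_address(addr)
  raise SmtpInjectionError, "address must be a String" unless addr.is_a?(String)
  if addr =~ /[\r\n]/
    raise SmtpInjectionError, "CR/LF not allowed in SMTP address: #{addr.inspect}"
  end
  addr
end

# Validates a whole envelope (sender plus every recipient) and reports a
# boolean instead of raising, for callers that want to log and drop the message.
def safe_envelope?(from, recipients)
  ([from] + Array(recipients)).each { |a| guard_smtp_address(a) }
  true
rescue SmtpInjectionError
  false
end

# Constructed sample inputs for demonstration (not taken from the paper or the
# thread). The second and third carry a line break and must be refused; the
# third is the folding-whitespace form that header unfolding would normalise
# away, which is why unfolding alone is not a substitute for validation.
SAMPLE_ADDRESSES = {
  "user@example.com"          => true,
  "user@example.com\r\n"      => false,
  "user@\r\n example.com"     => false,
  "user@example.com\n"        => false,
}

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ADDRESSES.each do |addr, expected|
    result = safe_envelope?("sender@example.com", [addr])
    puts "#{addr.inspect}: #{result ? 'accepted' : 'rejected'} (expected #{expected})"
  end
end
```

Call `guard_smtp_address` on every address at the point where the envelope is built, before any library call; validating early keeps the rule independent of which version of Mail or net/smtp happens to be installed, which is exactly the coincidence the thread warns about.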
Need an advisory for the mail vulnerability discussed in http://www.mbsd.jp/Whitepaper/smtpi.pdf (section 3.1)
Affects <2.6.0