[tor-bugs] #12086 [BridgeDB]: BridgeDB accepts incoming emails sent to 'givemebridges at serious.ly'
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed May 21 19:27:30 UTC 2014
#12086: BridgeDB accepts incoming emails sent to 'givemebridges at serious.ly'
--------------------------+--------------------------------------
Reporter: isis | Owner: isis
Type: defect | Status: new
Priority: major | Milestone:
Component: BridgeDB | Version:
Resolution: | Keywords: bridgedb-email, security
Actual Points: | Parent ID:
Points: |
--------------------------+--------------------------------------
Description changed by isis:
Old description:
> From
> [https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e
> this commit message] for
> [https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326
> this unittest which reproduces the issue] and which is [https://travis-
> ci.org/isislovecruft/bridgedb/jobs/25714425#L1679 currently failing with
> this error]:
>
> > BridgeDB's current code will accept an incoming email with a `To:
> givemebridges at serious.ly` header. However, BridgeDB's reply will still
> contain: `From: bridges at torproject.org`.
> >
> > Obviously, it ''shouldn't'' be possible for any email whose SMTP `RCPT
> TO` domain is `'serious.ly'` to actually end up in BridgeDB's mail queue.
> Though, if the outside SMTP layer is sent to
> `'[bridges|ponticum].torproject.org'` (with `MAIL FROM:` a gmail/yahoo
> address), these messages still end up in BridgeDB's mail queue.
> >
> > The following netcat session demonstrates that this is possible:
> >
> > {{{
> > ∃!isisⒶwintermute:(master *$=)~ ∴ torsocks nc bridges.torproject.org
> 25
> > 220 ponticum.torproject.org ESMTP Postfix (Debian/GNU)
> > HELO ponticum.torproject.org
> > 250 ponticum.torproject.org
> > MAIL FROM: isisgrimalkin at gmail.com
> > 250 2.1.0 Ok
> > RCPT TO: bridges at bridges.torproject.org
> > 250 2.1.5 Ok
> > DATA
> > 354 End data with <CR><LF>.<CR><LF>
> > From: isislovecruft at gmail.com
> > To: givemebridgesrightnow at serious.ly
> > Subject: mwhahaha
> >
> > get transport obfs3
> > .
> > 250 2.0.0 Ok: queued as F03972834F
> > QUIT
> > 221 2.0.0 Bye
> > }}}
> >
> > This request resulted in the following...
>
> Although these logs ''were'' taken from the currently live server, they
> are "sanitised".¹
>
> ¹ Where "sanitised" means "all bridge info, including IP addresses and
> hashes, are faked" and "all email addresses are mine".
>
> > ...debug logs:
> >
> > {{{
> > 15:30:31 DEBUG L690:server.validateFrom() ORIGIN:
> "'<bridgedb at ponticum>'"
> > 15:30:31 DEBUG L699:server.validateFrom() Got canonical domain:
> 'ponticum'
> > 15:30:31 DEBUG L495:server.lineReceived() > Received: from
> ponticum (ponticum [127.0.0.1]) for <bridges at bridgedb>; Wed, 21 May 2014
> 15:30:31 +0000
> > 15:30:31 DEBUG L495:server.lineReceived() > From
> isisgrimalkin at gmail.com Wed May 21 15:30:31 2014
> > 15:30:31 DEBUG L495:server.lineReceived() > X-Original-To:
> bridges at bridges.torproject.org
> > 15:30:31 DEBUG L495:server.lineReceived() > Delivered-To:
> bridgedb at ponticum.torproject.org
> > 15:30:31 DEBUG L495:server.lineReceived() > Received: from
> ponticum.torproject.org (kpebetka.net [95.79.25.182])
> > 15:30:31 DEBUG L495:server.lineReceived() > by
> ponticum.torproject.org (Postfix) with SMTP id F03972834F
> > 15:30:31 DEBUG L495:server.lineReceived() > for
> <bridges at bridges.torproject.org>; Wed, 21 May 2014 15:29:18 +0000 (UTC)
> > 15:30:31 DEBUG L495:server.lineReceived() > From:
> isislovecruft at gmail.com
> > 15:30:31 DEBUG L495:server.lineReceived() > To:
> givemebridgesrightnow at serious.ly
> > 15:30:31 DEBUG L495:server.lineReceived() > Subject: mwhahaha
> > 15:30:31 DEBUG L495:server.lineReceived() > X-DKIM-
> Authentication-Results: dunno
> > 15:30:31 DEBUG L495:server.lineReceived() > Date: Wed, 21 May
> 2014 15:30:31 -0000
> > 15:30:31 DEBUG L495:server.lineReceived() > Message-Id:
> <1400686231.135135.6548 at ponticum>
> > 15:30:31 DEBUG L495:server.lineReceived() >
> > 15:30:31 DEBUG L495:server.lineReceived() > get transport obfs3
> > 15:30:31 DEBUG L495:server.lineReceived() >
> > 15:30:31 INFO L611:server.reply() Got an email; deciding
> whether to reply.
> > 15:30:31 INFO L646:server.reply() Client requested email
> translation: en
> > 15:30:31 DEBUG L70:request.determineBridg() Email request was
> valid.
> > 15:30:31 DEBUG L160:request.withPluggableT() Parsing 'transport'
> line: 'get transport obfs3'
> > 15:30:31 INFO L169:request.withPluggableT() Email requested
> transport type: 'obfs3'
> > 15:30:31 DEBUG L81:request.determineBridg() Generating hashring
> filters for request.
> > 15:30:31 INFO L420:Dist.getBridgesForEmai() Attempting to return
> for 3 bridges for isislovecruft at gmail.com...
> > 15:30:31 DEBUG L445:Dist.getBridgesForEmai() Cache hit
> frozenset([<function filterBridgesByTransport(obfs3,<class
> 'ipaddr.IPv4Address'>)>])
> > 15:30:31 DEBUG L75:Dist.getNumBridgesPerA() Returning 3 bridges
> from ring of len: 492
> > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
> 'edfa2fd66533da52f40424bbe917bd03c8378c2d' in main hashring for position
> 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> > 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
> 'ed0b2fd66f398afbf10424bb911790faca9ddb8e' in main hashring for position
> 'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> > 15:30:31 DEBUG L183:server.generateRespons() Email contents:
> > From: bridges at torproject.org
> > To: isislovecruft at gmail.com
> > Message-ID:
> <20140521153031.21456.73227139.10726 at ponticum.torproject.org>
> > In-Reply-To: <1400686231.135135.6548 at ponticum>
> > Content-Type: text/plain; charset="utf-8"
> > Date: Wed, 21 May 2014 15:30:31 +0000
> > Subject: Re: mwhahaha
> >
> >
> > Hey, isislovecruft!
> >
> > [This is an automated message; please do not reply.]
> >
> > Here are your bridges:
> >
> > obfs3 10.1.1.1:1111 d14133856abbba8a65607baebf692162c567bf41
> > obfs3 10.2.2.2:2222 86f45ab5dcef80a4b1abfcc43579e76f1d0b25a4
> > obfs3 10.3.3.3:3333 5d55daabd91e041e74f62dcfab1a29c8bb32f0b2
> >
> >
> > To enter bridges into Tor Browser, follow the instructions on the Tor
> > Browser download page [0] to start Tor Browser.
> >
> > When the 'Tor Network Settings' dialogue pops up, click 'Configure' and
> follow
> > the wizard until it asks:
> >
> > > Does your Internet Service Provider (ISP) block or otherwise censor
> connections
> > > to the Tor network?
> >
> > Select 'Yes' and then click 'Next'. To configure your new bridges, copy
> and
> > paste the bridge lines into the text input box. Finally, click
> 'Connect', and
> > you should be good to go! If you experience trouble, try clicking the
> 'Help'
> > button in the 'Tor Network Settings' wizard for further assistance.
> >
> > [0]: https://www.torproject.org/projects/torbrowser.html.en#downloads-
> beta
> >
> >
> >
> > COMMANDs: (combine COMMANDs to specify multiple options simultaneously)
> > get bridges Request vanilla bridges.
> > get transport [TYPE] Request a Pluggable Transport by TYPE.
> > get help Displays this message.
> > get key Get a copy of BridgeDB's public GnuPG key.
> > get ipv6 Request IPv6 bridges.
> >
> > Currently supported transport TYPEs:
> > obfs2
> > obfs3
> > scramblesuit
> >
> >
> > --
> > <3 BridgeDB
> >
> > ----------------------------------------------------------------------
> > Public Keys: https://bridges.torproject.org/keys
> > This email was generated with rainbows, unicorns, and sparkles
> > for isislovecruft at gmail.com on Wednesday, 21 May, 2014 at 15:30:31.
> >
> >
> > 15:30:31 INFO L655:server.reply() Sending reply to
> isislovecruft at gmail.com
> > }}}
> >
>
> The other two bugs detailed in the above commit message are tickets
> #12089 and #XXX respectively.
New description:
From
[https://gitweb.torproject.org/user/isis/bridgedb.git/commitdiff/4c18a4e2b89872c5731d4301665642065980086e
this commit message] for
[https://gitweb.torproject.org/user/isis/bridgedb.git/blob/4c18a4e2b89872c5731d4301665642065980086e:/lib/bridgedb/test/test_email_server.py#l326
this unittest which reproduces the issue] and which is [https://travis-
ci.org/isislovecruft/bridgedb/jobs/25714425#L1679 currently failing with
this error]:
> BridgeDB's current code will accept an incoming email with a `To:
givemebridges at serious.ly` header. However, BridgeDB's reply will still
contain: `From: bridges at torproject.org`.
>
> Obviously, it ''shouldn't'' be possible for any email whose SMTP `RCPT
TO` domain is `'serious.ly'` to actually end up in BridgeDB's mail queue.
Though, if the outside SMTP layer is sent to
`'[bridges|ponticum].torproject.org'` (with `MAIL FROM:` a gmail/yahoo
address), these messages still end up in BridgeDB's mail queue.
>
> The following netcat session demonstrates that this is possible:
>
> {{{
> ∃!isisⒶwintermute:(master *$=)~ ∴ torsocks nc bridges.torproject.org
25
> 220 ponticum.torproject.org ESMTP Postfix (Debian/GNU)
> HELO ponticum.torproject.org
> 250 ponticum.torproject.org
> MAIL FROM: isisgrimalkin at gmail.com
> 250 2.1.0 Ok
> RCPT TO: bridges at bridges.torproject.org
> 250 2.1.5 Ok
> DATA
> 354 End data with <CR><LF>.<CR><LF>
> From: isislovecruft at gmail.com
> To: givemebridgesrightnow at serious.ly
> Subject: mwhahaha
>
> get transport obfs3
> .
> 250 2.0.0 Ok: queued as F03972834F
> QUIT
> 221 2.0.0 Bye
> }}}
>
> This request resulted in the following...
Although these logs ''were'' taken from the currently live server, they
are "sanitised".¹
¹ Where "sanitised" means "all bridge info, including IP addresses and
hashes, are faked" and "all email addresses are mine".
> ...debug logs:
>
> {{{
> 15:30:31 DEBUG L690:server.validateFrom() ORIGIN:
"'<bridgedb at ponticum>'"
> 15:30:31 DEBUG L699:server.validateFrom() Got canonical domain:
'ponticum'
> 15:30:31 DEBUG L495:server.lineReceived() > Received: from
ponticum (ponticum [127.0.0.1]) for <bridges at bridgedb>; Wed, 21 May 2014
15:30:31 +0000
> 15:30:31 DEBUG L495:server.lineReceived() > From
isisgrimalkin at gmail.com Wed May 21 15:30:31 2014
> 15:30:31 DEBUG L495:server.lineReceived() > X-Original-To:
bridges at bridges.torproject.org
> 15:30:31 DEBUG L495:server.lineReceived() > Delivered-To:
bridgedb at ponticum.torproject.org
> 15:30:31 DEBUG L495:server.lineReceived() > Received: from
ponticum.torproject.org (kpebetka.net [95.79.25.182])
> 15:30:31 DEBUG L495:server.lineReceived() > by
ponticum.torproject.org (Postfix) with SMTP id F03972834F
> 15:30:31 DEBUG L495:server.lineReceived() > for
<bridges at bridges.torproject.org>; Wed, 21 May 2014 15:29:18 +0000 (UTC)
> 15:30:31 DEBUG L495:server.lineReceived() > From:
isislovecruft at gmail.com
> 15:30:31 DEBUG L495:server.lineReceived() > To:
givemebridgesrightnow at serious.ly
> 15:30:31 DEBUG L495:server.lineReceived() > Subject: mwhahaha
> 15:30:31 DEBUG L495:server.lineReceived() > X-DKIM-Authentication-
Results: dunno
> 15:30:31 DEBUG L495:server.lineReceived() > Date: Wed, 21 May 2014
15:30:31 -0000
> 15:30:31 DEBUG L495:server.lineReceived() > Message-Id:
<1400686231.135135.6548 at ponticum>
> 15:30:31 DEBUG L495:server.lineReceived() >
> 15:30:31 DEBUG L495:server.lineReceived() > get transport obfs3
> 15:30:31 DEBUG L495:server.lineReceived() >
> 15:30:31 INFO L611:server.reply() Got an email; deciding
whether to reply.
> 15:30:31 INFO L646:server.reply() Client requested email
translation: en
> 15:30:31 DEBUG L70:request.determineBridg() Email request was valid.
> 15:30:31 DEBUG L160:request.withPluggableT() Parsing 'transport'
line: 'get transport obfs3'
> 15:30:31 INFO L169:request.withPluggableT() Email requested
transport type: 'obfs3'
> 15:30:31 DEBUG L81:request.determineBridg() Generating hashring
filters for request.
> 15:30:31 INFO L420:Dist.getBridgesForEmai() Attempting to return for
3 bridges for isislovecruft at gmail.com...
> 15:30:31 DEBUG L445:Dist.getBridgesForEmai() Cache hit
frozenset([<function filterBridgesByTransport(obfs3,<class
'ipaddr.IPv4Address'>)>])
> 15:30:31 DEBUG L75:Dist.getNumBridgesPerA() Returning 3 bridges from
ring of len: 492
> 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
'edfa2fd66533da52f40424bbe917bd03c8378c2d' in main hashring for position
'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> 15:30:31 DEBUG L1034:Bridges.getBridges() Got duplicate bridge
'ed0b2fd66f398afbf10424bb911790faca9ddb8e' in main hashring for position
'eda7f69f7c08bd80861c3afa2921168a007d9ae5'.
> 15:30:31 DEBUG L183:server.generateRespons() Email contents:
> From: bridges at torproject.org
> To: isislovecruft at gmail.com
> Message-ID:
<20140521153031.21456.73227139.10726 at ponticum.torproject.org>
> In-Reply-To: <1400686231.135135.6548 at ponticum>
> Content-Type: text/plain; charset="utf-8"
> Date: Wed, 21 May 2014 15:30:31 +0000
> Subject: Re: mwhahaha
>
>
> Hey, isislovecruft!
>
> [This is an automated message; please do not reply.]
>
> Here are your bridges:
>
> obfs3 10.1.1.1:1111 d14133856abbba8a65607baebf692162c567bf41
> obfs3 10.2.2.2:2222 86f45ab5dcef80a4b1abfcc43579e76f1d0b25a4
> obfs3 10.3.3.3:3333 5d55daabd91e041e74f62dcfab1a29c8bb32f0b2
>
>
> To enter bridges into Tor Browser, follow the instructions on the Tor
> Browser download page [0] to start Tor Browser.
>
> When the 'Tor Network Settings' dialogue pops up, click 'Configure' and
follow
> the wizard until it asks:
>
> > Does your Internet Service Provider (ISP) block or otherwise censor
connections
> > to the Tor network?
>
> Select 'Yes' and then click 'Next'. To configure your new bridges, copy
and
> paste the bridge lines into the text input box. Finally, click
'Connect', and
> you should be good to go! If you experience trouble, try clicking the
'Help'
> button in the 'Tor Network Settings' wizard for further assistance.
>
> [0]: https://www.torproject.org/projects/torbrowser.html.en#downloads-
beta
>
>
>
> COMMANDs: (combine COMMANDs to specify multiple options simultaneously)
> get bridges Request vanilla bridges.
> get transport [TYPE] Request a Pluggable Transport by TYPE.
> get help Displays this message.
> get key Get a copy of BridgeDB's public GnuPG key.
> get ipv6 Request IPv6 bridges.
>
> Currently supported transport TYPEs:
> obfs2
> obfs3
> scramblesuit
>
>
> --
> <3 BridgeDB
>
> ----------------------------------------------------------------------
> Public Keys: https://bridges.torproject.org/keys
> This email was generated with rainbows, unicorns, and sparkles
> for isislovecruft at gmail.com on Wednesday, 21 May, 2014 at 15:30:31.
>
>
> 15:30:31 INFO L655:server.reply() Sending reply to
isislovecruft at gmail.com
> }}}
>
The other two bugs detailed in the above commit message are tickets #12089
and #12091 respectively.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12086#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list