Response Injection via STARTTLS in SMTP, POP3 and IMAP
We found another STARTTLS-related issue in Mutt. Unfortunately, it affects SMTP, POP3 and IMAP.
When the server responds with its "let's do TLS now message", e.g. A OK begin TLS\r\n
in IMAP or +OK begin TLS\r\n
in POP3, Mutt will also read any data after the \r\n
and save it into some internal buffer for later processing. This is problematic, because a MITM attacker can inject arbitrary responses. I havn't tested it to this extent, but I highly suspect that this is enough to forge an entire new mailbox in POP3 and IMAP.
There is a nice blogpost by Wietse Venema about a "command injection" in postfix (http://www.postfix.org/CVE-2011-0411.html). What we have here is the problem in reverse, i.e. not a command injection, but a "response injection."
May I send you some more config.ron files (with a short explanation) you can use to test this with the server you already used in the PREAUTH issue via email?
Example trace to give an intuition:
C: A starttls\r\n
S: A OK begin TLS\r\n
B OK you are logged in // injected response
<--- TLS --->
C: B login xxx xxx
// here, Mutt interprets the injected response and proceeds with something else
// an attacker can also already inject more responses and (in the worst case) mimic a whole session
C: C select inbox
...