Response Injection via STARTTLS in SMTP, POP3 and IMAP

We found another STARTTLS-related issue in Mutt. Unfortunately, it affects SMTP, POP3 and IMAP.

When the server responds with its "let's do TLS now message", e.g. A OK begin TLS\r\n in IMAP or +OK begin TLS\r\n in POP3, Mutt will also read any data after the \r\n and save it into some internal buffer for later processing. This is problematic, because a MITM attacker can inject arbitrary responses. I havn't tested it to this extent, but I highly suspect that this is enough to forge an entire new mailbox in POP3 and IMAP.

There is a nice blogpost by Wietse Venema about a "command injection" in postfix (http://www.postfix.org/CVE-2011-0411.html). What we have here is the problem in reverse, i.e. not a command injection, but a "response injection."

May I send you some more config.ron files (with a short explanation) you can use to test this with the server you already used in the PREAUTH issue via email?

Example trace to give an intuition:

C: A starttls\r\n
S: A OK begin TLS\r\n
   B OK you are logged in // injected response
<--- TLS --->
C: B login xxx xxx
// here, Mutt interprets the injected response and proceeds with something else
// an attacker can also already inject more responses and (in the worst case) mimic a whole session 
C: C select inbox
...

Edited Jun 16, 2020 by Damian Poddebniak