  1. James Server
  2. JAMES-4018

RCPT TO parser differential

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 3.9.0
    • SMTPServer
    • None

    Description

      Currently an SMTP transaction parses RCPT parameters twice:

      • in RcptCmdHandler::doFilterChecks for parameter validity checks
      • in RcptCmdHandler::callHooks for actual calls of possible handlers

      1. It is wasteful?
      2. It clearly creates a parser differential, as RcptCmdHandler::callHooks includes the email address in the parameter parsing.

      Valid email addresses like "anything> ORCPT=victim@target.com "@carrier.com would have no rcpt parameters as per doFilterChecks but have one as per callHooks and thus could "trick" the unsuspecting email server to "inject" RCPT parameters mid-transaction.

      Can this be exploited in a real life attack? Not sure TBH.

      How it was detected

      I spotted this weird log:

      java.lang.IllegalArgumentException: Multiple entries with same key: ,= and ,=
      	at com.google.common.collect.ImmutableMap.conflictException(ImmutableMap.java:378)
      	at com.google.common.collect.ImmutableMap.checkNoConflict(ImmutableMap.java:372)
      	at com.google.common.collect.RegularImmutableMap.checkNoConflictInKeyBucket(RegularImmutableMap.java:246)
      	at com.google.common.collect.RegularImmutableMap.fromEntryArrayCheckingBucketOverflow(RegularImmutableMap.java:133)
      	at com.google.common.collect.RegularImmutableMap.fromEntryArray(RegularImmutableMap.java:95)
      	at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:572)
      	at com.google.common.collect.ImmutableMap$Builder.buildOrThrow(ImmutableMap.java:600)
      	at com.google.common.collect.ImmutableMap$Builder.build(ImmutableMap.java:587)
      	at org.apache.james.protocols.smtp.core.RcptCmdHandler.parseParameters(RcptCmdHandler.java:230)
      	at org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:219)
      	at org.apache.james.protocols.smtp.core.RcptCmdHandler.callHook(RcptCmdHandler.java:55)
      	at org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.processHooks(AbstractHookableCmdHandler.java:117)
      	at org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:75)
      	at org.apache.james.protocols.smtp.core.AbstractHookableCmdHandler.onCommand(AbstractHookableCmdHandler.java:50)
      	at org.apache.james.protocols.api.handler.CommandDispatcher.dispatchCommandHandlers(CommandDispatcher.java:165)
      	at org.apache.james.protocols.api.handler.CommandDispatcher.onLine(CommandDispatcher.java:142)
      

      And reproduced it with:

      RCPT TO: <"any> ,= ,= "@ccc.fr>
      

      Cf. https://github.com/linagora/james-project/issues/5119

      The fix

      Like the email address, use the SMTP session parameters to carry over the parameters from doFilterChecks to callHooks...
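
      The differential and the fix direction described above, as an added example that is not the Apache James source: a simplified model in which one view parses only what follows the closing '>' and the other tokenises the whole RCPT argument. The class, its method names and the RCPT_PARAMETERS key are hypothetical; the two inputs are the addresses quoted in this issue, wrapped in angle brackets.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model of the two code paths described in the issue; not the Apache James source.
public class RcptParserDifferential {

    // Index of the '>' that closes the path, skipping any '>' inside a quoted local part.
    static int endOfPath(String arg) {
        boolean quoted = false;
        for (int i = 0; i < arg.length(); i++) {
            char c = arg.charAt(i);
            if (quoted && c == '\\') { i++; continue; }
            if (c == '"') quoted = !quoted;
            else if (c == '>' && !quoted) return i;
        }
        throw new IllegalArgumentException("unterminated path");
    }

    // Tokenises "KEY=VALUE KEY2=VALUE2" and rejects duplicate keys explicitly.
    static Map<String, String> parseParams(String text) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String token : text.trim().split("\\s+")) {
            int eq = token.indexOf('=');
            if (eq <= 0) continue; // token is not a KEY=VALUE parameter
            if (params.putIfAbsent(token.substring(0, eq), token.substring(eq + 1)) != null)
                throw new IllegalArgumentException("duplicate RCPT parameter: " + token);
        }
        return params;
    }

    // Validation view: parameters are only what follows the closing '>'.
    static Map<String, String> filterView(String arg) { return parseParams(arg.substring(endOfPath(arg) + 1)); }

    // Hook view as the issue describes it: the address is included in parameter parsing.
    static Map<String, String> hookView(String arg) { return parseParams(arg); }

    public static void main(String[] args) {
        // Both arguments are the addresses quoted in the issue.
        String injected = "<\"anything> ORCPT=victim@target.com \"@carrier.com>";
        String duplicated = "<\"any> ,= ,= \"@ccc.fr>";
        System.out.println("filter view: " + filterView(injected));
        System.out.println("hook view:   " + hookView(injected));
        try { hookView(duplicated); } catch (IllegalArgumentException e) { System.out.println("hook view throws: " + e.getMessage()); }
        // Fix direction from the issue: parse once, keep the result in session state, hooks read it.
        Map<String, Object> session = new LinkedHashMap<>(); // stand-in for the SMTP session
        session.put("RCPT_PARAMETERS", filterView(injected)); // hypothetical attachment key
        System.out.println("hooks read:  " + session.get("RCPT_PARAMETERS"));
    }
}
```

      A regression test for the real handler can assert the same property: for any RCPT argument, the parameters the hooks receive equal the parameters that passed validation.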

            People

              Assignee: Unassigned
              Reporter: Benoit Tellier (btellier)