smtpmail.el security flaw in selecting authentication mechanism

smtpmail.el security flaw in selecting authentication mechanism

[Simon Josefsson]

I just noticed that smtpmail.el chose to use the LOGIN mechanism against
gmail.com which was surprising because they support PLAIN, which should
be preferred.  Debugging this I noticed this is the code that is
responsible for selecting the authentication mechanism to use:

(defun smtpmail-try-auth-methods (process supported-extensions host port)
  (let* ((mechs (cdr-safe (assoc 'auth supported-extensions)))
	 (mech (car (smtpmail-intersection smtpmail-auth-supported mechs)))

Some experiments with this:

(smtpmail-intersection smtpmail-auth-supported '(login plain cram-md5))
(login plain cram-md5)

Thus the code choses the first supported mechanism in the _servers_
order.  It should use the local list instead.  Compare:

(smtpmail-intersection '(login plain cram-md5) smtpmail-auth-supported)
(cram-md5 plain login)

The patch below fixes this.  I have committed it on the trunk.  Maybe it
it should be backported in case you make releases from another branch?

This can be a security problem, since it allows the server to control
whether for example LOGIN or PLAIN (that sends the password in
plaintext) is used instead of CRAM-MD5 (which does not).  Of course,
security aware people use STARTTLS anyway, which should mitigate this.

/Simon

Index: lisp/ChangeLog
===================================================================
RCS file: /sources/emacs/emacs/lisp/ChangeLog,v
retrieving revision 1.15426
diff -u -p -r1.15426 ChangeLog
--- lisp/ChangeLog	3 Mar 2009 16:12:02 -0000	1.15426
+++ lisp/ChangeLog	3 Mar 2009 16:22:18 -0000
@@ -1,3 +1,11 @@
+2009-03-03  Simon Josefsson  <simon@josefsson.org>
+
+	* mail/smtpmail.el (smtpmail-auth-supported): Mention that list is
+	in preference order.
+	(smtpmail-try-auth-methods): Improve which authentication
+	mechanism to use, so that the locally most preferred and mutually
+	supported mechanism is used.
+
 2009-03-03  Stefan Monnier  <monnier@iro.umontreal.ca>
 
 	* emacs-lisp/lisp.el (end-of-defun-function): Make it more clear that
Index: lisp/mail/smtpmail.el
===================================================================
RCS file: /sources/emacs/emacs/lisp/mail/smtpmail.el,v
retrieving revision 1.108
diff -u -p -r1.108 smtpmail.el
--- lisp/mail/smtpmail.el	5 Jan 2009 03:22:37 -0000	1.108
+++ lisp/mail/smtpmail.el	3 Mar 2009 16:22:18 -0000
@@ -218,7 +218,8 @@ This is relative to `smtpmail-queue-dir'
 (defvar smtpmail-read-point)
 
 (defconst smtpmail-auth-supported '(cram-md5 plain login)
-  "List of supported SMTP AUTH mechanisms.")
+  "List of supported SMTP AUTH mechanisms.
+The list is in preference order.")
 
 (defvar smtpmail-mail-address nil
   "Value to use for envelope-from address for mail from ambient buffer.")
@@ -534,7 +535,7 @@ This is relative to `smtpmail-queue-dir'
 
 (defun smtpmail-try-auth-methods (process supported-extensions host port)
   (let* ((mechs (cdr-safe (assoc 'auth supported-extensions)))
-	 (mech (car (smtpmail-intersection smtpmail-auth-supported mechs)))
+	 (mech (car (smtpmail-intersection mechs smtpmail-auth-supported)))
 	 (auth-user (auth-source-user-or-password
 		     "login" host (or port "smtp")))
 	 (auth-pass (auth-source-user-or-password

Re: smtpmail.el security flaw in selecting authentication mechanism

[Stefan Monnier]

> The patch below fixes this.  I have committed it on the trunk.  Maybe it
> it should be backported in case you make releases from another branch?

We haven't cut a branch for the release yet.  Thank you for installing
the patch.


        Stefan

Re: smtpmail.el security flaw in selecting authentication mechanism

[Richard M Stallman]

I am pretty sure we don't plan to make another release of Emacs 22.
Do you think we should make one just on account of this?

Re: smtpmail.el security flaw in selecting authentication mechanism

[Simon Josefsson]

Richard M Stallman <rms@gnu.org> writes:

> I am pretty sure we don't plan to make another release of Emacs 22.
> Do you think we should make one just on account of this?

No.

/Simon

Re: smtpmail.el security flaw in selecting authentication mechanism

[Stefan Monnier]

> I am pretty sure we don't plan to make another release of Emacs 22.
> Do you think we should make one just on account of this?

No, it's not a serious security flaw: it still only uses one of the
protocols that we accept to use.  It just might choose a less
desirable one.


        Stefan