Professional Documents
Culture Documents
next. PIPELINING [12] preserves this principle, too. TLS” as of January 2021.
session to obtain sensitive data, i.e., “to bypass STARTTLS”, 3.1.2 Extension of well-known Issues
or to introduce meaningful changes to a client, i.e., to tamper
In its original description of the SMTP command injection
with application state.
Wietse Venema noted that “injected commands could be used
In order to uncover potential issues with STARTTLS, we
to steal the victim’s email or SASL (...) username and pass-
conducted semi-automatic network-only tests. Network-based
word” [33], but no concrete attacks were described since the
testing covers a wide range of software – notably, they allowed
description of that bug in 2011. We re-evaluate the impact
us to test the very popular “cloud mail” applications for An-
of the command injection, describe concrete exploits and
droid and iOS – and do not require setting up a per-application
their limitations, and introduce a cross-protocol attack, which
test harness. Some tests are semi-automatic because certain
allows hosting HTTPS websites under the certificate of an
classes of issues, i.e., UI spoofing issues, are difficult to detect
affected email server. Similarly, Wietse Venema also noted
automatically but are easily noticed by analysts.
that “A similar plaintext injection flaw may exist in the way
Our test system is configured with test case configurations
SMTP clients handle SMTP-over-TLS server responses” [33]
that precisely define which response is sent to which com-
but assumed that “its impact is less interesting” [33]. No (pub-
mand in a protocol session. The remainder of this section
lic) analysis of this issue was ever conducted. We developed
covers test case creation and explains which assumptions we
a testing approach to find this bug in email clients and show
made to reduce the number of test cases to a manageable
that it allows severe attacks such as mailbox tampering and
amount. In other words, it explains when we send which mes-
even credential stealing (under certain conditions).
sages in a simulated MitM scenario to detect STARTTLS
Similarly, even though two forms of STARTTLS stripping
issues.
attacks were described, several more variants exist. We show
that STARTTLS stripping attacks may be easily overlooked
3.1 Systematization of STARTTLS Issues during testing, and its impact is not always as clear as implied
We define STARTTLS issues as those issues which would not by the protocol standards.
exist if implicit TLS had been used exclusively. Specifically, After the discovery of the PREAUTH issue in the email
we end a test when we can plausibly assume that a session client Trojitá, Jan Kundrát, the author of Trojitá, made the
reached a state equivalent to the initial state it would have correct assessment and concluded that “(plaintext) creden-
reached via implicit TLS. Sessions that do not reach this state, tials will never be transmitted (...) even in presence of this
e.g., because TLS was never negotiated (Negotiation issues) attack” [19]. However, our evaluation shows that this issue
and sessions that negotiated TLS, but whose state is differ- is prevalent, and we demonstrate how to escalate its impact
ent from a session made with implicit TLS (Buffering and to obtain user credentials, too. Interestingly, this is possible
Tampering issues), are candidates for further security analy- using only standard-conforming IMAP features – which were
sis. This notion captures the few STARTTLS-specific issues simply not supported by Trojitá.
described in the standards and provides a basis to identify
novel ones. However, it has an oversight: a client that shows 3.1.3 Novel Issues
“insecure” behavior, e.g., by displaying a spoofed dialogue All other issues discussed throughout this paper are novel.
(UI Spoofing issues), may still reach the implicit TLS state Note, however, that the testing approach we introduce later
and conforms to the above definition. Thus, we also consider in this section also happens to include all well-known issues,
these cases. indicating good coverage of our test approach.
Listing 3: Command Injection: A plaintext command is Listing 4: Response Injection: An encrypted command is
answered with an encrypted response. answered with a plaintext response.
While, in general, this is not a problem and might even be de- 1 S: 220 <text>
sirable for multi-line responses and PIPELINING, it becomes 2 // ^^^ ^^^^^^
3 // A B
a problem when dealing with context switches, where any 4 C: EHLO alice // C
remaining data from the previous phase should not crossover 5 S: 250-example.org
6 // ^^^
into the new phase. 7 // D
Typically, a single session, e.g., an implicit TLS session, 8 .. 250-AUTH PLAIN // E
9 .. 250 STARTTLS // E
has no additional security boundaries where a change from 10 C: STARTTLS // F
unauthenticated to authenticated data occurs. Thus, it is not 11 S: 220 <text>
12 // ^^^ ^^^^^^
required to think about the position of data in a lower layer, 13 // G H
i.e., in TCP segments. However, in STARTTLS, such a con- 14
15 // ------------------ TLS Handshake (I) -------------------
text switch occurs, and trailing data might crossover from 16 // J
the plaintext phase to the encrypted phase, making it indistin- 17 C: EHLO alice // K
18 S: 250-example.org // K
guishable from encrypted data. 19 .. 250 AUTH PLAIN // K
3.4.1 Negotiation Tampering with the Mailbox (TM ) An attacker can tamper
with local mailbox data by sending IMAP’s data responses
STARTTLS Stripping (NS ) STARTTLS stripping issues before STARTTLS. This class of attacks is less likely in
are the most prominent negotiation issues and have been doc- POP3 because – as outlined in our discussion of when to send
umented for more than 20 years. Two variants of STARTTLS messages – a client would be required to request that data
stripping attacks are documented in the standards [2, 14, 29]: first. However, it would need to log in to do so, at which point
removing STARTTLS from the capability list and rejecting an attacker would have access to the credentials regardless.
the STARTTLS command. SMTP does not define “data responses”, which leaves IMAP
for this attack vector.
PREAUTH Bypass (NP ) When a server can pre-
authenticate a client, e.g., because it knows that the connection Session Fixation (S) If any session data set in the plaintext
is already tunneled via some secure connection, it can respond phase is retained after the transition to TLS, it may allow
with a PREAUTH greeting. In this case, both the client and the tampering or information disclosure attacks. For example, in
server must skip authentication and proceed as if the client SMTP, an attacker could include an additional recipient in
already logged in. However, STARTTLS is not allowed after the plaintext phase. When that recipient is not discarded at
a login, which prohibits a standard-conforming client from the beginning of a new client session, the email sent by the
issuing the STARTTLS command. client will leak to that injected recipient. This attack works by
dragging and redirecting the client’s TLS handshake through
Redirects IMAP supports two mechanisms to redirect a the attacker’s socket already established with the server. In
client to another server: login referrals [8] and mailbox re- POP3 and IMAP, an attacker can even replace the whole
ferrals [9]. Login referrals can already be sent in the IMAP victim’s mailbox with their own content when the session is
server greeting and bypass STARTTLS security altogether. retained throughout the negotiation of TLS.
Mailbox referrals are sent as an answer to the SELECT com-
mand to redirect a client to a “remote mailbox”. At first glance, 3.4.4 UI Spoofing
mailbox referrals are not useful for an attacker because a
client should not select a mailbox before STARTTLS. How- A descriptive example of an IMAP ALERT is shown in Fig-
ever, mailbox referrals can be combined with other issues to ure 1. Outlook shows a prominent dialog and also places
escalate their overall impact (NR ). IMAP alerts into the inbox. POP3 provides a similar mecha-
nism based on response codes.
Built-in error mechanisms, i.e., those which use the status
of a response and the human-readable text, were covered
by testing all positive and negative responses with a unique
string as human-readable text (UE ). IMAP’s ALERT or POP3’s configuration. In this case, we used port 587 for submission,
SYS/PERM code were covered by extracting all standardized 110 for POP3, and 143 for IMAP.
codes from the relevant standards (UA ). Furthermore, we set up our test clients using virtual ma-
chines (based on QEMU) with automatic snapshot resets be-
tween tests and automatic triggers for mail retrieval/sending.
4 Execution of Test Cases
In this way, EAST supports semi-automatic testing of email
clients.7
4.1 Client Testing
Client Selection We selected email clients from all major 4.2 Server Testing
platforms and used popularity rankings if available. On An-
droid, we queried the Google Play Store for Download counts Scanning We used ZGrab2 [27] to scan the Internet for
on March 25th, 2020, and selected the ten most downloaded IPv4-based mail service providers to identify servers vulner-
email clients. From this list, we excluded Yahoo Mail be- able to the command injection. Because the session fixation
cause it fetches emails only via HTTPS. We included the requires a valid user account per server, we could not scan
Android OpenSource Project Mail App (via LineageOS), usu- for this issue. We followed best practices for internet scan-
ally bundled with custom ROMs. For iOS, we selected apps ning and included servers (and networks) in a blocklist when
that support either IMAP, SMTP, or POP3 from the 200 most their operators requested it. Furthermore, we also published
popular free productivity apps from the iTunes store on July a reverse DNS entry and hosted a webpage with informa-
10th, 2020. Cloud Mail apps were not explicitly selected but tion about the scans. Except for the command injection itself,
are included due to their popularity. For Linux, we visited we did not violate the protocols. We executed a single scan
media sites presenting top lists of Linux clients and excluded per protocol and appended a non-malicious command to the
clients not available via NixOS – a Linux distribution we used STARTTLS command. To minimize false negatives, we sent
for reproducible client installations. We also tried to include an additional command via TLS to complete possibly blocking
popular command-line applications and a (perceived) popular read calls. If we received a response to our injected command,
utility, i.e., OfflineIMAP. On Windows, we only included Mi- we considered the server to be vulnerable. Answering with an
crosoft Outlook 2019 due to its popularity. However, many encrypted response to a plaintext command is always a sign
Linux Clients also work cross-platform on Windows, and we of misbehavior. Thus, this test does not yield false positives.
assume that the results on both platforms are identical.6 Note We employed a basic keyphrase- and protocol-based clus-
that popularity rankings from Google Play and the Apple tering approach to identify specific server software in our
Store use geolocation to target a specific region. Our selection scan results. For this, we identified specific keywords (e.g.,
is thus likely biased towards western culture. the name of the software) and phrases (e.g., a specific help
message) and used them to classify results. Additionally, we
Client Test Execution We developed a custom mail server classified the remaining servers by comparing the protocol
included in the EAST toolkit for client tests, which supports flow exhibited (e.g., response codes in SMTP).
STARTTLS, SMTP, POP3, and IMAP and can be configured
to execute precise message flows. The server can also sim- Server Selection We tested mail servers available freely or
ulate a benign email server to unify the setup of clients and on a trial basis for the command injection vulnerability and
sidestep the setup of a real email environment such as Post- the session fixation. Mainly, we selected these servers based
fix and Dovecot. During the evaluation, we restricted our on a rough identification of popular servers found during our
modifications to those an attacker can perform in reality. For scans (vulnerable and non-vulnerable).
example, we did not modify data that is normally protected
by TLS. This setup turned out to be a very useful abstraction Server Test Execution We developed a tool – part of the
to perform stable MitM attacks against email clients. EAST toolkit – to identify the command injection vulnera-
bility in SMTP, POP3, and IMAP for local server tests. We
Configuration of Email Clients for Testing We config- set up all tested servers in local installations when possible
ured every email client to use the most secure STARTTLS and performed tests against some live installations with the
variant with strict certificate checking. All tests were con- owner’s explicit permission.
ducted after a client’s “setup wizard“ or after manual configu-
ration and an additional restart. We did not change TCP port 5 Client Attacks
numbers manually, except when the client needed manual
All attacks described in this section were conducted end-to-
end. We also show how multiple issues can be combined to
6 Even though the TLS provider might differ, we did not find a plausible
explanation why the STARTTLS implementations should be different. 7 We could not automate testing for Cloud Mail and iOS.
1 S: * OK [CAPABILITY IMAP4REV1 STARTTLS] 1 S: * PREAUTH
2 // ... 2 C: A SELECT INBOX
3 3 // ...
4 C: X APPEND "Sent" (\SEEN) {676} 4 C: X APPEND "Sent" (\SEEN) {676}
5 .. From: ... 5 .. From: ...
6 .. To: ... 6 .. To: ...
7 .. 7 ..
8 .. Hello, ... 8 .. Hello, ...
9 S: X OK 9 S: X OK
Listing 7: Bypassing STARTTLS with a well-known Listing 8: Blocking the STARTTLS transition with a PREAUTH
STARTTLS stripping attack. greeting.
escalate their impact. 1 // 1) The attacker hijacked the connection to example.org ...
2 S: * PREAUTH
3 C: A SELECT Inbox
5.1 Negotiation 4
5
//
S:
... and redirects client to attacker.com.
A NO [REFERRAL IMAP://attacker.com]
6
STARTTLS Stripping (NS ) Typically, when a client is af- 7 // ----------------------------------------------------
fected by classic STARTTLS stripping, user credentials will 8
9 // 2) The client connects to attacker.com ...
be sent via plaintext. However, there are more subtle forms 10 S: * OK
of STARTTLS stripping, where the client does not leak user 11 C: A STARTTLS
12 S: A OK
credentials but uploads drafted and sent emails in plaintext 13 // ------------------ TLS Handshake -------------------
(Listing 7). 14 // ... and discloses the user’s password to the attacker.
15 C: B LOGIN "username" "password"
16 // ...
PREAUTH STARTTLS Blocking (NP ) In Listing 8, an
Listing 9: Bypassing STARTTLS with a PREAUTH greeting
attacker bypassed STARTTLS by sending the PREAUTH com-
and escalation from mailbox tampering to stealing of
mand (line 1). This is easy to see because the client did not
credentials.
terminate the connection but proceeded to SELECT the inbox
(line 2). At this point, an attacker already has full control
over the client and merely needs to mimic a benign IMAP 5.3 UI Spoofing
server to tamper with the client’s mailbox data. If the client IMAP Alerts (UA ) IMAP alerts, as previously described,
synchronizes draft emails and sent emails, sensitive data is are a prime opportunity for UI spoofing. Since they can be sent
leaked (lines 4 to 8). However, because PREAUTH signals to at any point in an IMAP connection, any client that displays
the MUA that it is already authenticated, it does not directly them in the plaintext phase is vulnerable to UI spoofing.
lead to the exposure of user credentials.
Error Messages (UE ) Additionally, all protocols can show
Malicious Redirects (NR ) Mailbox referrals are useful error messages that can be sent in response to any command.
when combined with a PREAUTH greeting. When an attacker If these are displayed in the plaintext phase, UI spoofing is
could bypass STARTTLS security with the PREAUTH greet- also possible.
ing, they can further escalate the issue by answering with a
redirect to the client’s SELECT command (Listing 9, line 5).
This indicates to the client that the selected mailbox is only 5.4 Buffering
available on another server. Because the attacker can also Response Injection (BR ) The response injection’s impact
choose the domain, they can use a server for which they have is limited in SMTP because the exchanged data is short-lived
a valid X.509 certificate. If the client follows this referral, it and neither saved nor displayed to the user. However, POP3
immediately leaks user credentials to the attacker (line 13). and IMAP incorporate session data into local archives, and
the response injection can be used to tamper with local mail
5.2 Tampering archives. The attack is also easy to execute because the se-
quence of commands issued by a client is predictable.8 Fur-
Tampering with the Mailbox (TM ) IMAP’s untagged data thermore, the response injection can again be combined with
responses lead to changes in the mailbox, which can be used referrals to obtain user credentials.
for tampering attacks, e.g., placing new messages or folders
into the user’s mailbox. These changes can even lead to a
permanently corrupted local state.
SMTP
SMTP
SMTP
SMTP
IMAP
IMAP
IMAP
IMAP
POP3
POP3
POP3
POP3
Client
Android (Google Play)
Gmail (8.5.6.199637500) X X NS X X X X X X X X X
Gmail Go (8.5.6.197464524) X X NS X X X X X X X X X
Samsung Email (6.1.12.1) X X NS X X X X X X X X X
K-9 Mail (5.710) X X X X X X X X X #UE X X
LineageOS email (9) X X X X X X X X X X X X
Apple iOS (App Store)
iOS Mail (iOS 13.5.1) X X NP G
#BR G
#BR G
#BR X X X X X X
Gmail (6.0.200614) X ∅ X G
#BR ∅ G
#BR X X X X ∅ X
Edison Mail (1.20.8) X ∅ TLS G
#BR ∅ TLS X X TLS X ∅ TLS
Windows
Outlook (16.0.13001.20338) X TLS X X TLS #BR X TLS X #UE TLS #UA ,UE
Apple macOS
Mail (3608.80.23.2.2) X X X G
#BR G
#BR G
#BR X X X X X X
Linux (tested on NixOS)
Balsa (2.5.9-1) X X #C 1 X X X X X #C X #UE #UA
Evolution (3.34.4) X X X G
#BR G
#BR X X X G
#TM X X #UA
Geary (3.34.2) X ∅ X X ∅ X X ∅ X X ∅ X
KMail (19.12.3) NS
2 X X G
#BR G
#BR X X X X X X X
Cross-platform (tested on NixOS)
Thunderbird (68.7.0) X #NS 1 NP X X G
#BR X X G
#TM X X #UA
Trojita (0.7.20190618) X ∅ X X ∅ G
#BR X ∅ G
#TM X X #UA
Claws (3.17.4) X X X G
#BR G
#BR G
#BR X X X X X #UA
Sylpheed (3.7.0) X X NS G
#BR G
#BR X X X X X X #UA
Alpine (2.21) X X NP ,NR X X X X X G
#TM ,C X #UE #UA
Mutt (1.13.3) X X NP G
#BR G
#BR G
#BR X X X X #UE X
NeoMutt (20200417) X X NP G
#BR G
#BR G
#BR X X X X #UE X
OfflineIMAP (7.3.2) ∅ ∅ NS
3 ∅ ∅ X ∅ ∅ X ∅ ∅ X
Cloud Mail (Android & iOS)
Outlook X TLS X X TLS X X X X X TLS X
Yandex.Mail X ∅ X G
#BR ∅ G
#BR X X X X ∅ TLS
GMX Mail Collector ∅ NS NS ∅ X X X X X X X X
Mail.ru NS ∅ TLS G
#BR ∅ TLS X X X X ∅ TLS
myMail NS ∅ TLS G
#BR ∅ TLS X X X X ∅ TLS
Email App for Gmail NS ∅ TLS G
#BR ∅ TLS X X X X ∅ TLS
Table 1: Results of our STARTTLS tests against 28 email clients. We treated the backend of Cloud Mail apps as a single client,
because the results were the same on every platform and we concluded that the backend is independent of the mobile app.
6 cloud mail apps were affected by STARTTLS stripping (NS ). Command Session
However, due to the very similar testing outcomes, we assume Injection Fixation
that Mail.ru, myMail, and Email App for Gmail use the same
SMTP
SMTP
IMAP
IMAP
POP3
POP3
code base. KMail only allowed STARTTLS stripping when
no user authentication for SMTP is configured. We could not Product
determine if Sylpheed is meant to be opportunistic because Citadel (929) #
G
we did not receive an answer to our bug report. OfflineIMAP Courier (1.0.14) X G
# X G
# X
states in its documentation that “No verification [of certifi- Exchange (2016) X X X X X X
cates] happens if connecting via STARTTLS” [1]. Thus, we Gordano GMS12 (20.06) X – – –
assume it was opportunistic by intent. IceWarp (Deep Castle 2) X X X G
# X X
Evolution, Thunderbird, Trojitá, and Alpine accepted IPswitch IMail (12.5.8) G
# X X G
#
IMAP’s untagged responses and incorporated them into the Kerio Connect (9.2.12) G
# X X X X X
MailEnable (10.30) X X X G
# X X
local state even without STARTTLS. Furthermore, Alpine
MailMarshal13 (10.0.1.203) G
# X X X X X
crashed due to two specific untagged responses (LIST and
MDaemon (20.0.3) X X X G
# G
# X
EXISTS). In Alpine, we could also combine PREAUTH and SmarterMail (100.0.7503) X X X X X
mailbox referrals to steal user credentials too. Zimbra (8.8.15) X G
# G
# X G
# X
The response injection vulnerability (BR ) was present in 17 Exim (4.94#2) X ∅ ∅ X ∅ ∅
of 28 clients in at least one protocol. The implementation of netqmail (1.0614 ) G
# ∅ ∅ G
# ∅ ∅
STARTTLS seems to differ between protocols in Evolution, Postfix (3.5.4) G
# ∅ ∅ X ∅ ∅
Sylpheed, Thunderbird, and Outlook, making them vulnera- Qmail Toaster (1.4.1) ∅ ∅ – ∅ ∅
ble in only a single protocol. For the remaining vulnerable Qmail Toaster (1.03-3.3.1) X ∅ ∅ X ∅ ∅
clients, it was a generic issue. According to the website of the Sendmail (8.16.1) X ∅ ∅ – ∅ ∅
LibEtPan [3] mail framework, it is used in almost all email spamdyke (5.0.1) G
# ∅ ∅ X ∅ ∅
apps on iOS and Mac. Because our measurement showed that s/qmail (4.0.7) ∅ ∅ X ∅ ∅
Cyrus IMAP (3.2.2) ∅ G
# G
# ∅ G
# X
all Apple clients are affected by that bug, we find it likely that
Dovecot (2.3.10.1) X X ∅ G
# X
this is due to this library, and multiple more clients on these Mercury/32 (4.80.149) ∅ G
# X
platforms could be affected.
the MAIL TO address. 15 Victor Duchovni made a similar observation in 2011 [33].
Protocol (Port) Scanned Vulnerable Ratio 8 Mitigation
SMTP (25) 5, 521, 868 97, 697 1.8%
Mail clients should make implicit TLS the default, and users
SMTP (587) 4, 200, 995 58, 793 1.4%
who can either use STARTTLS or implicit TLS should use
SMTP (per IPv4) 7.278, 279 111, 599 1.5% the latter. Mail service providers should always offer implicit
POP3 (110) 4, 285, 730 110, 882 2.6% TLS and evaluate, as a long-term measure, strategies to disable
IMAP (143) 4, 165, 826 98.773 2.4% STARTTLS. While we believe that this is the best way for-
Total 15, 729, 835 321, 254 2.0% ward, we recognize that security mitigations are still required.
Most notably, STARTTLS is currently the only standardized
Table 3: Results of our scan for the command injection vulner- option for encryption in message relaying. Even though relay-
ability. We report the results for SMTP per port and grouped ing is still opportunistic, DANE [5] and MTA-STS [22] try
by IP address to prevent counting the same server twice. to rectify that, and flaws in STARTTLS must not undermine
this effort.
environment due to its age, increasing the share of old and Isolating the Plaintext Phase Due to the many places
unmaintained servers. In general, the number of vulnerable where plaintext data might potentially be processed or
servers is surprisingly high, considering that the command buffered, it might be easier to introduce a separate STARTTLS
injection in SMTP was first published in 2011 [33]. To get routine, with the single goal to transition a given socket to
more insights into the results, we performed a keyword-based the point where the TLS handshake would start. This rou-
clustering of the vulnerable servers (Table 4). tine would have a stack-allocated local protocol buffer and no
The largest fraction of vulnerable IMAP servers is Courier other application state (except the socket). All other routines
servers. Since we found a bug report for this from 2013 [13], would work as if implicit TLS was used. Due to this strict
we assume that these are mainly old versions. Sadly we could separation, implementors may wonder about the interaction
not get a detailed overview of Courier versions newer than of pipelining and STARTTLS. However, the standards explic-
2011 since the copyright notice seems to have been updated itly state that further commands before the transition are not
inconsistently. However, we also identified many smaller clus- allowed. Additionally, since the client needs to wait for the
ters of vulnerable servers and retested them locally (Table 2). server’s acknowledgment of the STARTTLS command, the
For SMTP, most vulnerable servers were derivatives of qmail. CLIENT_HELLO should not be pipelined. The same is true for
While netqmail is easily distinguishable from standard qmail, the SERVER_HELLO due to the TLS protocol flow.
other derivatives are not.
Additionally, we identified a large cluster (more than 10, 000
Fixing Buffering Issues Server and client implementations
servers) of Postfix installations. Assuming that this bug was
must not interpret content sent in plain text as part of an en-
fixed in 2011 in both netqmail and Postfix, we concluded that
crypted connection. If the plaintext phase can not be isolated
this must be either a broad set of old setups or these servers
such that a separate buffer is used, the read buffer should be
are behind vulnerable mail gateways, which we could not
cleared when initiating the TLS handshake after a STARTTLS
identify. Another large cluster of vulnerable SMTP servers
command. Alternatively, the additional content can be inter-
(more than 30, 000) were recvmail servers. We identified that
preted as a part of the TLS handshake (which will lead to a
this is a custom SMTP server used by the Internet backbone
termination of the handshake). A third alternative is to pre-
provider Hurricane electric. CoreMail servers showed up as
cautionary clear the application buffer (and all other buffers)
vulnerable in all protocols. This is notable because CoreMail
after the TLS handshake.
claims to have more than 1 billion users, providing cloud
services, an Anti-Spam solution, and mail servers.
To estimate these vulnerabilities’ real-world impact, we Streamlining Negotiation Our analysis shows that if an
cross-reference our results with the Tranco Top Million SMTP or POP3 client never issues a command asking for
list [21].16 We found that 3.3% of the MX servers of these information, an attacker is unlikely to change any client state
websites are vulnerable to the command injection in SMTP – because the response will not even be parsed correctly. More
a percentage that is more than twice as high as on the Internet. specifically, when a client never asks for a server’s capabilities,
We also specifically looked at the most used MX servers of the an attacker is unlikely to execute STARTTLS stripping attacks.
top websites. One mail provider – Yandex, which is used for Therefore, the negotiation process should be streamlined such
the MX of around 2 percent of the one million most popular that a client issues the STARTTLS command as the first and
websites – was vulnerable to the command injection. only command. This can be done in a standard-conforming
way for POP3 and IMAP. In SMTP, the EHLO command should
be the first issued command as some servers require it. Here,
EHLO could still be sent, but the answer should be discarded.
16 https://tranco-list.eu/list/8KKV
IMAP POP3 SMTP (25) SMTP (587)
Server Ratio Server Ratio Server Ratio Server Ratio
Courier (≤ 2011) 84.00% Courier 82.79% netqmail 25.04% Recvmail 28.71%
Courier (> 2011) 3.53% SmarterMail 5.36% qmail 21.12% qmail 24.66%
Coremail (unknown) 2.12% Coremail 2.32% Recvmail 17.00% netqmail 23.81%
Mdaemon (≤ 13.0.3) 1.10% Zimbra 1.71% Postfix 11.67% Postfix 6.94%
Cyrus (≤ 2.4.17) 1.08% IceWarp/Merak 1.12% Coremail 2.41% Kerio Connect 2.48%
Kerio Connect (< 7.1.4) 1.00% Kerio Connect 2.20% Exim 2.41%
Exim 1.27%
IceWarp/Merak 1.24%
Unidentified 1.68% Unidentified 2.98% Unidentified 10.78% Unidentified 6.25%
Various 5.49% Various 3.72% Various 7.27% Various 4.74%
Table 4: Rough clustering of vulnerable servers during scans, by protocol. IMAP Server versions are a best-effort deduction from
greetings and information sent during scans. Servers grouped under various were present less than one percent each.
Six of the tested clients already behave this way, suggesting 10 Discussion
that this behavior does not lead to incompatibilities in the
wild. The analysis shows that IMAP is particularly affected by
STARTTLS vulnerabilities, and there are two main reasons for
that. IMAP’s communication model (untagged responses) and
9 Related Work unified parsing allow attackers to send unsolicited responses
at any time, and the client is likely to accept it. This is different
Even though STARTTLS adds attack surface to the TLS
in SMTP and POP3 because the client only accepts a limited
protocol usage, it is by no means protected against known
set of responses according to the commands it sent.
attacks against TLS. While significant academic research on
Furthermore, the extensive functionality and large number
TLS exists, surprisingly little has been written on STARTTLS.
of IMAP extensions make it more likely that some of them
In 2015, Durumeric et al. [6] published a report on the
conflict with the requirements of STARTTLS. The PREAUTH
global adoption rate of SMTP security, including STARTTLS,
greeting and login referrals are good examples. Those clients
SPF, DKIM, and DMARC. The report is based on scans of the
not affected by this issue closed the connection directly or,
SMTP server configuration of the Alex Top Million domains
in violation of the protocol, still issued the STARTTLS com-
and data on Gmail’s SMTP connections over a year. They
mand. Surprisingly, this makes clients striving for protocol
found that only a little over half of the scanned SMTP servers
correctness more likely to be affected by the PREAUTH issue.
could successfully perform a STARTTLS handshake and that
Even though the login referrals extension predates the intro-
more than 426 Autonomous Systems performed STARTTLS
duction of STARTTLS, its potential to bypass the security
stripping on customers’ connections. This highlights inher-
of STARTTLS is not documented. Fortunately, only a few
ent problems with the use of STARTTLS in MTA-to-MTA
clients support login referrals, but for example, Thunderbird
connections. However, Durumeric et al. do not focus on the
has an open feature request for login referrals from 200417 .
usage of STARTTLS in MUA-to-MSA connections.
Each of the several dozen IMAP extensions has the potential
Holz et al. [15] conducted active scans and passive monitor-
to add a STARTTLS bypass. In order to combine STARTTLS
ing to learn which authentication mechanisms, X.509 certifi-
and IMAP, it would be necessary to analyze each extension. A
cates, and TLS cipher suites are advertised and used by clients
more comfortable and safer approach would be to discourage
and servers for electronic communication. Specifically, they
STARTTLS support for IMAP.
reported that many clients and servers fall back to unencrypted
We believe that the large number of servers and clients
connections should STARTTLS not be available.
affected by the buffering vulnerabilities arises from any naïve
In 2016, Mayer et al. [23] published data on their IPv4-
implementation of STARTTLS. Preventing the vulnerability
wide scans of email ports, focusing on the security of the
requires additional code to clear the receive buffer explicitly
negotiated TLS connection – i.e., supported cipher suites,
after the transition to STARTTLS. While the command injec-
cryptographic primitives, key exchange parameters, and TLS
tion was first described in 2011, the response injection was
certificates – as well as the support for plaintext authenti-
unknown. We assume that this vulnerability did not get the
cation – i.e., the availability of STARTTLS and the AUTH
deserved attention due to missing practical attack scenarios.
PLAIN and LOGINDISABLED capabilities. They found that
Our experiences in disclosure support this: although some
a sizable number of email servers did not correctly enforce
non-plaintext authentication for MUAs. 17 https://bugzilla.mozilla.org/show_bug.cgi?id=59704
developers knew of this vulnerability, they assumed it to be We discovered several flaws in major email client and
relatively low impact or non-exploitable. When presented server implementations. Both the PREAUTH and the client
with a functional exploit, most fixed the vulnerability swiftly. response injection affected Mozilla Thunderbird and Apple
We also like to point out that STARTTLS makes benign Mail. The STARTTLS stripping flaw was present in several
issues more critical. Although accepting IMAP responses major clients, including the Gmail Android app. The com-
in not well-defined states hints to implementation problems, mand injection, know since 2011, was possible on large mail
they are not critical for security during a benign session with servers by major mail providers like Yandex and GMX. Our
a server. Similarly, even though memory corruption issues scans reveal that of all publicly available SMTP, POP3, and
may crash a client, they are unlikely to be sent with malicious IMAP servers, 320, 000 are vulnerable to command injection
intent by a benign server. STARTTLS makes both of these attacks. Out of 22 tested email servers, 15 are vulnerable to
issues critical for security, and implicit TLS mitigates them the command injection or had this vulnerability in the past.
in our attacker scenario. In summary, we conclude that STARTTLS has systemic
Our investigation primarily focused on the security proper- problems that lead to implementation flaws, that STARTTLS
ties of STARTTLS. However, it is evident that STARTTLS is insufficiently specified, that STARTTLS has no security
also has performance implications because transitioning from advantage over implicit TLS connections, and is slower than
STARTTLS to implicit TLS removes two round trips from implicit TLS due to additional round trips. Therefore, we
any new connection. There has been considerable effort to recommend using implicit TLS and deactivate STARTTLS
reduce the round trips in TLS connections during the stan- for email submission and retrieval whenever feasible.
dardization of TLS 1.3. Therefore, we find it noteworthy to
consider the performance impact STARTTLS implies. Acknowledgments The authors thank Marcus Brinkmann
During disclosure, we experienced that some client ven- for his tireless support, feedback, and editing towards the sub-
dors were struggling to reproduce findings. For the more mission of this paper. Additionally, we thank the German
complex cases, i.e., the response injection, we provided our BSI CERT for assistance in international disclosure. We also
server code and received very positive responses. Given that thank our shepherd Ben Stock for his exceptional support for
simple test cases could have uncovered many issues, we cer- this paper. Fabian Ising was supported by a graduate schol-
tainly think there is a demand for robust email security tooling. arship of Münster University of Applied Sciences and the
Our approach to focus on easy-to-setup network-only tests research project “MITSicherheit.NRW” funded by the Euro-
may further contribute to the execution of more such tests. pean Regional Development Fund North Rhine-Westphalia
(EFRE.NRW).
11 Conclusion
References
We performed the first systematic, thorough analysis of
STARTTLS implementation vulnerabilities. In 2011 it was [1] Multiple Contributors. Does offlineimap verify
first shown that Postfix was vulnerable to a STARTTLS buffer- ssl certificates? http://www.offlineimap.org/
ing bug that allowed command injection. Subsequently, the doc/FAQ.html#does-offlineimap-verify-ssl-
same type of bug was found in various mail servers and other certificates, June 2017.
server software. Our research shows that even though this bug
has been known for a decade, it is still widely prevalent in [2] M. Crispin. Internet message access protocol - version
email servers. It also shows that a novel adaption of this bug 4rev1, March 2003. RFC3501.
type is present in many email client applications.
[3] Hoà V. Dinh. Libetpan. https://www.etpan.org/
Our research also shows that inconsistencies in the stan-
libetpan.html. Accessed: 2020-10-10.
dard and incompatibilities between certain IMAP features,
particularly PREAUTH, unsolicited responses, and referrals, [4] Dirk Wetter. testssl.sh. https://testssl.sh.
allow further attacks. The interaction of STARTTLS and any Accessed: 2021-02-04.
new (and existing) features must be carefully evaluated to
ensure that STARTTLS bypasses will not appear. [5] V. Dukhovni and W. Hardaker. The dns-based authenti-
The STARTTLS vulnerabilities can be used for critical at- cation of named entities (dane) protocol: Updates and
tacks such as credential stealing that allow attackers to take operational guidance, October 2015. RFC7671.
control over the victim’s mailbox. We showed how server-side
[6] Zakir Durumeric, David Adrian, Ariana Mirian, James
command injection flaws can be used to steal credentials in
Kasten, Elie Bursztein, Nicolas Lidzborski, Kurt
SMTP and IMAP connections using STARTTLS. A combi-
Thomas, Vijay Eranti, Michael Bailey, and J Alex Hal-
nation of the PREAUTH functionality and referrals in clients
derman. Neither snow nor rain nor mitm... an empirical
can also be used for credential stealing.
analysis of email delivery security. In Proceedings of the
2015 Internet Measurement Conference, pages 27–39, [20] J. Klensin. Simple mail transfer protocol, October 2008.
2015. RFC5321.
[7] N. Freed. Smtp service extension for command pipelin- [21] Victor Le Pochat, Tom Van Goethem, Samaneh Tajal-
ing, September 2000. RFC2920. izadehkhoob, Maciej Korczyński, and Wouter Joosen.
Tranco: A research-oriented top sites ranking hardened
[8] M. Gahrns. Imap4 login referrals, October 1997. against manipulation. In Proceedings of the 26th Annual
RFC2221. Network and Distributed System Security Symposium,
[9] M. Gahrns. Imap4 mailbox referrals, September 1997. NDSS 2019, February 2019.
RFC2193. [22] D. Margolis, M. Risher, B. Ramakrishnan, A. Brotman,
[10] R. Gellens and J. Klensin. Message submission, Decem- and J. Jones. Smtp mta strict transport security (mta-sts),
ber 1998. RFC2476. September 2018. RFC8461.
[11] R. Gellens and J. Klensin. Message submission for mail, [23] W. Mayer, A. Zauner, M. Schmiedecker, and M. Huber.
November 2011. RFC6409. No need for black chambers: Testing tls in the e-mail
ecosystem at large. In 2016 11th International Confer-
[12] R. Gellens, C. Newman, and L. Lundblade. Pop3 exten- ence on Availability, Reliability and Security (ARES),
sion mechanism, November 1998. RFC2449. pages 10–20, 2016.
[13] Fernando Gozalo. Ubuntu bugs: pop3 [24] A. Melnikov and B. Leiba. Internet Message Access Pro-
and imap tls plaintext command injection. tocol (IMAP) - Version 4rev2. https://tools.ietf.
https://sourceforge.net/p/courier/mailman/ org/html/draft-ietf-extra-imap4rev2-25, Jan-
courier-imap/thread/525D3389.4080507%40csi. uary 2021. draft-ietf-extra-imap4rev2-25.
uned.es/#msg31522221, October 2013.
[25] K. Moore and C. Newman. Cleartext considered ob-
[14] P. Hoffman. Smtp service extension for secure smtp solete: Use of transport layer security (tls) for email
over transport layer security, February 2002. RFC3207. submission and access, January 2018. RFC8314.
[15] Ralph Holz, Johanna Amann, Olivier Mehani, Mo- [26] Multiple Contributors. TLS-Scanner. https:
hamed Ali Kâafar, and Matthias Wachs. TLS in the wild: //github.com/RUB-NDS/TLS-Scanner. Accessed:
An internet-wide analysis of tls-based protocols for elec- 2020-06-01.
tronic communication. In 23rd Annual Network and
Distributed System Security Symposium, NDSS 2016, [27] Multiple Contributors. ZGrab 2.0 – Fast Go Appli-
San Diego, California, USA, February 21-24, 2016. The cation Scanner. https://github.com/zmap/zgrab2.
Internet Society, 2016. Accessed: 2020-05-10.
[16] Internet Assigned Numbers Authority (IANA). Post [28] J. Myers and M. Rose. Post office protocol - version 3,
Office Protocol version 3 (POP3) Extension Mechanism. May 1996. RFC1939.
https://www.iana.org/assignments/pop3-
[29] C. Newman. Using tls with imap, pop3 and acap, June
extension-mechanism/pop3-extension-
1999. RFC2595.
mechanism.xhtml, March 2013.
[17] Internet Assigned Numbers Authority (IANA). Internet [30] Marsh Ray and Steve Dispensa. Renegotiating
Message Access Protocol (IMAP) Capabilities Reg- tls. https://kryptera.se/Renegotiating%20TLS.
istry. https://www.iana.org/assignments/imap- pdf, November 2009.
capabilities/imap-capabilities.xhtml, June [31] J.K. Reynolds. Post office protocol, October 1984.
2020. RFC0918.
[18] Internet Assigned Numbers Authority (IANA). MAIL [32] Y. Sheffer, R. Holz, and P. Saint-Andre. Summarizing
Parameters. https://www.iana.org/assignments/ known attacks on transport layer security (tls) and data-
mail-parameters/mail-parameters.txt, February gram tls (dtls), February 2015. RFC7457.
2020.
[33] Wietse Venema. Plaintext command injection in
[19] Jan Kundrát. Trojita 0.4.1, a security update for multiple implementations of STARTTLS (CVE-2011-
CVE-2014-2567. http://jkt.flaska.net/blog/ 0411). http://www.postfix.org/CVE-2011-0411.
Trojita_0_4_1__a_security_update_for_CVE_ html, March 2011. Accessed: 2020-06-01.
2014_2567.html, March 2014.
A Additional Findings TLS. Thus, our assumption that certificate checking is less
strict when STARTTLS is used does not hold.
A.1 Tampering and Sanitization Issues
Client SMTP POP3 IMAP
Android (Google Play)
1 S: * OK
2 .. * LIST () "/" "Click me! <Payload>" Gmail (8.5.6.199637500) X X X
3 C: A STARTTLS Gmail Go (8.5.6.197464524) X X X
4 // ... Samsung Email (6.1.12.1) X X X
K-9 Mail (5.710) X X X
LineageOS email (9) X X X
Apple iOS (App Store)
iOS Mail (iOS 13.5.1) X X X
Gmail (6.0.200614) X ∅ X
Edison Mail (1.20.8) X ∅ TLS