========================================================================
CVE-2020-MAUTH -- New-line injection into spool header file (remote)
========================================================================

An authenticated SMTP client can add an AUTH= parameter to the MAIL FROM
command. This AUTH= parameter is decoded by auth_xtextdecode():

          case ENV_MAIL_OPT_AUTH:
            if (Ustrcmp(value, "<>") != 0)
....
              if (auth_xtextdecode(value, &authenticated_sender) < 0)

and the resulting authenticated_sender is written to the spool header
file without encoding or escaping:

if (authenticated_sender)
  fprintf(fp, "-auth_sender %s\n", authenticated_sender);

Unfortunately, authenticated_sender can contain arbitrary characters,
because auth_xtextdecode() translates hexadecimal +XY sequences into
equivalent characters (for example, +0A into '\n'): an authenticated
remote attacker can inject new lines into the spool header file and
execute arbitrary commands, as root.

AUTH PLAIN AHVzZXJuYW1lAG15c2VjcmV0
235 Authentication succeeded
MAIL FROM:<> AUTH=hello+0Aworld
250 OK
RCPT TO:postmaster
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
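The root cause above is that auth_xtextdecode() happily turns +0A into a raw '\n' that is then written verbatim into the spool header. The following is an added example (not Exim's code and not its actual fix) of a strict xtext decoder that refuses any decoded or literal byte outside printable ASCII, so the AUTH=hello+0Aworld value from the transcript is rejected before it can reach fprintf(); the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decode an RFC 3461 xtext string into out (capacity outlen).
 * Returns the decoded length, or -1 if the input is malformed or if the
 * decoded text contains a byte that must never reach a line-oriented
 * spool header: anything outside printable ASCII 0x21..0x7E, which
 * covers '\n', '\r', '\0' and spaces.  Hypothetical hardened decoder. */
int xtext_decode_strict(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    while (*in) {
        unsigned char c = (unsigned char)*in++;
        if (c == '+') {
            /* '+' must be followed by exactly two hex digits (e.g. "+0A") */
            if (!isxdigit((unsigned char)in[0]) || !isxdigit((unsigned char)in[1]))
                return -1;
            unsigned v;
            if (sscanf(in, "%2x", &v) != 1)
                return -1;
            in += 2;
            c = (unsigned char)v;
        }
        /* Reject control and non-ASCII bytes, whether literal or +XY-encoded */
        if (c < 0x21 || c > 0x7E)
            return -1;
        if (n + 1 >= outlen)
            return -1;               /* no room for the byte plus terminator */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper: 1 if in decodes strictly to expected, else 0 */
int decodes_to(const char *in, const char *expected)
{
    char buf[256];
    int n = xtext_decode_strict(in, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *samples[] = { "hello+2Bworld", "hello+0Aworld", "user@example.org" };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = xtext_decode_strict(samples[i], buf, sizeof buf);
        printf("%-18s -> %s\n", samples[i], n < 0 ? "REJECTED" : buf);
    }
    return 0;
}
```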

This vulnerability is particularly problematic for Internet service
providers and mail providers that deploy Exim and offer mail accounts
but not shell accounts. It is also problematic when combined with an
authentication bypass such as CVE-2020-12783, discovered by Orange Tsai
in May 2020 (https://bugs.exim.org/show_bug.cgi?id=2571).

Our exploit for CVE-2020-MAUTH is essentially the same as our exploit
for CVE-2020-NLEND. The main difference is that Exim's ACLs limit the
length of our header lines to 998 characters. However, this limit can be
easily bypassed by splitting long header lines into 990-character lines
separated by "\n " (i.e., continuation lines).

We can also transform CVE-2020-MAUTH into an information disclosure:

- First, we inject an arbitrary recipient line into the spool header
  file: an arbitrary recipient address (for example, attacker@fake.com)
  and an errors_to string that is read out-of-bounds (the same technique
  as for CVE-2020-NLEND).

- Next, we wait for Exim to connect to our own mail server, fake.com's
  MX (we use https://github.com/iphelix/dnschef to set up a quick and
  easy DNS server).

- Last, we retrieve the out-of-bounds errors_to string from Exim's MAIL
  FROM command (which, in this example, contains a fragment of
  /etc/passwd):

