Mailsploit: It's 2017, and you can spoof the 'from' in email to fool filters

Message client vendors have had 25 years to get RFC 1342 right

Penetration tester Sabri Haddouche has reintroduced the world to email source spoofing, bypassing spam filters and protections like Domain-based Message Authentication, Reporting and Conformance (DMARC), thereby posing a risk to anyone running a vulnerable and unpatched mail client.

What he's found is that more than 30 mail clients including Apple Mail, Thunderbird, various Windows clients, Yahoo! Mail, ProtonMail and more bungled their implementation of an ancient RFC, letting an attacker trick the software into displaying a spoofed from field, even though what the server sees is the real sender.

That means if the server is configured to use DMARC, Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), it will treat a message as legit, even if it should be spam-binned.

The RFC in question is RFC 1342, “Representation of Non-ASCII Text in Internet Message Headers”, and the implementation error Haddouche found was that mail clients and Web mail interfaces don't properly sanitise a non-ASCII string after they decode it.

The encoded text, Haddouche wrote, can be embedded in either of two forms: =?utf-8?b?[BASE-64]?= or =?utf-8?Q?[QUOTED-PRINTABLE]?=.

Taking Apple Mail as the example, Haddouche wrote that if it's fed the following - From: =?utf-8?b?${base64_encode('')}?==?utf-8?Q?=00?==?utf-8?b?${base64_encode('(')}? - there are two security issues, namely:

  • iOS has a null-byte injection bug, so it ignores everything after that byte and shows as the sender;
  • macOS ignores the null-byte but will stop after the first valid email it sees (due to a bug in the parser).
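As an added illustration, not code from the article or from Haddouche's test suite, the following Python decodes a From: header's encoded-words with the standard library and then applies the checks a client or gateway should run before rendering the result: it flags control characters that survive decoding, and a display name that reads as a different address from the addr-spec the authentication checks were run against. The sample headers and addresses are constructed, and the addr-spec extraction is a deliberately simplified regex rather than a full RFC 5322 parser.

```python
import base64
import re
from email.header import decode_header


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode("ascii")


# Constructed sample headers (not from the article). The second mirrors the
# shape described above: an encoded address-looking display name, an encoded
# NUL byte, then the real addr-spec that SPF/DKIM/DMARC are checked against.
BENIGN_FROM = f"=?utf-8?b?{_b64('Alice Example')}?= <alice@example.com>"
SUSPICIOUS_FROM = (
    f"=?utf-8?b?{_b64('ceo@example.com')}?="   # looks like a sender address
    "=?utf-8?Q?=00?="                          # quoted-printable NUL byte
    " <real.sender@example.net>"               # the addr-spec servers see
)

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ADDR_LIKE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_encoded_words(raw: str) -> str:
    """Decode RFC 2047 (formerly RFC 1342) encoded-words with no sanitising,
    which is what a vulnerable client does right before rendering."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def audit_from_header(raw: str) -> dict:
    """Decode, then report what should never reach the screen unflagged."""
    decoded = decode_encoded_words(raw)
    # Simplified addr-spec extraction: last <...> group, else the bare value.
    m = re.search(r"<([^<>]+)>\s*$", raw)
    addr_spec = (m.group(1) if m else raw).strip()
    display_name = decoded[: decoded.rfind("<")] if "<" in decoded else ""
    findings = []
    if CONTROL_CHARS.search(decoded):
        findings.append("control character in decoded header")
    for addr in ADDR_LIKE.findall(display_name):
        if addr.lower() != addr_spec.lower():
            findings.append(f"display name impersonates {addr}")
    return {"decoded": decoded, "addr_spec": addr_spec, "findings": findings}
```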

He dubbed the bug “Mailsploit”, and provided a full list of vulnerable clients here.

As readers will see scanning the list of mail apps, Mailsploit has another nasty side: some trouble ticketing systems (Supportsystem, osTicket and Intercom) are also subject to the bug; and in many mailers, the bug can also be exploited for cross-site scripting and code injection attacks.

Most of the vendors Haddouche contacted have either patched or at least got to work on a patch, but Mozilla and Opera reckon it's a server-side issue, and Mailbird “closed the ticket without responding”. ®

Biting the hand that feeds IT © 1998–2020