Penetration tester Sabri Haddouche has reintroduced the world to email source spoofing, bypassing spam filters and protections like Domain-based Message Authentication, Reporting and Conformance (DMARC), thereby posing a risk to anyone running a vulnerable and unpatched mail client.
What he’s found is that more than 30 mail clients, including Apple Mail, Thunderbird, various Windows clients, Yahoo! Mail, ProtonMail and more, bungled their implementation of an ancient RFC, letting an attacker trick the software into displaying a spoofed From field, even though what the server sees is the real sender.
That means if the server is configured to use DMARC, Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), it will treat a message as legit, even if it should be spam-binned.
The RFC in question is RFC 1342, “Representation of Non-ASCII Text in Internet Message Headers”, and the implementation error Haddouche found was that mail clients and Web mail interfaces don’t properly sanitise a non-ASCII string after they decode it.
The encoded string, Haddouche wrote, can be embedded as either =?utf-8?b?[BASE-64]?= or =?utf-8?Q?[QUOTED-PRINTABLE]?=.
Taking Apple Mail as the example, Haddouche wrote that if it’s fed the following – From: =?utf-8?b?${base64_encode('potus@whitehouse.gov')}?==?utf-8?Q?=00?==?utf-8?b?${base64_encode('(potus@whitehouse.gov)')}?=@mailsploit.com – there are two security issues, namely:
iOS has a null-byte injection bug, so it ignores everything after that byte and shows potus@whitehouse.gov as the sender;
macOS ignores the null byte but will stop after the first valid email address it sees (due to a bug in the parser).
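As an added example (not code from the article or from Haddouche’s write-up), the Python below reconstructs the From header quoted above as constructed sample input, decodes its encoded-words the way a naive client would, and then applies the sanitising step a mail client or gateway should perform: flag control characters in the decoded text and compare the domain of any address that would be displayed with the real addr-spec domain outside the encoded-words. The function names (build_mailsploit_from, decode_encoded_words, check_from_header) are my own.

```python
import base64
import quopri
import re

# RFC 1342 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def build_mailsploit_from(display: str, real_domain: str) -> str:
    """Constructed sample input mirroring the article's header: base64(display),
    a Q-encoded NUL byte, base64("(display)"), then the real addr-spec domain
    that SPF/DKIM/DMARC are actually evaluated against."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return (f"=?utf-8?b?{b64(display)}?="
            f"=?utf-8?Q?=00?="
            f"=?utf-8?b?{b64('(' + display + ')')}?=@{real_domain}")


def decode_encoded_words(header: str) -> str:
    """Decode encoded-words as a naive client would: the decoded bytes are not
    sanitised, so a NUL or other control byte survives into the display string."""
    def _decode(m):
        charset, enc, payload = m.group(1), m.group(2).lower(), m.group(3)
        if enc == "b":
            raw = base64.b64decode(payload)
        else:  # Q encoding: '_' stands for space, '=XX' for a raw byte
            raw = quopri.decodestring(payload.replace("_", " ").encode())
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(_decode, header)


def check_from_header(header: str) -> dict:
    """Post-decode check: flag control characters, and flag any address that
    would be shown whose domain differs from the real addr-spec domain."""
    decoded = decode_encoded_words(header)
    outside = ENCODED_WORD.sub("", header)      # text not covered by encoded-words
    real = re.search(r"@([\w.-]+)", outside)
    real_domain = real.group(1).lower() if real else None
    findings = []
    if any(ord(ch) < 0x20 and ch not in "\t\r\n" or ord(ch) == 0x7F for ch in decoded):
        findings.append("control-char")
    shown = {d.lower() for d in re.findall(r"[\w.+-]+@([\w.-]+)", decoded)}
    if real_domain and any(d != real_domain for d in shown):
        findings.append("domain-mismatch")
    # What a NUL-truncating client (the iOS behaviour described above) would display.
    displayed = decoded.split("\x00", 1)[0]
    return {"decoded": decoded, "displayed": displayed,
            "real_domain": real_domain, "findings": findings}
```

Running check_from_header on build_mailsploit_from("potus@whitehouse.gov", "mailsploit.com") reports both a control character and a domain mismatch, while a plain "=?utf-8?b?QWxpY2U=?= <alice@example.com>" header reports nothing.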
He dubbed the bug “Mailsploit”, and provided a full list of vulnerable clients here.
As readers scanning the list of mail apps will see, Mailsploit has another nasty side: some trouble-ticketing systems (Supportsystem, osTicket and Intercom) are also subject to the bug, and in many mailers the bug can also be exploited for cross-site scripting and code injection attacks.
Most of the vendors Haddouche contacted have either patched or at least got to work on a patch, but Mozilla and Opera reckon it’s a server-side issue, and Mailbird “closed the ticket without responding”. ®