Email source spoofing that bypasses spam filters and protections such as Domain-based Message Authentication, Reporting and Conformance (DMARC) has been demonstrated by the penetration tester Sabri Haddouche, posing a risk to users who run a vulnerable and unpatched mail client.
The tester found that more than 30 mail clients, including Thunderbird, Apple Mail, various Windows clients, Yahoo! Mail, ProtonMail and others, bungled their implementation of an ancient RFC, allowing hackers to trick the software into displaying a spoofed From field, even though the server sees the real sender.
In other words, if the server is configured to use DMARC, Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM), it will treat the message as legitimate, even though it should be spam-binned.
The RFC in question is RFC 1342, “Representation of Non-ASCII Text in Internet Message Headers”, and the implementation error Haddouche found is that mail clients and webmail interfaces don’t properly sanitise a non-ASCII string after decoding it.
According to Haddouche, the embedding can use either =?utf-8?b?[BASE-64]?= or =?utf-8?Q?[QUOTED-PRINTABLE]?=.
For instance, Apple Mail is fed the following:
From: =?utf-8?b?${base64_encode('potus@whitehouse.gov')}?==?utf-8?Q?=00?==?utf-8?b?${base64_encode('(potus@whitehouse.gov)')}?=@mailsploit.com
The two security issues here are:
- iOS has a null-byte injection bug, so it ignores everything after that byte and shows potus@whitehouse.gov as the sender;
- macOS ignores the null byte but stops after the first valid email address it sees (due to a bug in the parser).
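To make the parsing failure concrete, here is an added Python example (not code from the article or from Haddouche's own tooling) that decodes the encoded-words of a From header, shows what a client that truncates at the NUL byte would render, and runs a defensive audit that strips control characters, recovers the domain the server actually saw, and flags encoded text that decodes to an address-like string. The sample header is constructed after the Apple Mail payload quoted above.

```python
import base64
import quopri
import re

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample, built after the Apple Mail payload quoted in the article.
SAMPLE_FROM = (
    "=?utf-8?b?" + b64("potus@whitehouse.gov") + "?="
    + "=?utf-8?Q?=00?="
    + "=?utf-8?b?" + b64("(potus@whitehouse.gov)") + "?="
    + "@mailsploit.com"
)


def decode_encoded_words(header):
    """Decode RFC 1342/2047 encoded-words verbatim, with no sanitising (the flawed step)."""
    def repl(m):
        charset, enc, payload = m.group(1), m.group(2).lower(), m.group(3)
        if enc == "b":
            raw = base64.b64decode(payload)
        else:
            raw = quopri.decodestring(payload.replace("_", " ").encode("ascii"))
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, header)


def naive_display(header):
    """What a client that truncates at the NUL byte renders as the sender."""
    return decode_encoded_words(header).split("\x00", 1)[0]


def audit_from(header):
    """Defensive handling: strip control characters, recover the real domain, flag oddities."""
    decoded = decode_encoded_words(header)
    findings = []
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        findings.append("control characters in decoded From")
    # Decoded encoded-word text is display text only; an '@' inside it mimics an address.
    if any("@" in decode_encoded_words(m.group(0)) for m in ENCODED_WORD.finditer(header)):
        findings.append("encoded-word decodes to an address-like string")
    cleaned = "".join(c for c in decoded if ord(c) >= 0x20 and c != "\x7f")
    # The addr-spec the server acted on lives outside the encoded-words.
    outside = ENCODED_WORD.sub("", header)
    real_domain = outside.rsplit("@", 1)[1].strip(" <>.") if "@" in outside else None
    return {"display": cleaned, "real_domain": real_domain, "findings": findings}
```

Running `audit_from(SAMPLE_FROM)` keeps the attacker's domain visible in the display text and raises both findings, whereas `naive_display` shows only the spoofed address.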
Sabri Haddouche called the bug “Mailsploit”, and provided a full list of vulnerable clients.
Mailsploit reaches further than mail clients: some trouble ticketing systems (Supportsystem, osTicket and Intercom) are also subject to the bug. Moreover, in many mailers the bug can also be exploited for cross-site scripting and code injection attacks.
The vendors Haddouche contacted have either patched or got to work on a patch, although for Mozilla and Opera it could be a server-side issue, and Mailbird “closed the ticket without responding”.