MailSploit vulnerabilities allow email spoofing with more than 30 email clients

A security researcher discovered a collection of vulnerabilities, dubbed MailSploit, that affect more than 30 popular email clients.

Email spoofing is simple to carry out and is a key step in almost any phishing or spear-phishing attack.

Attackers modify email headers and send an email with the forged sender address to trick recipients into opening the message believing they are receiving it from a trusted source.

The security researcher Sabri Haddouche has discovered a collection of vulnerabilities affecting more than 30 popular email clients that could be exploited by an attacker to send spoofed messages that bypass anti-spoofing systems.

The collection of flaws discovered by Haddouche was dubbed MailSploit. The list of vulnerable clients includes Apple Mail (macOS, iOS, and watchOS), Mozilla Thunderbird, several Microsoft email clients, Yahoo Mail, ProtonMail, and others.

It is worth noting that almost all of the affected email clients implement anti-spoofing mechanisms such as DKIM and DMARC.

The MailSploit flaws affect the way email clients and web interfaces parse the “From” header.

The expert set up a dedicated website that contains details about the set of vulnerabilities.

“Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.” reads the website.

“Bugs were found in over 30 applications, including prominent ones like Apple Mail (macOS, iOS and watchOS), Mozilla Thunderbird, various Microsoft email clients, Yahoo! Mail, ProtonMail and others.”

Haddouche explained that the flaws result from a lack of input sanitization in the affected email clients; they are not related to weaknesses in the DMARC mechanism itself.

The researcher published a PoC in which he used the email address of the US President, potus@whitehouse.gov. He explained that all headers must contain only ASCII characters, including the “From” header.

“The trick resides in using RFC-1342 (from 1992!), a recommendation that provides a way to encode non-ASCII chars inside email headers in a such way that it won’t confuse the MTAs processing the email.” continues the expert.

“Unfortunately, most email clients and web interfaces don’t properly sanitize the string after decoding which leads to this email spoofing attack.”

Haddouche created a payload by encoding non-ASCII characters inside the email headers. With this trick he was able to send a spoofed email that appeared to come from an official address belonging to the President of the United States.

“Using a combination of control characters such as new lines or null-byte, it can result in hiding or removing the domain part of the original email,” explained Haddouche.
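The mechanism described above, as an added example that is not part of the original article or the researcher's PoC: a From header whose RFC 2047 encoded-word (RFC 2047 is the successor of the RFC 1342 cited by Haddouche) decodes to a plausible-looking address followed by a NUL byte. A client that decodes the header and then stops rendering at the first control character shows only the forged part and hides the real addr-spec. The hardened renderer decodes, strips control characters, flags their presence, and always displays the address returned by `parseaddr` rather than trusting the display name. All addresses and the sample header are constructed placeholders.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# C0 control characters, DEL, and the Unicode line/paragraph separators have
# no legitimate use in a decoded display name; their presence is the signal.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f\u2028\u2029]")


def encoded_word(text: str, charset: str = "utf-8") -> str:
    """Build an RFC 2047 base64 encoded-word (=?charset?B?...?=)."""
    payload = base64.b64encode(text.encode(charset)).decode("ascii")
    return f"=?{charset}?B?{payload}?="


# Constructed sample header (hypothetical addresses): the display name decodes to
# "billing@example.com" followed by a NUL byte; the real addr-spec comes after it.
POC_FROM = encoded_word("billing@example.com\x00") + " <sender@third-party.example>"


def decode_display_name(header_value: str) -> str:
    """Decode every encoded-word in a header exactly as a naive client would,
    keeping whatever bytes the encoding produced, control characters included."""
    parts = []
    for chunk, charset in decode_header(header_value):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def naive_render(from_header: str) -> str:
    """What a client that truncates at the first control character displays:
    the decoded text up to the NUL, so the genuine address never appears."""
    decoded = decode_display_name(from_header)
    return CONTROL_CHARS.split(decoded, maxsplit=1)[0]


def render_sender(from_header: str) -> dict:
    """Hardened rendering: split name and addr-spec first, decode only the
    name, sanitize it after decoding, and flag anything suspicious."""
    raw_name, addr = parseaddr(from_header)
    decoded_name = decode_display_name(raw_name)
    has_control = bool(CONTROL_CHARS.search(decoded_name))
    clean_name = CONTROL_CHARS.sub("", decoded_name).strip()
    # A display name that looks like an address but differs from the real
    # addr-spec is the classic lookalike pattern; surface it to the user.
    mimics_address = "@" in clean_name and clean_name.lower() != addr.lower()
    return {
        "display_name": clean_name,
        "address": addr,
        "suspicious": has_control or mimics_address,
        "rendered": f"{clean_name} <{addr}>" if addr else clean_name,
    }


if __name__ == "__main__":
    print("naive client shows :", repr(naive_render(POC_FROM)))
    print("hardened renderer  :", render_sender(POC_FROM))
    print("benign header      :", render_sender("Alice <alice@example.com>"))
```

The key design choice is the order of operations: `parseaddr` runs on the raw header, where the encoded-word is still an opaque ASCII token, so the addr-spec it returns cannot be altered by anything hidden inside the encoded payload. Sanitization is then applied to the decoded display name only, which is exactly the step the affected clients skipped.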

Haddouche also published a video PoC of the attack.

Haddouche also discovered that some of the email clients, including Hushmail, Open Mailbox, Spark, and Airmail, are affected by cross-site scripting (XSS) vulnerabilities.

The researcher reported the MailSploit flaws to the developers of 33 different client applications; in 8 cases the development teams had already patched the issues before public disclosure and 12 are currently working on patches.

It is important to highlight that Mozilla and Opera will not release any fix because they classified MailSploit as a server-side issue.

“All vendors were contacted at least 3 months prior to the publication, some of them even 4 or 5 months before the publication.” concluded the expert.

“The spoofing bug was found and confirmed in 33 different products. As of Dec 5th 2017, it was fixed in 8 products (~ 24%) and triaged for 12 additional products (~ 36%). Two vendors (Mozilla and Opera) said they won’t fix the bug (they consider it to be a server-side problem) and another one (Mailbird) closed the ticket without responding.

As for the remaining 12 products (~ 36%), the vendors have received the bug report but have not commented on whether they will address it.”

Pierluigi Paganini

(Security Affairs – MailSploit, hacking)