- Jul 22, 2014
- 2,525
German security researcher Sabri Haddouche has discovered a set of vulnerabilities that he collectively refers to as Mailsploit, and which allow an attacker to spoof email identities, and in some cases, run malicious code on the user's computer.
While the remote code execution part of Mailsploit is worrisome, the real issue is the email spoofing attack that circumvents all modern anti-spoofing protection mechanisms such as DMARC (DKIM/SPF) or various spam filters.
This allows miscreants to send emails with spoofed identities that both users and email servers have a hard time detecting as fakes. This, in turn, makes phishing attacks and malware-laden emails much harder to spot.
How Mailsploit works
The Mailsploit vulnerability stems from how email servers interpret email addresses encoded with RFC-1342. This is a standard adopted in 1992 that describes a way to encode non-ASCII characters inside email headers.
By rule, all content in an email header must consist of ASCII characters. The authors of email standards adopted RFC-1342 to encode non-ASCII characters as standard ASCII characters, so that emails with a non-ASCII subject line or email address would not cause errors when passing through a server.
Haddouche discovered that a large number of email clients would take an RFC-1342 encoded string, decode it to its non-ASCII state, but wouldn't sanitize it afterward to check for malicious code.
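The decode-then-validate step described above, as an added example that is not part of the article or of Haddouche's research: a Python check that decodes the RFC 1342 (now RFC 2047) encoded words in a From header using only the standard library, then flags a decoded display name that contains control characters or that looks like an email address different from the real addr-spec. The header values in the sample list are constructed for this example; the "address in display name" test is a heuristic, not something the article describes.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header
from email.utils import parseaddr

# C0 controls, DEL and the null byte: none of these belong in a display name
# once the encoded words have been decoded back to their original characters.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Loose "looks like an email address" pattern, used only for the spoof heuristic.
ADDRESS_LIKE = re.compile(r"[^\s<>@]+@[^\s<>@]+")


def decode_display_name(raw_from):
    """Split a raw From value into (decoded display name, addr-spec).

    parseaddr() leaves RFC 2047 encoded words untouched, so the display name
    is decoded separately. decode_header() returns bytes chunks together with
    their declared charset (None for unencoded text, which is treated as ASCII).
    """
    name, addr = parseaddr(raw_from)
    pieces = []
    for chunk, charset in decode_header(name):
        if isinstance(chunk, bytes):
            pieces.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            pieces.append(chunk)
    return "".join(pieces), addr


def check_from_header(raw_from):
    """Decode the From header and return the findings a filter would act on."""
    findings = []
    try:
        name, addr = decode_display_name(raw_from)
    except (HeaderParseError, LookupError):
        # Malformed encoded word or unknown charset: report it rather than
        # falling back to displaying the raw, undecoded header.
        return {"display_name": None, "addr_spec": None,
                "findings": ["undecodable encoded word in From header"]}

    # The check the article says affected clients skipped: inspect the
    # decoded text before it is shown to the user.
    if CONTROL_CHARS.search(name):
        findings.append("control characters in decoded display name")

    # Heuristic (an assumption of this example): a display name that itself
    # reads as an address, but not the sender's real one, is worth flagging.
    match = ADDRESS_LIKE.search(name)
    if match and match.group(0).lower() != addr.lower():
        findings.append("display name shows an address that differs from the sender address")

    return {"display_name": name, "addr_spec": addr, "findings": findings}


if __name__ == "__main__":
    # Constructed sample From values for this example (not taken from the article).
    samples = [
        "Alice Example <alice@example.com>",
        "=?utf-8?q?Alice_Example=00?= <mailer@example.net>",
        "=?utf-8?q?ceo=40corp.example?= <mailer@other.example>",
    ]
    for raw in samples:
        result = check_from_header(raw)
        print(repr(result["display_name"]), result["addr_spec"], result["findings"])
```

The point of the example is the order of operations: the decoder runs first, and the validation runs on what the decoder produced, not on the ASCII-only encoded form that passed the header rules. A client or gateway that validates only the encoded header sees a clean ASCII string and never notices what the decoded text contains.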
....
33 email clients and services affected so far
Haddouche discovered the Mailsploit flaws earlier this year and says he tested several email clients and web services to see which were vulnerable. He maintains a Google Docs document with his findings here.
...
...
Mailsploit can also run code on some machines