Tuesday, December 5, 2017

Mailsploit Lets Attackers Send Spoofed Emails on popular email clients and servers










The main reason for SPAM 

Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Email Servers, therefore circumventing spoofing protection mechanisms SPAM filters.

Bugs were found in over 30 applications, including prominent ones like Apple Mail (MacOS, iOS and watchOS), Mozilla Thunderbird, various Microsoft email clients, Yahoo! Mail, ProtonMail and others.

In addition to the spoofing vulnerability, some of the tested applications also proved to be vulnerable to XSS and code injection attacks.


How Mailsploit works

Attacker can create a valid email address whose username is actually an RFC-1342-encoded string:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

Decoded this becomes which contains null-byte (\0):


potus@whitehouse.gov\0(gov@whitehouse.gov)@mailsploit.com

The problem is most mail systems will ignore everything after null-byte (\0). 


Thus potus@whitehouse.gov would be scanned ignoring the real exploit domain @mailsploit.com.  

Thus when you reply to this email, it would choose first email. 

Reply-To: potus@whitehouse.gov

Who does this affect ?

Mail Clients affected (see full actively maintained spreadsheet


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Mozilla Thunderbird ≤ 52.5.0 / SeaMonkey ≤ 2.4.8 MACOS WINDOWS
Mail for Windows 10 WINDOWS
Microsoft Outlook 2016 MACOS WINDOWS
Yahoo! Mail IOS
Yahoo! Mail ANDROID
[A bug bounty program that does not allow disclosure yet] ANDROID
[A bug bounty program that does not allow disclosure yet] IOS
Spark ≤ 1.4.1.392 MACOS
Spark IOS
ProtonMail ANDROID IOS
Polymail MACOS
Airmail ≤ 3.3.3 MACOS
BlueMail ≤ 1.9.2.62 ANDROID
TypeApp ANDROID IOS
AquaMail ANDROID
Opera Mail MACOS WINDOWS
Postbox ≤ 5.0.18 MACOS WINDOWS
Newton ANDROID MACOS WINDOWS
Guerrilla Mail ANDROID
Email Exchange + by MailWise ANDROID
AOL Mail ANDROID
TouchMail WINDOWS
Mailbird WINDOWS

Source
https://www.mailsploit.com/index

No comments:

Post a Comment