Mail.dll is not affected by Mailsploit

Tuesday, December 5th, 2017

The Mailsploit vulnerability stems from how email servers and clients interpret email addresses containing encoded-words. Handling those incorrectly could allow an attacker to spoof email identities.

Recent specs (RFC-2822 and RFC-5322) don’t allow using encoded-words for email addresses (addr-spec):

3.4. Address Specification:
address = mailbox / group
mailbox = name-addr / addr-spec
name-addr = [display-name] angle-addr
angle-addr = [CFWS] "<" addr-spec ">" [CFWS] / obs-angle-addr
display-name = phrase

Here are the unit tests that show how Mail.dll behaves when such malicious emails are parsed. Note that encoded-words are not decoded when they are part of an email address.

[Test]
public void Test1()
{
    string eml = @"From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.Headers["From"]);

    Assert.AreEqual(
        "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.From[0].Address);                                      // Correct

    Assert.AreEqual(
        null, 
        mail.From[0].Name);                                         // Correct
}

[Test]
public void Test2()
{
    string eml = @"From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=", 
        mail.Headers["From"]);

    Assert.AreEqual(
        null, 
        mail.From[0].Address);                // Correct

    Assert.AreEqual(
        "potus@whitehouse.gov", 
        mail.From[0].Name);      // Correct - this is correct behavior, 
                                 // sender can put anything in the name field.
}

[Test]
public void Test3()
{
    string eml = @"From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" 
        + @"=?utf-8?Q?=00?=" 
        + @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" 
        + @"=?utf-8?Q?=00?=" 
        + @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.Headers["From"]);

    Assert.AreEqual(
        @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" 
        + @"=?utf-8?Q?=00?=" 
        + @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.From[0].Address);            // Correct

    Assert.AreEqual(
        null, 
        mail.From[0].Name);               // Correct
}

Mail.dll allows anything in the name part of the address headers:

[Test]
public void Test4()
{
    string eml = @"From: =?utf-8?Q?=42=45=47=49=4E=20=2F"
        + @"=20=20=2F=20=00=20=50=41=53=53=45=44" 
        + @"=20=4E=55=4C=4C=20=42=59=54=45=20=2F=20=0D=0A" 
        + @"=20=50=41=53=53=45=44=20=43=52" 
        + @"=4C=46=20=2F=20=45=4E=44?= <test@example.com>

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        "test@example.com", 
        mail.From[0].Address);

    Assert.AreEqual(
        "BEGIN /  / \0 PASSED NULL BYTE / \r\n PASSED CRLF / END", 
        mail.From[0].Name); 

    // Note the \r\n (new line) and \0 (null) characters
}

The specification allows encoded-words in the name (RFC 2047, section 5, "Use of encoded-words in message headers", rule (3)).
Encoded-words are used to encode non-ASCII characters, for example national characters like umlauts (ä, ö, ü).

RFC 2047 imposes no restrictions on which characters can be encoded, which means that the zero byte (\0) and new lines (\r\n) are valid characters.

Client applications must ensure that such special characters don’t ‘push’ the actual email address ("test@example.com") out of view, so that it is no longer visible.
It is crucial for them to display the email address (test@example.com) no matter what is in the name field.
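
One way a client could build the sender label so that the address is always shown, whatever the name contains. This is an added example, not code from Mail.dll: SenderLabel, Format and Neutralize are hypothetical names, and the inputs in Main are the decoded values asserted in Test4 and Test2 above.

```csharp
using System;
using System.Globalization;
using System.Text;

// Hypothetical helper for this example; not part of Mail.dll.
public static class SenderLabel
{
    // Builds the text a client shows for a sender from the parsed name and address.
    public static string Format(string name, string address, int maxName = 64)
    {
        string shownName = Neutralize(name ?? "").Trim();
        if (shownName.Length > maxName)
        {
            // Do not cut a surrogate pair in half when shortening the name.
            int cut = char.IsHighSurrogate(shownName[maxName - 1]) ? maxName - 1 : maxName;
            shownName = shownName.Substring(0, cut) + "...";
        }

        // The addr-spec is always rendered, and rendered last, so nothing in
        // the name can replace it or push it out of view.
        string shownAddress = string.IsNullOrEmpty(address)
            ? "(no address)"
            : Neutralize(address);

        return shownName.Length == 0
            ? "<" + shownAddress + ">"
            : shownName + " <" + shownAddress + ">";
    }

    // Replaces characters that can end, hide or reorder displayed text.
    static string Neutralize(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            UnicodeCategory cat = char.GetUnicodeCategory(c);
            bool hidden = cat == UnicodeCategory.Control        // \0, \r, \n
                || cat == UnicodeCategory.Format                // bidi overrides, zero-width
                || cat == UnicodeCategory.LineSeparator
                || cat == UnicodeCategory.ParagraphSeparator
                || c == '<' || c == '>';                        // reserved for the address
            sb.Append(hidden ? '?' : c);
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed inputs: the name/address values from Test4 and Test2.
        Console.WriteLine(Format(
            "BEGIN /  / \0 PASSED NULL BYTE / \r\n PASSED CRLF / END", "test@example.com"));
        Console.WriteLine(Format("potus@whitehouse.gov", null));
    }
}
```

With mail parsed as in the tests, the call would be SenderLabel.Format(mail.From[0].Name, mail.From[0].Address).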