German security researcher Sabri Haddouche has discovered a set of vulnerabilities that he collectively refers to as Mailsploit, and which allow an attacker to spoof email identities, and in some cases, run malicious code on the user's computer.
While the code execution part of Mailsploit is worrisome, the real issue is the email spoofing attack that circumvents all modern anti-spoofing protection mechanisms such as DMARC (DKIM/SPF) or various spam filters.
This allows miscreants to send emails with spoofed identities that both users and email servers have a hard time detecting as fakes. This, in turn, makes phishing attacks and malware-laden emails much harder to spot.
The Mailsploit vulnerability stems from how email servers interpret email addresses encoded with RFC-1342. This is a standard adopted in 1992 that describes a way to encode non-ASCII characters inside email headers.
By rule, everything in an email header must consist of ASCII characters. The authors of email standards adopted RFC-1342 to convert non-ASCII characters into ASCII automatically and avoid errors when emails with a non-ASCII subject line or email address passed through a server.
Haddouche discovered that a large number of email clients would take an RFC-1342 encoded string, decode it to its non-ASCII state, but wouldn't sanitize it afterward to check for malicious code.
Furthermore, if the RFC-1342-decoded email string contained a null-byte or two or more email addresses, the email client would read only the email address before the null-byte, or the first valid email it encountered.
This means that an attacker can create a valid email address whose username is actually an RFC-1342-encoded string:
... which is decoded inside an email client to:
(Image: the encoded string and its decoded form. Red = actual domain, Blue = actual username.)
Vulnerable email clients parsing these strings will read only the first email address (email@example.com) and ignore the real email domain (@mailsploit.com). The reason, as explained above, is either the null-byte (\0) or the fact that firstname.lastname@example.org is the first valid email address the client encounters; the rest of the string is ignored.
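As an added example (not part of the article or the researcher's material), the following check shows how a mail gateway or client could flag From: headers of the kind described above: it decodes the encoded-words the way a client would, then compares what would be displayed with the undecoded addr-spec the server actually routed on. The sample header values are constructed and use reserved example domains.

```python
import base64
import re
from email.header import decode_header
from email.utils import parseaddr

# Constructed sample From: header values (not from the article); the domains
# are reserved example names, not real senders.
SAMPLE_FROM = {
    "plain": "Jane Doe <jane@example.com>",
    "utf8_name": "=?utf-8?q?J=C3=BCrgen_M=C3=BCller?= <juergen@example.com>",
    "null_byte": "=?utf-8?b?"
    + base64.b64encode(b"ceo@example.com\x00").decode()
    + "?=@attacker.example",
    "two_addresses": "=?utf-8?b?"
    + base64.b64encode(b"ceo@example.com (ceo@example.com)").decode()
    + "?=@attacker.example",
}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ADDR_LIKE = re.compile(r'[^\s<>()@,;:"]+@[^\s<>()@,;:"]+')


def decode_words(header):
    """Decode every encoded-word (RFC 2047, successor of RFC 1342) to str."""
    out = []
    for chunk, charset in decode_header(header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def audit_from(header):
    """Return (routing domain, warnings) for one raw From: header value."""
    # The routing domain is taken from the undecoded addr-spec, i.e. what the
    # MTA and the DKIM/DMARC check saw; the warnings describe what a client
    # would display after decoding the encoded-words.
    _, routing = parseaddr(header)
    routing_domain = routing.rpartition("@")[2].lower()
    decoded = decode_words(header)
    warnings = []
    if CONTROL_CHARS.search(decoded):
        warnings.append("control-byte")        # e.g. \0 truncating the parse
    shown = [a.rstrip("\x00").lower() for a in ADDR_LIKE.findall(decoded)]
    if len(shown) > 1:
        warnings.append("multiple-addresses")  # two addresses in one field
    if any(a.rpartition("@")[2] != routing_domain for a in shown):
        warnings.append("displayed-domain-mismatch")
    return routing_domain, warnings
```

Running `audit_from` over each value in `SAMPLE_FROM` returns an empty warning list for the two legitimate headers and flags the other two, whose displayed domain (example.com) differs from the domain the mail was actually sent from.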
Haddouche discovered the Mailsploit flaws earlier this year and says he tested several email clients and web services to see which were vulnerable. He maintains a Google Docs document with his findings here.
Despite contacting all the vulnerable email clients and services privately, the researcher says that only 8 of the 33 have released patches to correct the email address parsing bug.
12 other vendors triaged the bug but did not say whether or when they intended to fix it, while 12 other vendors didn't even acknowledge the bug report.
Mozilla and Opera said from the get-go they won’t fix the bug because they consider it a server-side issue.
Even worse, email addresses encoded via the Mailsploit method will not look suspicious to modern email servers running anti-spoofing protocols like DMARC.
"DMARC is not attacked directly, but rather bypassed by taking advantage of how the clients display the email sender name," Haddouche explains. "The server still validates properly the DKIM signature of the original domain and not the spoofed one."
"This makes these spoofed emails virtually unstoppable at this point in time," Haddouche said.
Furthermore, the same Mailsploit flaws that allow attackers to hide multiple email addresses inside the email's "From:" field also allow them to package actual malicious code.
Some webmail clients that do an extremely poor job of sanitizing the decoded string will execute this payload, enabling XSS and other code injection attacks to run malicious code on the user's computer.
The good news is that not all clients vulnerable to email spoofing via the Mailsploit flaws are vulnerable to the code injection attacks, meaning some basic email address filtering takes place in some cases.
Below is a video of Haddouche carrying out a Mailsploit attack and sending spoofed emails to an iOS email client. Users can send spoofed emails themselves via a demo widget the expert has set up on a dedicated website.