Discussion:
[Mimedefang] mailsploit prevention in MD
Jan-Pieter Cornet
2017-12-06 00:37:39 UTC
Another bug with its own logo and website has appeared: www.mailsploit.com.

This targets MUAs. It abuses RFC2047 MIME encoding of headers to insert NUL characters.

The mails are relatively easy to stop using mimedefang. I've just rolled it out on our platform.

Boilerplate code (completely untested, but partly cut-n-pasted out of working code). Enjoy.


use Encode qw(decode);

sub filter_end ($) {
    my($entity) = @_;

    # ... any other processing you do in filter_end

    # head->get returns undef when the message has no From: header at all;
    # decode() would warn on undef, so only run the check when there is one.
    my $fromline = $entity->head->get('From');
    if (defined $fromline) {
        eval {
            # Decoding the RFC 2047 encoded words (MIME-Header) might fail
            # for an unknown charset, hence the eval.
            my $friendly_from = decode('MIME-Header', $fromline);
            # A NUL can only get here via an encoded word; a raw header
            # never legitimately contains one.
            if ( $friendly_from =~ /\0/ ) {
                md_syslog('warning', "$MsgID: Encoded NUL in From header: $fromline");
                # XXX insert your own code to handle such messages, eg redirect, reject, or change the From: header
                action_bounce('Encoded NUL in From rejected');
            }
        };
        if ( $@ ) {
            # you may, for security reasons, choose to reject here too.
            md_syslog('warning', "$MsgID: Error decoding From: $fromline; error: $@");
        }
    }

    # ... any more processing you wish to do in filter_end
}
--
Jan-Pieter Cornet <***@xs4all.nl>
"Any sufficiently advanced incompetence is indistinguishable from malice."
- Grey's Law
Kevin A. McGrail
2017-12-06 11:33:12 UTC
Post by Jan-Pieter Cornet
www.mailsploit.com.
In the same vein and somewhat off-topic from an MD solution, here's a
solution via Apache SpamAssassin that I'm soliciting feedback regarding
on the SA users mailing list.

I've added these rules to KAM.cf and would appreciate feedback.

#MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
#NUL
header   __KAM_MAILSPLOIT1   From =~ /[\0]/
describe __KAM_MAILSPLOIT1   RFC2047 Exploit https://www.mailsploit.com/index

#\n Multiple in the From Header
header   __KAM_MAILSPLOIT2    From =~ /[\n]/
describe __KAM_MAILSPLOIT2    RFC2047 Exploit https://www.mailsploit.com/index
tflags   __KAM_MAILSPLOIT2    multiple maxhits=2

meta     KAM_MAILSPLOIT  (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
describe KAM_MAILSPLOIT  Mail triggers known exploits per mailsploit.com
score    KAM_MAILSPLOIT  10.0

Regards,
KAM
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list ***@lists.roaringpenguin.com
http://lists.roaringpengu
Kevin A. McGrail
2017-12-06 13:06:39 UTC
Post by Jan-Pieter Cornet
None of the mailsploit exploits target \n chars. I wouldn't worry
about those. My implementation only matches \0 chars. You don't need
[] around the char. Or you could write /\000/ as a full octal charcode.
From my research this morning, the exploit in general is the inclusion
of control codes by using encoding of base64 and utf8 to bypass RFC
sanity checks.  The specific examples he used show improper MUA parsing
of the \0 but it's unknown what some MUAs will do with control codes in
these fields.

So the [] was written because I expect other control codes to be brought
up to also block.  And originally I was trying to block \n but of course
a header has to have just one \n.
Post by Jan-Pieter Cornet
One of the mailsploit tests that I currently don't deal with encodes an
email address in the username part of the sender. I should block those
too...
Yeah, I haven't looked at the exploits he's published before.  Any
technical details on that one?

Regards,
KAM
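The checks discussed in the posts above, collected into one runnable form. This is an added example written for this page, not code from Jan-Pieter, Kevin, MIMEDefang or SpamAssassin. It does what Jan-Pieter's filter does (decode the RFC 2047 encoded words first, reject on NUL, treat an undecodable charset as a separate case) and adds the two points Kevin raises: other control codes, and an e-mail address hidden inside an encoded word. It also shows why the decode step matters: a regex over the raw header sees no NUL at all, which is the same reason a SpamAssassin header rule has to match the decoded value (the default) rather than From:raw. The sample headers are constructed, and the verdict names and the control-character class are this example's own assumptions. Python 3 standard library only.

```python
"""Detect Mailsploit-style From: headers (added example, not thread code)."""
import base64
import re
from email.header import decode_header

# C0 controls and DEL, minus TAB/LF/CR which header folding legitimately
# leaves behind, plus C1 controls (U+0080-U+009F) that some charsets can
# express.  This class is an assumed policy, not something from the thread.
CONTROL_RE = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]')


def decode_parts(raw):
    """Return [(text, came_from_encoded_word)] for a raw From: value.

    Raises LookupError for an unknown charset and UnicodeDecodeError for
    bytes invalid in the declared charset; the caller decides what to do
    with that (the branch Jan-Pieter's eval {} guards).
    """
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, str):            # header had no encoded words
            parts.append((chunk, False))
        elif charset is None:                 # plain text between encoded words
            parts.append((chunk.decode('ascii', errors='replace'), False))
        else:                                 # payload of an encoded word
            parts.append((chunk.decode(charset, errors='strict'), True))
    return parts


def check_from(raw):
    """Classify a raw From: header value.

    Returns (verdict, reason, decoded) with verdict one of
    'reject', 'suspicious', 'decode-error' or 'ok'.
    """
    try:
        parts = decode_parts(raw)
    except (LookupError, UnicodeDecodeError) as exc:
        return ('decode-error', str(exc), None)
    decoded = ''.join(text for text, _ in parts)
    if '\x00' in decoded:
        return ('reject', 'encoded NUL in From', decoded)
    if CONTROL_RE.search(decoded):
        return ('suspicious', 'control character in From', decoded)
    # RFC 2047 allows encoded words only in the display name or in comments,
    # never inside the addr-spec, so an encoded word that yields an '@' is
    # either malformed or an address being smuggled into the sender.
    if any(enc and '@' in text for text, enc in parts):
        return ('suspicious', 'address inside encoded word', decoded)
    return ('ok', '', decoded)


def raw_contains_nul(raw):
    """What a regex over the *undecoded* header sees: it misses the attack."""
    return '\x00' in raw


def encoded_word(payload, charset='utf-8'):
    """Build an RFC 2047 'B' encoded word; used here only to build samples."""
    return '=?%s?b?%s?=' % (charset, base64.b64encode(payload).decode('ascii'))


# Constructed sample headers; the domains and names are made up.
SAMPLES = {
    'plain':        'Alice Example <alice@corp.example>',
    'utf8_name':    encoded_word('Jürgen Müller'.encode('utf-8')) + ' <jm@corp.example>',
    'nul_b64':      encoded_word(b'CEO <ceo@corp.example>\x00') + ' <attacker@evil.example>',
    'nul_qp':       '=?utf-8?q?CEO_=3Cceo=40corp.example=3E=00?= <attacker@evil.example>',
    'addr_in_word': encoded_word(b'ceo@corp.example') + '@evil.example',
    'esc_seq':      encoded_word(b'CEO\x1b[2J') + ' <attacker@evil.example>',
    'bad_charset':  '=?x-no-such-charset?b?Q0VP?= <alice@corp.example>',
}

if __name__ == '__main__':
    for name, raw in SAMPLES.items():
        verdict, reason, _ = check_from(raw)
        print('%-13s raw-NUL=%-5s %-12s %s'
              % (name, raw_contains_nul(raw), verdict, reason))
```

Running it prints one line per sample; the raw-NUL column is False for every encoded case, which is the whole point of decoding before matching. Whether 'suspicious' becomes a reject, a quarantine or just a log line is a local policy decision, as Jan-Pieter's XXX comment says.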
Dianne Skoll
2017-12-06 13:34:01 UTC
On Wed, 6 Dec 2017 01:37:39 +0100
Post by Jan-Pieter Cornet
www.mailsploit.com.
Interesting. The code-injection part is worrying, but IMO the spoofing
part is completely uninteresting. There are so many ways to fool people
regarding DKIM/DMARC/SPF that you don't need malformed messages to do
it.

Regards,

Dianne.