[imp] Fwd: E-mail address spoofing with RLO
Jan Schneider
jan at horde.org
Wed May 25 11:55:23 UTC 2011
So, basically what this says is, that you can't trust an email's
sender name? Suprise. Of course IMP is affected to, any client that
properly displays Unicode is affected.
Zitat von ANANT S ATHAVALE <asa at isac.gov.in>:
> Dear List,
>
> Can anybody confirm, IMP is not affected by this?
>
> -ANANT.
>
> Date: Tue, 24 May 2011 18:58:19 +0200
> From: Wouter Coekaerts <wouter at coekaerts.be>
> Subject: E-mail address spoofing with RLO
> To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk
>
> E-mail address spoofing with RLO - http://wouter.coekaerts.be/2011/email-rlo
>
> Introduction
> =============
> When we reply to an e-mail, the address we see in the To-field serves
> a purpose beyond getting our answer back to original sender. We attach
> a meaning to these addresses. If we see john.smith at example.com, we
> expect that we're really sending a mail to someone at the Example
> company.
> We may have learned not to trust the "From" address: that's about as
> unreliable as the return address on the back of an envelope. But we
> should be careful with what we think we see in To-field too.
>
> Problem
> =======
> The problem comes from the unicode "right-to-left override" (RLO,
> U+202E) character. It's an invisible character, that forces the text
> after it to be treated as right-to-left. For example "abc[RLO]def" is
> displayed as "abcfed". It's well known that these kind of characters
> have security implications[1][2], it has led to other problems[3]
> before, and this is a new one in that category:
> It can be abused to display an E-mail address backwards, so that it
> appear to be on a different domain than it actually is.
>
> Details
> =======
> An RLO is usually not accepted in an address, but it is accepted in
> the display name. The display name and the address are often shown
> together, allowing the RLO in the display name to affect how the
> address is shown. For example, "Firstname Lastname [RLO]
> <moc.mitciv at attacker.com>" is displayed as "Firstname Lastname
> <moc.rekcatta at victim.com> ".
>
> This can not be used to spoof arbitrary addresses because the
> attacker's reversed real domain is still in it. But it can be used to
> spoof any domain. And a well chosen domain name reversed can look like
> a convincing foreign real name in the first part of the address.
> This problem is worse than spoofing of the From-addresses, because an
> attacker can have a whole conversation without an indication to the
> victim that he's not who (from the domain) he pretends to be.
>
> Affected software
> =================
> This affects most e-mail clients. These are the ones I tested, and
> whose vendors have been made aware of this in 2009.
> * Gmail: still vulnerable
> * Hotmail: Fixed in February 2010 [4]
> * Outlook 2007 (and later?): no fix announced, presumably still vulnerable
> * Outlook Web Access: no fix announced, presumably still vulnerable
> * Evolution: still vulnerable (Bug 601172 [5])
> * KMail: Fixed since December 2009, KDE 4.2.x (never released),
> 4.3.5 and 4.4.0
> * And more...
>
> 1: http://unicode.org/reports/tr9/#Explicit_Directional_Overrides
> 2: http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing
> 3: http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
> 4: http://technet.microsoft.com/en-us/security/cc308575.aspx#0210
> 5: https://bugzilla.gnome.org/show_bug.cgi?id=601172
>
>
> Regards,
>
> Anant Athavale.
>
> ------------------------------------------------------------------------------
> Confidentiality Notice: This e-mail message, including any
> attachments, is for
> the sole use of the intended recipient(s) and may contain confidential and
> privileged information. Any unauthorized review, use, disclosure or
> distribution is prohibited. If you are not the intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original
> message.
> ------------------------------------------------------------------------------
>
> --
> IMP mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
Jan.
--
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
More information about the imp
mailing list