[imp] Fwd: E-mail address spoofing with RLO

Michael Menge michael.menge at zdv.uni-tuebingen.de
Wed May 25 12:37:22 UTC 2011



Quoting ANANT S ATHAVALE <asa at isac.gov.in>:

> Hello,
>
> Thanks for the info.
>
> Regards,
> ANANT.
>
> ----- Message from jan at horde.org ---------
>     Date: Wed, 25 May 2011 13:55:23 +0200
>     From: Jan Schneider <jan at horde.org>
>  Subject: Re: [imp] Fwd: E-mail address spoofing with RLO
>       To: imp at lists.horde.org
>
>
>> So, basically what this says is that you can't trust an email's  
>> sender name? Surprise. Of course IMP is affected too, any client that  
>> properly displays Unicode is affected.

A solution would be to ensure that horde resets the "right-to-left override"
between display name and address.

>>
>> Zitat von ANANT S ATHAVALE <asa at isac.gov.in>:
>>
>>> Dear List,
>>>
>>> Can anybody confirm, IMP is not affected by this?
>>>
>>> -ANANT.
>>>
>>>   Date: Tue, 24 May 2011 18:58:19 +0200
>>>   From: Wouter Coekaerts <wouter at coekaerts.be>
>>> Subject: E-mail address spoofing with RLO
>>>     To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk
>>>
>>> E-mail address spoofing with RLO -  
>>> http://wouter.coekaerts.be/2011/email-rlo
>>>
>>> Introduction
>>> =============
>>> When we reply to an e-mail, the address we see in the To-field serves
>>> a purpose beyond getting our answer back to original sender. We attach
>>> a meaning to these addresses. If we see john.smith at example.com, we
>>> expect that we're really sending a mail to someone at the Example
>>> company.
>>> We may have learned not to trust the "From" address: that's about as
>>> unreliable as the return address on the back of an envelope. But we
>>> should be careful with what we think we see in To-field too.
>>>
>>> Problem
>>> =======
>>> The problem comes from the unicode "right-to-left override" (RLO,
>>> U+202E) character. It's an invisible character, that forces the text
>>> after it to be treated as right-to-left. For example "abc[RLO]def" is
>>> displayed as "abcfed". It's well known that these kinds of characters
>>> have security implications[1][2], it has led to other problems[3]
>>> before, and this is a new one in that category:
>>> It can be abused to display an E-mail address backwards, so that it
>>> appears to be on a different domain than it actually is.
>>>
>>> Details
>>> =======
>>> An RLO is usually not accepted in an address, but it is accepted in
>>> the display name. The display name and the address are often shown
>>> together, allowing the RLO in the display name to affect how the
>>> address is shown. For example, "Firstname Lastname [RLO]
>>> <moc.mitciv at attacker.com>" is displayed as "Firstname Lastname
>>> <moc.rekcatta at victim.com> ".
>>>
>>> This cannot be used to spoof arbitrary addresses because the
>>> attacker's reversed real domain is still in it. But it can be used to
>>> spoof any domain. And a well chosen domain name reversed can look like
>>> a convincing foreign real name in the first part of the address.
>>> This problem is worse than spoofing of the From-addresses, because an
>>> attacker can have a whole conversation without an indication to the
>>> victim that he's not who (from the domain) he pretends to be.
>>>
>>> Affected software
>>> =================
>>> This affects most e-mail clients. These are the ones I tested, and
>>> whose vendors have been made aware of this in 2009.
>>> * Gmail: still vulnerable
>>> * Hotmail: Fixed in February 2010 [4]
>>> * Outlook 2007 (and later?): no fix announced, presumably still vulnerable
>>> * Outlook Web Access: no fix announced, presumably still vulnerable
>>> * Evolution: still vulnerable (Bug 601172 [5])
>>> * KMail: Fixed since December 2009, KDE 4.2.x (never released),  
>>> 4.3.5 and 4.4.0
>>> * And more...
>>>
>>> 1: http://unicode.org/reports/tr9/#Explicit_Directional_Overrides
>>> 2: http://unicode.org/reports/tr36/#Bidirectional_Text_Spoofing
>>> 3: http://www.mozilla.org/security/announce/2009/mfsa2009-62.html
>>> 4: http://technet.microsoft.com/en-us/security/cc308575.aspx#0210
>>> 5: https://bugzilla.gnome.org/show_bug.cgi?id=601172
>>>
>>>
>>> Regards,
>>>
>>> Anant Athavale.
>>>
>>> ------------------------------------------------------------------------------
>>> Confidentiality Notice: This e-mail message, including any  
>>> attachments, is for
>>> the sole use of the intended recipient(s) and may contain confidential and
>>> privileged information. Any unauthorized review, use, disclosure or
>>> distribution is prohibited. If you are not the intended recipient, please
>>> contact the sender by reply e-mail and destroy all copies of the original
>>> message.
>>> ------------------------------------------------------------------------------
>>>
>>> -- 
>>> IMP mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>>
>>
>> Jan.
>>
>> -- 
>> Do you need professional PHP or Horde consulting?
>> http://horde.org/consulting/
>>
>>
>
>
> ----- End message from jan at horde.org -----
>
>
>
> Regards,
>
> Anant Athavale.
>
>




--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail:  
michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
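The RLO problem from Wouter Coekaerts' advisory quoted above, and the reset between display name and address that Michael proposes, as an added Python example that is not Horde/IMP code: it detects explicit bidi controls in a display name, closes any the name leaves open, and wraps the name in an isolate so its direction cannot reach the address. Assumptions: the helper names are mine, the sample name and address are constructed after the advisory's example, and the isolate characters (FSI/PDI) only exist from Unicode 6.3 on, so older renderers rely on the appended PDF alone.

```python
import re

# Explicit directional formatting characters from Unicode UAX #9:
# LRE/RLE/PDF/LRO/RLO (U+202A-U+202E), LRI/RLI/FSI/PDI (U+2066-U+2069)
# and the LRM/RLM marks (U+200E, U+200F).
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069\u200e\u200f]")
EMBED_OPENERS = set("\u202a\u202b\u202d\u202e")  # each is closed by a PDF
PDF = "\u202c"
ISOLATE_OPENERS = set("\u2066\u2067\u2068")      # each is closed by a PDI
FSI, PDI = "\u2068", "\u2069"


def has_bidi_controls(text: str) -> bool:
    """Detection: does a header value carry any directional control?"""
    return BIDI_CONTROLS.search(text) is not None


def strip_bidi_controls(text: str) -> str:
    """Conservative fix: remove the controls from a display name outright."""
    return BIDI_CONTROLS.sub("", text)


def close_open_overrides(text: str) -> str:
    """Append the PDF/PDI terminators the text left unmatched.

    This is the "reset the override between display name and address" fix:
    the name is kept verbatim, but its overrides end where the name ends.
    Unmatched terminators are ignored, as UAX #9 itself ignores them.
    """
    embeds = isolates = 0
    for ch in text:
        if ch in EMBED_OPENERS:
            embeds += 1
        elif ch == PDF and embeds:
            embeds -= 1
        elif ch in ISOLATE_OPENERS:
            isolates += 1
        elif ch == PDI and isolates:
            isolates -= 1
    return text + PDF * embeds + PDI * isolates


def format_sender(display_name: str, address: str) -> str:
    """Render 'Name <address>' so the name's bidi state cannot reach the address.

    The name is closed with close_open_overrides() and also wrapped in a
    first-strong isolate (FSI ... PDI), a hard boundary for Unicode 6.3+ renderers.
    """
    return f"{FSI}{close_open_overrides(display_name)}{PDI} <{address}>"
```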