Re: [Mimedefang] mailsploit prevention in MD
On Wed, 6 Dec 2017 01:37:39 +0100 Jan-Pieter Cornet wrote:
> Another bug with its own logo and website has appeared:
> www.mailsploit.com.

Interesting. The code-injection part is worrying, but IMO the spoofing part is completely uninteresting. There are so many ways to fool people regarding DKIM/DMARC/SPF that you don't need malformed messages to do it.

Regards,

Dianne.

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] mailsploit prevention in MD
On 12/6/2017 7:52 AM, Jan-Pieter Cornet wrote:
> None of the mailsploit exploits target \n chars. I wouldn't worry about those. My implementation only matches \0 chars. You don't need [] around the char. Or you could write /\000/ as a full octal charcode.

From my research this morning, the exploit in general is the inclusion of control codes by using encoding of base64 and utf8 to bypass RFC sanity checks. The specific examples he used show improper MUA parsing of the \0, but it's unknown what some MUAs will do with control codes in these fields. So the [] was written because I expect other control codes to be brought up to also block. And originally I was trying to block \n, but of course a header has to have just one \n.

> One of the mailsploit tests that I currently don't deal with encodes an email address in the username part of the sender. I should block those too...

Yeah, I haven't looked at the exploits he's published before. Any technical details on that one?

Regards,

KAM
Re: [Mimedefang] mailsploit prevention in MD
On 12/5/2017 7:37 PM, Jan-Pieter Cornet wrote:
> Another bug with its own logo and website has appeared: www.mailsploit.com.

In the same vein and somewhat off-topic from an MD solution, here's a solution via Apache SpamAssassin that I'm soliciting feedback regarding on the SA users mailing list. I've added these rules to KAM.cf and would appreciate feedback.

    #MAILSPLOIT CONTROL CHARACTER - Thanks to Jan-Pieter Cornet for the idea
    #NUL
    header   __KAM_MAILSPLOIT1  From =~ /[\0]/
    describe __KAM_MAILSPLOIT1  RFC2047 Exploit https://www.mailsploit.com/index

    #\n Multiple in the From
    header   __KAM_MAILSPLOIT2  From =~ /[\n]/
    describe __KAM_MAILSPLOIT2  RFC2047 Exploit https://www.mailsploit.com/index
    tflags   __KAM_MAILSPLOIT2  multiple maxhits=2

    meta     KAM_MAILSPLOIT  (__KAM_MAILSPLOIT1 || (__KAM_MAILSPLOIT2 >= 2))
    describe KAM_MAILSPLOIT  Mail triggers known exploits per mailsploit.com
    score    KAM_MAILSPLOIT  10.0

Regards,

KAM
[Mimedefang] mailsploit prevention in MD
Another bug with its own logo and website has appeared: www.mailsploit.com.

This targets MUAs. It abuses RFC2047 MIME encoding of headers to insert NUL characters.

The mails are relatively easy to stop using mimedefang. I've just rolled it out on our platform. Boilerplate code (completely untested, but partly cut-n-pasted out of working code). Enjoy.

    use Encode qw(decode);

    sub filter_end ($) {
        my($entity) = @_;

        # ... any other processing you do in filter_end

        # Raw (still RFC2047-encoded) From: value; '' if the header is absent,
        # so decode() and the match below never see undef.
        my $fromline = $entity->head->get('From') // '';
        eval {
            # MIME::Decode of the header might fail for unknown charset.
            # Decoding the encoded-words turns an encoded NUL into a literal \0.
            my $friendly_from = decode('MIME-Header', $fromline);
            if ( $friendly_from =~ /\0/ ) {
                md_syslog('warning', "$MsgID: Encoded NUL in From header: $fromline");
                # XXX insert your own code to handle such messages, eg redirect, reject, or change the From: header
                action_bounce('Encoded NUL in From rejected');
            }
        };
        if ( $@ ) {
            # you may, for security reasons, choose to reject here too.
            md_syslog('warning', "$MsgID: Error decoding From: $fromline; error: $@");
        }

        # ... any more processing you wish to do in filter_end
    }

-- 
Jan-Pieter Cornet
"Any sufficiently advanced incompetence is indistinguishable from malice." - Grey's Law
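The same check as the Perl above, as an added Python example that is not part of this thread and not MIMEDefang code: RFC 2047-decode the From: value, then flag control characters (NUL, CR, LF and the rest of C0), a display name that itself contains an address (the encoded-address case raised elsewhere in the thread), and headers that fail to decode. The sample headers are constructed, and the address-in-display-name test is a heuristic assumption of this example, not something the posts define.

```python
import base64
import re
from email.errors import HeaderParseError
from email.header import decode_header

# C0 controls (NUL, CR, LF, ...) plus DEL: none belong in a decoded display name.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")
ADDR_RE = re.compile(r'[^\s<>@"]+@[^\s<>@"]+')  # address-looking token

def decode_from(raw: str) -> str:
    """RFC 2047-decode a raw From: value (Python's counterpart of decode('MIME-Header'))."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            # An unknown charset raises LookupError; the caller decides what to do.
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)  # header had no encoded words: plain str
    return "".join(parts)

def check_from(raw: str) -> list[str]:
    """Return findings for one From: value; an empty list means it looks clean."""
    try:
        decoded = decode_from(raw)
    except (LookupError, HeaderParseError):
        # Same idea as the eval{} in the Perl: a header that fails to decode is suspect.
        return ["From header could not be decoded"]
    findings = []
    if CONTROL_RE.search(decoded):
        findings.append("control character in decoded From")
    # Display name is whatever precedes the final <addr-spec>.
    m = re.match(r"^(.*?)\s*<[^<>]*>\s*$", decoded, re.S)
    display = m.group(1) if m else ""
    if ADDR_RE.search(display):  # heuristic, an assumption of this example
        findings.append("email address inside display name")
    return findings

def _b64word(text: bytes) -> str:
    return "=?utf-8?b?" + base64.b64encode(text).decode("ascii") + "?="

SAMPLES = {  # constructed sample headers, not real mail
    "clean": "Alice Example <alice@example.net>",
    "nul_b64": _b64word(b"Alice\x00") + " <sender@example.net>",
    "nul_qp": "=?utf-8?q?Alice=00?= <sender@example.net>",
    "addr_in_name": _b64word(b"accounts@example.org") + " <sender@example.net>",
    "bad_charset": "=?no-such-charset?b?QWxpY2U=?= <sender@example.net>",
}

def scan_samples() -> dict[str, list[str]]:
    return {name: check_from(raw) for name, raw in SAMPLES.items()}
```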