GNOME Bugzilla – Bug 601172
E-mail address spoofing using unicode RLO character
Last modified: 2021-05-19 12:27:55 UTC
Security
Humm, can't find it. It may be limited to evolution developers. If you see that option, please make this bug hidden to developers only, so I can add the details.
Done. Hopefully you can still see it yourself.
Cool, thanks. So, here's the report I received. The issue is real and very well-explained in the document. The solution is simply to render the sender name and address separately (say, using two different Pango Layouts, two separate labels, etc.) ========================== Hi, I'm writing you to report the following discovered security vulnerability: A unicode "right-to-left override" (RLO, U+202E) character forces the following characters to be treated as right-to-left characters. An attacker can use this to make an E-mail address appear to be on a different domain than it actually is. Details ------- Most E-mail clients do not take the dangers of bidirectional control characters into consideration. This makes it possible for an E-mail address to appear to be on a different domain than it actually is. An RLO is usually not accepted in an address, but it is accepted in the display name. The display name and the address are often shown together, allowing the RLO in the display name to affect how the address is shown. For example, "Firstname Lastname [RLO] <moc.mitciv@attacker.com>" is displayed as "Firstname Lastname <moc.rekcatta@victim.com> ". The fact that the attackers real domain is still visible (reversed) in the address means that this can not be used to spoof arbitrary addresses. But it can be used to spoof any domain (and a well chosen domain name reversed can look like a convincing foreign real name). From-addresses on E-mails are often not reliable. What makes this issue different from "normal" spoofing is that replies sent to such a spoofed address still arrive at the attacker. An attacker can have a whole conversation without any indication to the victim that the person he is mailing with is not from the shown domain. Affected software ----------------- * Evolution 2.26.3 * KMail 1.12.2 (KDE 4.3.2) * Microsoft Outlook Web Access (no visible version number) * Gmail * And more probably... References ---------- UAX #9, Unicode Bidirectional Algorithm (http://unicode.org/reports/tr9/#Explicit_Directional_Overrides) and UTR #36, Unicode Security Considerations (http://www.unicode.org/reports/tr36/#Bidirectional_Text_Spoofing) warn about the security implications of bidirectional characters and overrides. Regards, Wouter.
Is a CVE for this already in progress? If not you might want to alert Red Hat's security team.
I will.
Done.
CC'ing original reporter.
I think I understand this. Sounds like we need to render the name part and address part separately pretty much everywhere they're shown together in the UI. I think we'll have to do this on a case-by-case basis, unfortunately. I would say the message summary list, message content, and message composer window would be the top priorities. Can you think of any other critical cases in Evolution, perhaps in the calendar or address book modules? After that's done I guess we'll just have to fix the remaining cases as we find them. Could I also get an example of an actual exploit for testing purposes?
There are ways to "type" an RLO directly in various programs (and then copy-paste it,...). But to keep it simple, here's an example encoded from-header. You could save a message, edit it with a text editor and import it again in Evolution. From: =?UTF-8?B?TW9jIExpYW1nIOKAriA=?= <moc.elpmaxe@gmail.com>
Any news on this problem? I'm planning on posting something about this to bugtraq & full-disclosure soon. (Keep in mind Evolution is not the only one affected.)
FYI, I'm about to publish something about this soon (for real this time). I assume Evolution is still vulnerable.
mbarnes: ping?
Behdad: What is the CVE number?
I don't think this is public yet. Or at least I can't find any reference.
The problem has been made public months ago (http://wouter.coekaerts.be/2011/email-rlo and mails). Maybe this bug should be made public in bugzilla too now? As far as I know there is no CVE assigned.
You can get a CVE assigned if you contact vendor-sec@lst.de.
Still valid in 3.2.3.
Opening this bug report as per comment #15.
FWIW: I've just tried with 3.20.5 and it's rendering Moc Liamg <moc.elpmaxe@gmail.com> everywhere. So I guess it's still an issue.
Tobias: I think that actually means that it's fixed in that location If I understand correctly, for this address: =?UTF-8?B?TW9jIExpYW1nIOKAriA=?= <moc.elpmaxe@gmail.com> Correct : Moc Liamg <moc.elpmaxe@gmail.com> Incorrect: Moc Liamg <moc.liamg@example.com>
GNOME is going to shut down bugzilla.gnome.org in favor of gitlab.gnome.org. As part of that, we are mass-closing older open tickets in bugzilla.gnome.org (resources are unfortunately quite limited so not every ticket can get handled). If you can still reproduce the situation described in this ticket in a recent and supported software version, then please follow https://wiki.gnome.org/Community/GettingInTouch/BugReportingGuidelines and create a new bug report ticket at https://gitlab.gnome.org/GNOME/evolution/-/issues/ Thank you for your understanding and your help.