Mailsploit Vulnerabilities Allow Attackers to Send Spoofed Emails and Run Malicious Code

A German security researcher has discovered a set of vulnerabilities dubbed "Mailsploit" that allow an attacker to send spoofed email identities on over 33 email clients to run malicious code.

Malicious scripts, such as cross-site scripting and other injection codes, can be encoded with RFC-1342. When the client mail server decodes the script, the malicious code will execute due to poor sanitization. More than 33 email clients are vulnerable to this attack method, at the time of this writing.

An attacker can create an email address with a username that is actually a RFC-1342 encoded string that, when decoded inside and the email client, contains a null-byte or two or more email addresses. The email client will only read the email address before the null-byte or the first valid email it sees.

Vulnerable email clients will stop parsing the string at xyz[@]abc[.]com because it is first email address it sees and because of the null-byte (\0) after the first email address, therefore ignoring the real domain of [@]mailxxxsploit[.]com.

Furthermore, because the encoded username will not appear suspicious to email servers, anti-spoofing protocols such as Domain-based Message Authentication, Reporting and Conformance (DMARC) is bypassed, and the DomainKeys Identified Mail (DKIM) signature of the original domain will be validated instead of the spoofed one.

There could be wider attacks and misuse of the vulnerability.