![Page 1: ALL YOUR EMAILS BELONG TO US Exploiting vulnerable email ......Exploiting vulnerable email clients via domain name collision. Ilya Nesterov I break things ... Derive URL from the email](https://reader030.vdocuments.net/reader030/viewer/2022040307/5ed1752e0d91df568145f460/html5/thumbnails/1.jpg)
ALL YOUR EMAILS BELONG TO US
March 2017
Ilya Nesterov, Max Goncharov
Exploiting vulnerable email clients via domain name collision
Who we are

Ilya Nesterov
I break things. I build things to break things.
Security researcher, Shape Security

Max Goncharov
Security researcher, Threat OSINT, Vuln. hunter
Shape Security
Email? What is wrong with that?
AUTODISCOVER
Autodiscover : History

2006: Feature for Office 2007
Autodiscover announced as a feature for the upcoming product release.
2008: Introduced April 2008
Introduced as version 0.1 with a preliminary description of the service.
2009: Thunderbird config-v1.1.xml
Alternative to Autodiscover for Thunderbird, proposed in 2008 and released in 2009.
2010: Lync Server 2010
Part of the mobility program for easier data exchange. Introduced the HTTP and HTTPS Autodiscover process.
2017: Here we are with Autodiscover
We found severe vulnerabilities in some Autodiscover client implementations.
Autodiscover : Process
1. Define the candidate pool
2. Try each server from a list
Defining the candidate pool
1. Query LDAP or AD servers
2. Derive URL from the email address
3. Query DNS for Autodiscover SRV records
4. Send an unauthenticated GET request
5. Prioritize
Derive URL from the email

1. https:// + {domain} + /autodiscover/autodiscover.xml
2. https://autodiscover. + {domain} + /autodiscover/autodiscover.xml

For jarzt.com:
1. https://jarzt.com/autodiscover/autodiscover.xml
2. https://autodiscover.jarzt.com/autodiscover/autodiscover.xml
Email address complexity
RFC 5321, RFC 5322, RFC 6531, RFC 6532
Examples of syntactically valid addresses:
"()<>[]:,;@\\\"!#$%&'-/=?^_`{}| ~.a"@example.org
"tom@knopf77"@jarzt.com
Samsung Mail Client
autodiscover.example.com.au -> autodiscover.com.au
Announced as fixed: January 2017
CVE-2016-9940
iOS Mail app
autodiscover. + <domain>
tomknopf77@example@com -> autodiscover.com
Announced as fixed: March 2017, iOS 10.3
CVE-2017-2414
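As an added example (not code from the talk or from any of the clients it names), the following Python derives the Autodiscover candidate URLs from the slides while avoiding the two client mistakes shown above and on the email-complexity slide: the domain is taken after the quoted local part rather than at the first or last `@`, an address with an unquoted second `@` is rejected instead of yielding `com`, and a host that is itself a public suffix (autodiscover.com, autodiscover.com.au) is refused. `PUBLIC_SUFFIXES` is a constructed sample; a real client loads the full Mozilla public suffix list.

```python
import re
from typing import List, Optional

# Constructed sample of public-suffix rules; a real client loads the full
# Mozilla Public Suffix List (8K+ rules) and the IANA TLD list from the slides.
PUBLIC_SUFFIXES = {"com", "org", "net", "au", "com.au", "uk", "co.uk"}
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")

def domain_part(address: str) -> str:
    """Return the lower-cased domain of an RFC 5321 address.
    A quoted local part may contain '@' and backslash quoted-pairs, so the
    split happens after the closing quote, never at the first or last '@'."""
    if address.startswith('"'):
        i = 1
        while i < len(address) and address[i] != '"':
            i += 2 if address[i] == "\\" else 1      # skip quoted-pair
        if i >= len(address) or address[i + 1:i + 2] != "@":
            raise ValueError("malformed quoted local-part")
        domain = address[i + 2:]
    else:
        _local, sep, domain = address.partition("@")
        if not sep or "@" in domain:                 # e.g. tomknopf77@example@com
            raise ValueError("exactly one unquoted '@' expected")
    if not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"invalid domain part: {domain!r}")
    return domain.lower()

def is_public_suffix(host: str) -> bool:
    return host.lower() in PUBLIC_SUFFIXES

def autodiscover_candidates(address: str) -> List[str]:
    """The two URL candidates from the slides, refused when the domain is itself
    a public suffix (autodiscover.com is registrable by anyone, not by the user's
    mail provider)."""
    domain = domain_part(address)
    if is_public_suffix(domain):
        raise ValueError(f"{domain!r} is a public suffix, not a mail domain")
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
    ]

def parent_fallback(domain: str) -> Optional[str]:
    """Climb one label for a retry (the step the Samsung slide shows going wrong),
    but stop before a public suffix: example.com.au -> None, never com.au."""
    parent = domain.partition(".")[2]
    return None if not parent or is_public_suffix(parent) else parent
```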
We need more data!
8K+ entries in the Mozilla public suffix list
1.5K+ entries in the IANA TLD list
Let’s build a hacking machine!*
* It’s just a simple HTTP sink

Email clients -> INTERNET -> HTTP servers -> Data Store, Analytics

Build and deploy:
- 26 autodiscover domains
- HTTP, HTTPS ports
- Certificates: Let’s Encrypt
- Accept all requests
Logs! This is … scary!
RESULTS
- 13M total requests received
- 26 domains in experiment
- 7 month period (Sep 2016 - March 2017)
- 9M requests with Basic Authentication header
- 2473 different Autodiscover client user-agents
- 212K email accounts affected from 65K different domains
MITIGATION

Users:
- use recommended email clients
- install security updates

Enterprise:
- follow official deployment guides
- use only supported email clients
- test all third party clients
- check your deployment regularly

Developers:
- follow Autodiscover specification
- derive local and domain parts properly
- remember TLD and public suffix list
- test, test, test

ICANN:
- ban autodiscover domain registration
Conclusion

EMAIL IS COMPLICATED: It is even more complicated than you think!
READ THE DOCS! Even if you read it, read between the lines.
NOBODY IS PERFECT: We all make mistakes. Let’s learn from someone else’s experience.
Demo!
www.shapesecurity.com
Thank You
www.shapesecurity.com