Mailsploit problem in response to BODYSTRUCTURE

Mailsploit problem in response to BODYSTRUCTURE

TACHIBANA Masashi
Hi,

I tried to view a mail that has a strange From header, taken from the URL below:

https://www.mailsploit.com/index

Then I got a BODYSTRUCTURE response containing the following:

((NIL NIL "service" "paypal.com"))

Has this problem already been found by anyone?
Is it already fixed?

--
TACHIBANA Masashi  QUALITIA CO., LTD.
mailto:[hidden email]



Re: Mailsploit problem in response to BODYSTRUCTURE

Aki Tuomi-2

On 08.12.2017 11:47, TACHIBANA Masashi wrote:

> I tried to view a mail that has a strange From header, taken from the URL below:
>
> https://www.mailsploit.com/index
>
> Then I got a BODYSTRUCTURE response containing the following:
>
> ((NIL NIL "service" "paypal.com"))
>
> Has this problem already been found by anyone?
> Is it already fixed?

Can you maybe expand a bit why you consider this a problem?

Aki

Re: Mailsploit problem in response to BODYSTRUCTURE

Josef 'Jeff' Sipek
In reply to this post by TACHIBANA Masashi
On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:

> I tried to view a mail that has a strange From header, taken from the URL below:
>
> https://www.mailsploit.com/index
>
> Then I got a BODYSTRUCTURE response containing the following:
>
> ((NIL NIL "service" "paypal.com"))
>
> Has this problem already been found by anyone?
> Is it already fixed?

The metasploit generated emails contain a fake Reply-To header.  Are you
sure that the above isn't the Reply-To header?

The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes
ENVELOPE).  From the IMAP RFC:

        The fields of the envelope structure are in the following order:
        date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and
        message-id.

Can you paste the whole IMAP command response?

Thanks,

Jeff.

Re: Mailsploit problem in response to ENVELOPE

TACHIBANA Masashi
Hi,

Sorry, it comes from fetching ENVELOPE, not BODYSTRUCTURE.
For example:

A01 UID FETCH 24 (ENVELOPE)
* 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<[hidden email]>" "<[hidden email]>"))
A01 OK Fetch completed (0.000 secs).

> The metasploit generated emails contain a fake Reply-To header.  Are you
> sure that the above isn't the Reply-To header?

I also tested the Reply-To header, and got the same response as above.



--
TACHIBANA Masashi  QUALITIA CO., LTD.
mailto:[hidden email]
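The FETCH line above, parsed into the ten RFC 3501 envelope fields Jeff listed, as an added example. This is not code from the thread or from Dovecot; the response string is the UID 24 line posted above, with the list archive's "[hidden email]" redaction left in place. It shows that both the from and the reply-to lists hold service@paypal.com while the sender list holds dev1-bounces@example.com, which is why FETCH ENVELOPE is the place to look when checking what a spoofed header actually parsed to:

```python
"""Parse a Dovecot FETCH ENVELOPE response into the ten RFC 3501 fields.

Added example for this thread, not code from the thread or from Dovecot.
RESPONSE is the UID 24 line posted in the thread; the list archive had
already redacted the two message-ids to "<[hidden email]>".
"""
import re
from dataclasses import dataclass
from typing import Optional

RESPONSE = (
    '* 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" '
    '((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) '
    '((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) '
    '(("dev1" NIL "dev1" "example.com")) NIL "<[hidden email]>" "<[hidden email]>"))'
)

# RFC 3501 section 7.4.2: the envelope fields, in this order.
ENVELOPE_FIELDS = ('date', 'subject', 'from', 'sender', 'reply_to',
                   'to', 'cc', 'bcc', 'in_reply_to', 'message_id')
ADDRESS_FIELDS = ('from', 'sender', 'reply_to', 'to', 'cc', 'bcc')

# One IMAP token: a paren, a quoted string (group 1 = its contents), or an atom.
_TOKEN = re.compile(r'[()]|"((?:[^"\\]|\\.)*)"|[^\s()"]+')


def parse_list(text: str, pos: int):
    """Parse the parenthesized list starting at text[pos] (which must be '(').

    Returns (items, position just past the closing paren). Quoted strings
    become str with backslash escapes removed, NIL becomes None, nested lists
    become lists, and any other atom (numbers, flags) stays a str.
    """
    if text[pos] != '(':
        raise ValueError(f'expected "(" at offset {pos}')
    items = []
    pos += 1
    while True:
        m = _TOKEN.search(text, pos)
        if m is None:
            raise ValueError('unterminated parenthesized list')
        tok = m.group(0)
        if tok == ')':
            return items, m.end()
        if tok == '(':
            sub, pos = parse_list(text, m.start())
            items.append(sub)
        elif m.group(1) is not None:          # quoted string
            items.append(re.sub(r'\\(.)', r'\1', m.group(1)))
            pos = m.end()
        elif tok == 'NIL':
            items.append(None)
            pos = m.end()
        else:                                 # bare atom or number
            items.append(tok)
            pos = m.end()


@dataclass
class Address:
    """The four-part address structure of RFC 3501: (name adl mailbox host)."""
    name: Optional[str]
    adl: Optional[str]       # source route, practically always NIL
    mailbox: Optional[str]
    host: Optional[str]

    def __str__(self) -> str:
        return f'{self.mailbox}@{self.host}'


def parse_envelope(response: str) -> dict:
    """Return the ENVELOPE of a FETCH response as a dict keyed by field name.

    The six address fields become lists of Address objects, or None when the
    server returned NIL (no such header in the message).
    """
    start = response.index('ENVELOPE (') + len('ENVELOPE ')
    fields, _ = parse_list(response, start)
    if len(fields) != len(ENVELOPE_FIELDS):
        raise ValueError(f'expected {len(ENVELOPE_FIELDS)} envelope fields, got {len(fields)}')
    env = dict(zip(ENVELOPE_FIELDS, fields))
    for key in ADDRESS_FIELDS:
        if env[key] is not None:
            env[key] = [Address(*addr) for addr in env[key]]
    return env


def origin_fields(env: dict) -> dict:
    """The three fields a reader can confuse: who wrote it (from), who
    transmitted it (sender) and where replies go (reply_to), as addr-specs."""
    return {key: [str(a) for a in env[key] or []]
            for key in ('from', 'sender', 'reply_to')}


if __name__ == '__main__':
    envelope = parse_envelope(RESPONSE)
    for key in ENVELOPE_FIELDS:
        print(f'{key:12} {envelope[key]!r}')
    print(origin_fields(envelope))
```

Running the file prints each field on its own line; origin_fields() is the quick check for the question raised in the thread, since it puts from, sender and reply-to side by side instead of leaving the reader to count parenthesized groups.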



Re: Mailsploit problem in response to ENVELOPE

TACHIBANA Masashi
Hi,

Additionally, I just tried the following:

 From: [hidden email]<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\[hidden email]
 Reply-To: [hidden email]<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\[hidden email]


Thanks


--
TACHIBANA Masashi  QUALITIA CO., LTD.
mailto:[hidden email]

QUALITIA Co., Ltd.
http://www.qualitia.co.jp/



Re: Mailsploit problem in response to ENVELOPE

TACHIBANA Masashi
Hi,

I'm sorry, I had been testing with a mistaken From/Reply-To.

If the From/Reply-To addresses are as below:

 From: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com
 Reply-To: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com

ENVELOPE will come back as below:

A01 UID FETCH 25 (ENVELOPE)
* 5 FETCH (UID 25 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test3" ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<[hidden email]>" "<[hidden email]>"))
A01 OK Fetch completed (0.000 secs).

It seems a correct response.

Thank you.

--
TACHIBANA Masashi  QUALITIA CO., LTD.
mailto:[hidden email]

QUALITIA Co., Ltd.
http://www.qualitia.co.jp/
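Dovecot hands the RFC 2047 encoded-word back undecoded in the mailbox slot of the UID 25 response above, so whatever ends up on screen is the client's decoding, and that is where the Mailsploit display problem lives. The following added example (not code from the thread or from Dovecot) decodes the From mailbox exactly as returned in that response and contrasts two client behaviours: a simplified model of a Mailsploit-affected client, which cuts the decoded string at the first NUL or newline and renders the remainder as HTML so that only "service@paypal.com" survives, and a hardened display that keeps the whole address visible and flags it. The vulnerable-client model and the spoof heuristic are this example's own assumptions, not a description of any particular product.

```python
"""Decode the RFC 2047 encoded-word that came back verbatim in the ENVELOPE
mailbox field and show why a client must not display the decoded text as-is.

Added example for this thread, not code from the thread or from Dovecot.
MAILBOX and HOST are the From mailbox and host exactly as the UID 25 ENVELOPE
response in the thread returned them; the two "client" functions are
simplified models written for this example.
"""
import base64
import html
import quopri
import re
from typing import Tuple

MAILBOX = ('=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?='
           '=?utf-8?Q?=0A=00?=')
HOST = 'mailsploit.com'

# =?charset?encoding?payload?=  e.g. =?utf-8?b?...?= or =?utf-8?Q?=0A=00?=
_ENCODED_WORD = re.compile(r'=\?([^?]+)\?([bBqQ])\?([^?]*)\?=')
_CONTROL = re.compile(r'[\x00-\x1f\x7f]')


def decode_encoded_words(text: str) -> str:
    """Replace every RFC 2047 encoded-word in text with its decoded form.
    Undecodable bytes become U+FFFD rather than raising. The Mailsploit header
    glues two encoded-words together with no whitespace between them; a strict
    decoder could reject that, this one simply decodes both in turn."""
    def decode(m):
        charset, encoding, payload = m.group(1), m.group(2).upper(), m.group(3)
        if encoding == 'B':
            raw = base64.b64decode(payload + '=' * (-len(payload) % 4))
        else:  # Q: the quoted-printable variant, where '_' means space
            raw = quopri.decodestring(payload.encode('ascii'), header=True)
        return raw.decode(charset, errors='replace')
    return _ENCODED_WORD.sub(decode, text)


def naive_display(mailbox: str, host: str) -> str:
    """Model of a vulnerable client (an assumption of this example, modelled on
    the public Mailsploit description): decode, build "mailbox@host", treat it
    as a string that ends at the first NUL or newline, then render what is left
    as HTML so the hidden <iframe ...> contributes nothing visible."""
    full = decode_encoded_words(mailbox) + '@' + host
    cut = re.split(r'[\x00\r\n]', full, maxsplit=1)[0]
    return re.sub(r'<[^>]*>?', '', cut)


def is_spoofed_mailbox(decoded_mailbox: str) -> bool:
    """Heuristic (this example's own, not a standard): a decoded local part
    carrying control characters, an '@' or angle brackets is trying to pass
    itself off as a different address or as markup."""
    return bool(_CONTROL.search(decoded_mailbox)
                or re.search(r'[@<>]', decoded_mailbox))


def hardened_display(mailbox: str, host: str) -> Tuple[str, bool]:
    """What a careful client should show: the whole address, with control
    characters replaced by U+FFFD so nothing truncates it and markup escaped
    so nothing is rendered, plus a flag the UI can use to warn the user."""
    decoded = decode_encoded_words(mailbox)
    visible = html.escape(_CONTROL.sub('\ufffd', decoded), quote=False)
    return f'{visible}@{host}', is_spoofed_mailbox(decoded)


if __name__ == '__main__':
    print('decoded  :', repr(decode_encoded_words(MAILBOX)))
    print('naive    :', naive_display(MAILBOX, HOST))
    print('hardened :', hardened_display(MAILBOX, HOST))
```

Run the file to print the three views. The thing to notice is that the base64 payload already contains an "@" and a "<" inside the local part, followed by the newline and NUL that do the truncating; the server's job was only to hand that mailbox token over intact, and any client that decodes it before validating it gets the whole payload.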



Re: Mailsploit problem in response to ENVELOPE

Aki Tuomi-2
This is a good chance to remind people that you can report SECURITY
issues using these methods:

 - https://hackerone.com/dovecot/ (preferred channel)
 - emailing to [hidden email] (or Timo or me directly)

This way we can handle the security issues correctly and safely, and as
a bonus, if you find an actual security issue, we can award you with a
bounty! =)

Aki

On 11.12.2017 05:47, TACHIBANA Masashi wrote:

> ENVELOPE will come back as below:
>
> A01 UID FETCH 25 (ENVELOPE)
> * 5 FETCH (UID 25 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test3" ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<[hidden email]>" "<[hidden email]>"))
> A01 OK Fetch completed (0.000 secs).
>
> It seems a correct response.