Mailsploit problem in responce of BODYSTRUCTURE
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed?
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
On 08.12.2017 11:47, TACHIBANA Masashi wrote:
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed?
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
Can you maybe expand a bit why you consider this a problem?
Aki
On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed?
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:
The fields of the envelope structure are in the following order:
date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and
message-id.Can you paste the whole IMAP command response?
Thanks,
Jeff.
Hi,
Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:
A01 UID FETCH 24 (ENVELOPE)
- 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<20171206084846.0000478C.0596@example.com>" "<20171208004435.00006B4F.0014@example.com>")) A01 OK Fetch completed (0.000 secs).
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
I did test also Reply-To header, then had same response as above.
----- Original Message -----
On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed?
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:
The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.
Can you paste the whole IMAP command response?
Thanks,
Jeff.
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
Hi,
Additionally, I just tried bellow:
From: service@paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0@mailsploit.com Reply-To: service@paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0@mailsploit.com
Thanks
----- Original Message -----
Hi,
Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:
A01 UID FETCH 24 (ENVELOPE)
- 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<20171206084846.0000478C.0596@example.com>" "<20171208004435.00006B4F.0014@example.com>")) A01 OK Fetch completed (0.000 secs).
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
I did test also Reply-To header, then had same response as above.
----- Original Message -----
On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed?
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:
The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.
Can you paste the whole IMAP command response?
Thanks,
Jeff.
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
株式会社クオリティア http://www.qualitia.co.jp/
Hi,
I'm sorry, I had been tested by miss From/Reply-To,
If From/Reply-To addresses are bellow:
From: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com Reply-To: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com
ENVELOPE will come bellow:
A01 UID FETCH 25 (ENVELOPE)
- 5 FETCH (UID 25 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test3" ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<20171206084846.0000478C.0596@example.com>" "<20171208004435.00006B4F.0014@example.com>")) A01 OK Fetch completed (0.000 secs).
It seems correct response.
Thank you.
----- Original Message -----
Hi,
Additionally, I just tried bellow:
From: service@paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0@mailsploit.com Reply-To: service@paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0@mailsploit.com
Thanks
----- Original Message -----
Hi,
Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:
A01 UID FETCH 24 (ENVELOPE)
- 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<20171206084846.0000478C.0596@example.com>" "<20171208004435.00006B4F.0014@example.com>")) A01 OK Fetch completed (0.000 secs).
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
I did test also Reply-To header, then had same response as above.
----- Original Message -----
On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed?
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:
The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.
Can you paste the whole IMAP command response?
Thanks,
Jeff.
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
株式会社クオリティア http://www.qualitia.co.jp/
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
株式会社クオリティア http://www.qualitia.co.jp/
This is a good chance to remind people that you can report SECURITY issues using these methods:
- https://hackerone.com/dovecot/ (preferred channel) - emailing to info@dovecot.fi (or Timo or me directly)
This way we can handle the security issues correctly and safely, and as a bonus, if you find an actual security issue, we can award you with a bounty! =)
Aki
On 11.12.2017 05:47, TACHIBANA Masashi wrote:
Hi,
I'm sorry, I had been tested by miss From/Reply-To,
If From/Reply-To addresses are bellow:
From: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com Reply-To: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com
ENVELOPE will come bellow:
A01 UID FETCH 25 (ENVELOPE)
- 5 FETCH (UID 25 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test3" ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "=?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=" "mailsploit.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<20171206084846.0000478C.0596@example.com>" "<20171208004435.00006B4F.0014@example.com>")) A01 OK Fetch completed (0.000 secs).
It seems correct response.
Thank you.
----- Original Message -----
Hi,
Additionally, I just tried bellow:
From: service@paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0@mailsploit.com Reply-To: service@paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0@mailsploit.com
Thanks
----- Original Message -----
Hi,
Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example:
A01 UID FETCH 24 (ENVELOPE)
- 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1" NIL "user1" "example.com")) (("dev1" NIL "dev1" "example.com")) NIL "<20171206084846.0000478C.0596@example.com>" "<20171208004435.00006B4F.0014@example.com>")) A01 OK Fetch completed (0.000 secs).
The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header? I did test also Reply-To header, then had same response as above.
----- Original Message -----
On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote:
Hi,
I tried to see a mail that have a strange From header in bellow URL:
https://www.mailsploit.com/index
Then, I got BODYSTRUCTURE response contain next:
((NIL NIL "service" "paypal.com"))
Are this problem already founded by anyone? So already fixed? The metasploit generated emails contain a fake Reply-To header. Are you sure that the above isn't the Reply-To header?
The "FETCH 123 ENVELOPE" command will return both (and FETCH ALL includes ENVELOPE). From the IMAP RFC:
The fields of the envelope structure are in the following order: date, subject, from, sender, reply-to, to, cc, bcc, in-reply-to, and message-id.
Can you paste the whole IMAP command response?
Thanks,
Jeff.
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
株式会社クオリティア http://www.qualitia.co.jp/
-- TACHIBANA Masashi QUALITIA CO., LTD. mailto:tachibana@qualitia.co.jp
株式会社クオリティア http://www.qualitia.co.jp/
participants (3)
-
Aki Tuomi
-
Josef 'Jeff' Sipek
-
TACHIBANA Masashi