Yandex.Mail security issues (as well as Yandex.PDD and Connect)
Hello, GT! I read the MikhailNsk post, and it took my mind back to 2016, when I accidentally stumbled upon a sender-address spoofing problem in Yandex.Mail. The threat is that the letters are completely valid in terms of DMARC and SPF. This affects not only Mail users but also organizations that use Yandex.PDD and Yandex.Connect as the mailer for their own domain (for example, the well-known and heavily advertised GeekBrains "mail"), and that is already much more serious. The vulnerability still works at the time of writing: the letter passes all the checks and is delivered anywhere (including Gmail). The implementation and Yandex's reaction are under the cut.
Attention! The vulnerability reproduction steps below are provided for educational purposes only!
Vulnerability Implementation
The essence is very simple: Yandex lets you log in under one address and send mail from any other address whose DMARC and SPF records point to Yandex, and the letter is signed with a valid yandex.ru DKIM signature.
For reproduction, we need a mailbox on Yandex and a third-party mail client (my choice fell on the open and functional Thunderbird).
We attach our Yandex mailbox to the client, open the compose window,
change the sender address to the one we need (in our case, i@yandex.ru),
and send the message somewhere.
At Google Mail (as anywhere else), the message arrived normally. Google shows a card saying that everything is in order:
Letter source
Delivered-To: @gmail.com
Received: by 10.31.164.6 with SMTP id n6csp2248696vke;
    Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
X-Received: by 10.46.33.9 with SMTP id h9mr3821349ljh.52.1502381833140;
    Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1502381833; cv=none;
    d=google.com; s=arc-20160816;
    b=CM0dF4giYDl9jToC/17FjHIeiQNsfFaDUxcYErv/RAHKrX+8PIdx0QabF/kUMVelug
    ESNfNVYYv09sIrZsYSgqnmKlVdPbQYkmr0mSE+oZ2cjIhebKQcfQjKARk+6LLFOrtNSb
    M1O014IAXh+y+ykx2EEyhyWir1y+SWItjS2ukNN19t9GwY91hjFtd+0T2OQDvC44qjpW
    ztHKTCTNne0+NhMRYg2iSL0uQZkkpeUNNKgkRavCJRKgnjtMOuLqtx0uNLfZex34XcBl
    vtZTfThoUeuzBPmHVVnnE+W8lcLoqTG2/jr4C4E4VNDHrjUCsDecNNfGYf5/BajX45n0
    BdsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
    h=content-language:content-transfer-encoding:mime-version:user-agent
    :date:message-id:subject:from:to:dkim-signature:dkim-signature
    :arc-authentication-results;
    bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
    b=Edjq07PU+c0nie1ia60SrVoI219rb8q/OnUJMtf0tJrFPktG29Pqs4fx7E3DsNvH6l
    PPdsJVsvHDl3nIWqVSASAXaTPELSAXYETQ/zuluD+wrR2n7MXNt8QQ8cUqt7Zae8Wkq2
    Yr3cW+9Ty3VZEi2TzqRzOU3UNNhds+UHa8o6/LK3N7NN91INYevsNnrfMBSUvqm6HmMi
    AJ7dHkkwqqKX7XNkIvKNVjyq8FhnVfMiow8N/PCsVqtTly+q825p5kOl3hxqbLMsi3ix
    AL3MGC84U/m8+dvivNege5yDby/Dfp6uY6jHJL/hOVmmUwT1/y2F+5SD/ifuS4EX2gI7
    geLg==
ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    spf=pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) smtp.mailfrom=42@yandex.ru;
    dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Return-Path: <42@yandex.ru>
Received: from forward101o.mail.yandex.net (forward101o.mail.yandex.net. [37.140.190.181])
    by mx.google.com with ESMTPS id 128si582786lfz.671.2017.08.10.09.17.12
    for <@gmail.com>
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) client-ip=37.140.190.181;
Authentication-Results: mx.google.com;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    spf=pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) smtp.mailfrom=42@yandex.ru;
    dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Received: from mxback1o.mail.yandex.net (mxback1o.mail.yandex.net [IPv6:2a02:6b8:0:1a2d::1b])
    by forward101o.mail.yandex.net (Yandex) with ESMTP id 919D813416EA
    for <@gmail.com>; Thu, 10 Aug 2017 19:17:12 +0300 (MSK)
Received: from smtp1o.mail.yandex.net (smtp1o.mail.yandex.net [2a02:6b8:0:1a2d::25])
    by mxback1o.mail.yandex.net (nwsmtp/Yandex) with ESMTP id 3IjaA941Wl-HCe4hwWw;
    Thu, 10 Aug 2017 19:17:12 +0300
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1502381832;
    bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
    h=To:From:Subject:Message-ID:Date;
    b=T2n/cJmZ2jEcX5rX5exetDc2VfT1lhVgPkMXfbIFAmw8PE6iLFkdddO7f67IRKfrb
    KNV7U5whs9PUhGRd0S2x5OULF8VC3QXMSEvXJiM5gSxZdbNNNq2GRDpTkxbJiDASDT
    A2DYgoRtpFzN64wX4EnSEmya/D24mP43VOi2TlAc=
Received: by smtp1o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id i5ALruo2pE-HC4WKA0l;
    Thu, 10 Aug 2017 19:17:12 +0300
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (Client certificate not present)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1502381832;
    bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
    h=To:From:Subject:Message-ID:Date;
    b=T2n/cJmZ2jEcX5rX5exetDc2VfT1lhVgPkMXfbIFAmw8PE6iLFkdddO7f67IRKfrb
    KNV7U5whs9PUhGRd0S2x5OULF8VC3QXMSEvXJiM5gSxZdbNNNq2GRDpTkxbJiDASDT
    A2DYgoRtpFzN64wX4EnSEmya/D24mP43VOi2TlAc=
Authentication-Results: smtp1o.mail.yandex.net; dkim=pass header.i=@yandex.ru
To: @gmail.com
From: Habratest
Subject: Test fot Habr
Message-ID: <48942373-b6c4-d019-a15f-6aeaeeda39df@yandex.ru>
Date: Thu, 10 Aug 2017 21:17:10 +0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
    Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

Hbrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabra
The recipient address has been replaced by @gmail.com; the real address is 42@yandex.ru.
Moral and Yandex's response
This vulnerability creates enormous opportunities for social engineering. For example, one could use GeekBrains addresses, since GeekBrains uses Yandex.PDD (or Connect) for its mail.
The DKIM checks pass, but the signing domain is Yandex's (even when you use a different mail domain).
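As an added illustration of the reproduction steps above and of this DKIM point (this is not code from the original post, nor Yandex's or Google's), the Python script below works through why such a letter passes DMARC and what a receiver can still notice. It runs on a constructed message modelled on the headers in the post: the envelope sender (Return-Path / smtp.mailfrom) is 42@yandex.ru, the DKIM d= is yandex.ru, the From: address is i@yandex.ru, and the recipient victim@example.com, the Received id and the signature bytes are made up. The org_domain helper is a deliberate simplification of DMARC's Public Suffix List lookup.

```python
"""Why the spoofed letter passes DMARC, and what a receiver can still notice.

DMARC only checks that the RFC5322.From domain is *aligned* with the domain
that passed SPF (RFC5321.MailFrom) or DKIM (the d= tag). It never asks
whether the account that authenticated to the submission server is the
account shown in From:. When a provider signs with its own domain for every
user and sets MAIL FROM to the logged-in mailbox, alignment holds no matter
which address of that domain was typed into the From field.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample modelled on the headers in the post: the submission was
# authenticated as 42@yandex.ru (Return-Path / smtp.mailfrom) while From:
# shows i@yandex.ru. Recipient, Received id and signature values are made up.
RAW_MESSAGE = """\
Return-Path: <42@yandex.ru>
Authentication-Results: mx.google.com;
 dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
 spf=pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) smtp.mailfrom=42@yandex.ru;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Received: by smtp1o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id CONSTRUCTED;
 Thu, 10 Aug 2017 19:17:12 +0300
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail;
 h=To:From:Subject:Message-ID:Date; bh=CONSTRUCTED=; b=CONSTRUCTED=
To: victim@example.com
From: Habratest <i@yandex.ru>
Subject: Test for Habr
Message-ID: <constructed@yandex.ru>

Hello from a spoofed yandex.ru sender.
"""


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results header into {method: {result, props}}."""
    value = re.sub(r"\s+", " ", value)
    results = {}
    for clause in value.split(";")[1:]:                    # [0] is the authserv-id
        clause = re.sub(r"\([^)]*\)", "", clause).strip()  # drop (comments)
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            props[key] = val
        results[method] = props
    return results


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Simplification: real DMARC
    uses the Public Suffix List; the last two labels suffice for these domains."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def _domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def dmarc_alignment(raw: str) -> dict:
    """Recompute DMARC identifier alignment from the message's own headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain_of(parseaddr(str(msg["From"]))[1])
    sig = dict(kv.split("=", 1)
               for kv in re.sub(r"\s+", "", str(msg["DKIM-Signature"])).split(";")
               if kv)
    auth = parse_auth_results(str(msg["Authentication-Results"]))
    dkim_domain = sig.get("d", "").lower()
    spf_domain = _domain_of(auth.get("spf", {}).get("smtp.mailfrom", ""))
    dkim_aligned = (auth.get("dkim", {}).get("result") == "pass"
                    and org_domain(dkim_domain) == org_domain(from_domain))
    spf_aligned = (auth.get("spf", {}).get("result") == "pass"
                   and org_domain(spf_domain) == org_domain(from_domain))
    return {"from_domain": from_domain, "dkim_domain": dkim_domain,
            "spf_domain": spf_domain, "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned, "dmarc_pass": dkim_aligned or spf_aligned}


def submitter_check(raw: str) -> dict:
    """Heuristic a receiver (or the provider's own outbound filter) can apply:
    the mailbox that actually authenticated (Return-Path) should match the
    address displayed in From: when both belong to the same provider."""
    msg = email.message_from_string(raw, policy=policy.default)
    displayed = parseaddr(str(msg["From"]))[1].lower()
    authenticated = parseaddr(str(msg["Return-Path"]))[1].lower()
    # ESMTPSA (RFC 3848) records that this hop was an authenticated submission.
    authenticated_submission = any("ESMTPSA" in str(h) for h in msg.get_all("Received", []))
    same_org = org_domain(_domain_of(displayed)) == org_domain(_domain_of(authenticated))
    return {"displayed": displayed, "authenticated": authenticated,
            "authenticated_submission": authenticated_submission,
            "flag": same_org and displayed != authenticated}


if __name__ == "__main__":
    print(dmarc_alignment(RAW_MESSAGE))
    print(submitter_check(RAW_MESSAGE))
```

The submitter_check result is a heuristic, not a verdict: legitimate aliases and mailing lists also produce a Return-Path that differs from From:, so on the receiving side it belongs in a scoring or review pipeline rather than a hard reject rule. The stronger place for the comparison is the submission server itself, which already knows the authenticated account and can check the From: address against it before the message is DKIM-signed.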
Naturally, I immediately wrote to Yandex Bughunter about it last summer and received the answer:
The vulnerability report was submitted on June 27, 2016. That is, for a year Yandex could not fix a (in my opinion) serious enough vulnerability that could affect the security of Yandex partners who use its mailer.
UPD: There is also a way to mask the sender address. To do this, it is enough to buy a more or less similar domain, attach Yandex.PDD to it and send letters from it. The address is substituted in the same way, all checks pass, and the DKIM signature and sender address will be from the new domain.
By the way, mail.ru and Gmail are not affected. GeekBrains, I'm sorry, but among those who use Yandex services I only know you, because your avatar has been burned into my memory.