Yandex.Mail security issues (as well as Yandex.PDD and Connect)

    Hello, GT! I read the MikhailNsk post, and my memory took me back to 2016, when I accidentally stumbled upon a sender-address spoofing problem in Yandex.Mail. The threat is that the messages are completely valid from the point of view of DMARC and SPF. This affects not only Yandex.Mail users but also organizations that use Yandex.PDD (Mail for Domain) and Yandex.Connect as the mail service for their own domain (for example, the mail of the well-known and ubiquitously advertised GeekBrains), and that is already much more serious. The vulnerability still works at the time of writing: the message passes all the checks and is delivered anywhere (Gmail included). The reproduction and Yandex's reaction are under the cut.

    Attention! The steps for reproducing the vulnerability below are provided for educational purposes only!

    Reproducing the vulnerability


    The essence is very simple: Yandex lets you log in under one address and send mail from any other address whose DMARC and SPF records point to Yandex, and the message is signed with a valid yandex.ru DKIM signature.

    To reproduce this, we need a Yandex mailbox and a third-party mail client (my choice fell on the open-source and functional Thunderbird).

    We attach our Yandex mailbox to the latter and open the compose window,



    change the sender address to the one we need (in our case, i@yandex.ru),



    and send the message somewhere.



    In Gmail (as in any other mail service) the message arrived normally. Google's details card shows that everything checks out:



    Letter source
    Delivered-To: @gmail.com
    Received: by 10.31.164.6 with SMTP id n6csp2248696vke;
    Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
    X-Received: by 10.46.33.9 with SMTP id h9mr3821349ljh.52.1502381833140;
    Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
    ARC-Seal: i=1; a=rsa-sha256; t=1502381833; cv=none;
    d=google.com; s=arc-20160816;
    b=CM0dF4giYDl9jToC/17FjHIeiQNsfFaDUxcYErv/RAHKrX+8PIdx0QabF/kUMVelug
    ESNfNVYYv09sIrZsYSgqnmKlVdPbQYkmr0mSE+oZ2cjIhebKQcfQjKARk+6LLFOrtNSb
    M1O014IAXh+y+ykx2EEyhyWir1y+SWItjS2ukNN19t9GwY91hjFtd+0T2OQDvC44qjpW
    ztHKTCTNne0+NhMRYg2iSL0uQZkkpeUNNKgkRavCJRKgnjtMOuLqtx0uNLfZex34XcBl
    vtZTfThoUeuzBPmHVVnnE+W8lcLoqTG2/jr4C4E4VNDHrjUCsDecNNfGYf5/BajX45n0
    BdsQ==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
    h=content-language:content-transfer-encoding:mime-version:user-agent
    :date:message-id:subject:from:to:dkim-signature:dkim-signature
    :arc-authentication-results;
    bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
    b=Edjq07PU+c0nie1ia60SrVoI219rb8q/OnUJMtf0tJrFPktG29Pqs4fx7E3DsNvH6l
    PPdsJVsvHDl3nIWqVSASAXaTPELSAXYETQ/zuluD+wrR2n7MXNt8QQ8cUqt7Zae8Wkq2
    Yr3cW+9Ty3VZEi2TzqRzOU3UNNhds+UHa8o6/LK3N7NN91INYevsNnrfMBSUvqm6HmMi
    AJ7dHkkwqqKX7XNkIvKNVjyq8FhnVfMiow8N/PCsVqtTly+q825p5kOl3hxqbLMsi3ix
    AL3MGC84U/m8+dvivNege5yDby/Dfp6uY6jHJL/hOVmmUwT1/y2F+5SD/ifuS4EX2gI7
    geLg==
    ARC-Authentication-Results: i=1; mx.google.com;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    spf=pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) smtp.mailfrom=42@yandex.ru;
    dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
    Return-Path: <42@yandex.ru>
    Received: from forward101o.mail.yandex.net (forward101o.mail.yandex.net. [37.140.190.181])
    by mx.google.com with ESMTPS id 128si582786lfz.671.2017.08.10.09.17.12
    for <@gmail.com>
    (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
    Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
    Received-SPF: pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) client-ip=37.140.190.181;
    Authentication-Results: mx.google.com;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
    spf=pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) smtp.mailfrom=42@yandex.ru;
    dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
    Received: from mxback1o.mail.yandex.net (mxback1o.mail.yandex.net [IPv6:2a02:6b8:0:1a2d::1b])
    by forward101o.mail.yandex.net (Yandex) with ESMTP id 919D813416EA
    for <@gmail.com>; Thu, 10 Aug 2017 19:17:12 +0300 (MSK)
    Received: from smtp1o.mail.yandex.net (smtp1o.mail.yandex.net [2a02:6b8:0:1a2d::25])
    by mxback1o.mail.yandex.net (nwsmtp/Yandex) with ESMTP id 3IjaA941Wl-HCe4hwWw;
    Thu, 10 Aug 2017 19:17:12 +0300
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1502381832;
    bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
    h=To:From:Subject:Message-ID:Date;
    b=T2n/cJmZ2jEcX5rX5exetDc2VfT1lhVgPkMXfbIFAmw8PE6iLFkdddO7f67IRKfrb
    KNV7U5whs9PUhGRd0S2x5OULF8VC3QXMSEvXJiM5gSxZdbNNNq2GRDpTkxbJiDASDT
    A2DYgoRtpFzN64wX4EnSEmya/D24mP43VOi2TlAc=
    Received: by smtp1o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id i5ALruo2pE-HC4WKA0l;
    Thu, 10 Aug 2017 19:17:12 +0300
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (Client certificate not present)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1502381832;
    bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
    h=To:From:Subject:Message-ID:Date;
    b=T2n/cJmZ2jEcX5rX5exetDc2VfT1lhVgPkMXfbIFAmw8PE6iLFkdddO7f67IRKfrb
    KNV7U5whs9PUhGRd0S2x5OULF8VC3QXMSEvXJiM5gSxZdbNNNq2GRDpTkxbJiDASDT
    A2DYgoRtpFzN64wX4EnSEmya/D24mP43VOi2TlAc=
    Authentication-Results: smtp1o.mail.yandex.net; dkim=pass header.i=@yandex.ru
    To: @gmail.com
    From: Habratest
    Subject: Test fot Habr
    Message-ID: <48942373-b6c4-d019-a15f-6aeaeeda39df@yandex.ru>
    Date: Thu, 10 Aug 2017 21:17:10 +0500
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
    Thunderbird/52.2.1
    MIME-Version: 1.0
    Content-Type: text/plain; charset=utf-8; format=flowed
    Content-Transfer-Encoding: 7bit
    Content-Language: en-US

    Hbrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabra

    The recipient address has been replaced with @gmail.com; the real (authenticated) sender address is 42@yandex.ru.

    The moral, and Yandex's response


    This vulnerability opens enormous opportunities for social engineering: for example, one can use the addresses of GeekBrains, which uses PDD (or Connect) for its mail.
    The DKIM checks pass, but the signing domain is Yandex's (even when a different mail domain is used).
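    The check that Yandex's submission server was evidently not making, as an added example (not Yandex's code and not from the original post): the authenticated login is bound to the From addresses it owns, so a message whose From header names a mailbox outside that set is rejected before it can be DKIM-signed; a second function surfaces the recipient-side signal visible in the letter source above, a Return-Path that names a different mailbox than the header From, which DMARC does not catch because it aligns domains only. The allowed-address directory, the domain pdd-example.test and the message bytes are constructed placeholders.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed directory for this example: authenticated login -> From addresses
# it may use. Placeholder values; Yandex's real account data is not on the page.
ALLOWED_FROM = {
    "42@yandex.ru": {"42@yandex.ru", "42@ya.ru"},
    "staff@pdd-example.test": {"staff@pdd-example.test"},
}

# Constructed message mirroring the post: login 42@yandex.ru, From set to i@yandex.ru.
SPOOFED = (b"Return-Path: <42@yandex.ru>\r\nFrom: Habratest <i@yandex.ru>\r\n"
           b"To: someone@gmail.com\r\nSubject: Test\r\n\r\nbody\r\n")

def header_from_addresses(raw):
    """Return the lower-cased addr-specs found in the message's From header(s)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    addrs = set()
    for hdr in msg.get_all("From", []):
        addrs.update(a.addr_spec.lower() for a in hdr.addresses if "@" in a.addr_spec)
    return addrs

def check_submission(auth_login, raw):
    """Submission-time check the MSA should make: every address in From must be
    one the authenticated login owns. Returns (accepted, reason)."""
    allowed = ALLOWED_FROM.get(auth_login.lower())
    if allowed is None:
        return False, "unknown authenticated identity"
    froms = header_from_addresses(raw)
    if not froms:
        return False, "missing or unparseable From header"
    foreign = sorted(froms - allowed)
    if foreign:
        return False, "From address not owned by %s: %s" % (auth_login, ", ".join(foreign))
    return True, "ok"

def envelope_header_mismatch(raw):
    """Recipient-side signal: the Return-Path (envelope sender, what SPF checked)
    names a different mailbox than the header From. DMARC compares domains only,
    so this passes it; returns (return_path, from_addresses) or None."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    rp = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    froms = header_from_addresses(raw)
    if not rp or not froms or rp in froms:
        return None
    return rp, sorted(froms)
```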

    Naturally, I immediately reported this to Yandex's bug bounty (bughunter) last summer and received the following reply:



    The vulnerability report was submitted on June 27, 2016. That is, for a whole year Yandex could not fix a fairly serious (in my opinion) vulnerability that affects the security of Yandex partners who use its mail service.

    UPD: There is also a way to mask the sender address. It is enough to buy a more or less similar-looking domain, attach PDD to it and send mail from it. The address is substituted in the same way, all checks pass, and the DKIM signature and sender address will belong to the new domain.

    By the way, mail.ru and Gmail are not affected. GeekBrains, I'm sorry, but you are the only one I know among those using Yandex services, because your avatar gave you away.
