One of the central points of failure is an email address. We use email addresses used to get access to our bank accounts, social networks and much more. For SMB and Enterprise, email addresses are the most often targeted entry point for advanced persistent threat (APT) attacks. But how good are we are at protecting our email accounts? There's always a compromise between security and usability. There were times when you would need to obtain all the information about smtp/pop/imap servers and enter them in order to configure your email account. Now it is as simple as just typing your email and password. But when you rely on technology that simplifies your life, it is always complex and sophisticated inside and there is always a huge risk of failure in implementation. chance of failure to implement it. In our presentation we will disclose severe vulnerabilities of mail clients as well as software services that could lead an attacker to take over access to sensitive user information - sometimes including usernames and passwords. We'll also demonstrate how improper email client implementation can leak user credentials and what software developers, server administrators and users can do to prevent it. Attendees will see a live data feed with popular email client names and who's leaking what. At the final part of our presentation we'll talk about other attacks and what power attackers can potentially get in the case of vulnerable client implementations.

1. ALL YOUR EMAILS BELONG TO US
March 2017
Ilya Nesterov, Max Goncharov
Exploiting vulnerable email clients via domain name collision

2. Ilya Nesterov
I break things
I build things to break things
Security researcher
Shape Security
Who we are
Max Goncharov
Security researcher
Threat OSINT
Vuln. hunter
Shape Security

3. Email? What is wrong with that?

4. Email? What is wrong with that?
AUTODISCOVER

5. 20102008 2009 20172006
Feature
for Office 2007
Autodiscover announced
as a feature for the
upcoming product release
Autodiscover : History

6. 20102009 2017
Introduced
April 2008
Introduced as version 0.1
with preliminary
description of the service.
Autodiscover : History
20082006

7. 20102009 2017
Thunderbird
config-v1.1.xml
Alternative of Autodiscover for
Thunderbird proposed in 2008
and released in 2009.
Autodiscover : History
2006 2008

8. 2017
Lync Server
2010
Part of mobility program
for easier data exchange.
Introduced HTTP and
HTTPS Autodiscover
process.
Autodiscover : History
2006 2008 20102009

9. Here we are
With Autodiscover
We found severe
vulnerabilities in some
autodiscover client
implementations.
Autodiscover : History
2006 2008 2009 2010 2017

10. Autodiscover : Process
1. Define the candidate pool
2. Try each server from a list

11. Defining the candidate pool
1. Query LDAP or AD servers
2. Derive URL from the email address
3. Query DNS for Autodiscover SRV records
4. Send an unauthenticated GET request
5. Prioritize

12. Derive URL from the email
1. https://+ {domain} + /autodiscover/autodiscover.xml
2. https://autodiscover. + {domain} + /autodiscover/autodiscover.xml
tomknopf77@jarzt.com
jarzt.com
1. https://jarzt.com /autodiscover/autodiscover.xml
2. https://autodiscover.jarzt.com/autodiscover/autodiscover.xml

13. What can be wrong?
tomknopf77@jarzt.com
local@domain
Local: tomknopf77
Domain: jarzt.com

14. Email address complexity
tom@knopf77@jarzt.com
RFC 5321 RFC 5322 RFC 6531 RFC 6532
"()<>[]:,;@"!#$%&'-/=?^_`{}| ~.a"@example.org
"tom@knopf77"@jarzt.com

15. Samsung Mail Client
autodiscover.example.com.au
autodiscover.com.au
tomknopf77@example.com.au
Announced as fixed: January 2017
CVE-2016-9940

16. iOS Mail app
autodiscover. + <domain>
autodiscover.com
tomknopf77@example@com
21
Announced as fixed: March 2017. iOS 10.3
CVE-2017-2414

17. We need more data!
8K+
Mozilla public suffix list
1.5K+
IANA TLD list

18. Let’s build a hacking machine!*
* It’s just a simple HTTP sink
Email clients INTERNET
BUILD AND DEPLOY
- 26 autodiscover domains
- HTTP, HTTPS ports
- Certificates: Let’s Encrypt
- Accept all requests
HTTP servers
Data Store,
Analytics

19. Logs! This is … scary!

20. 13MTotal requests received
26Domains in experiment
7Month period
Sep 2016 - March 2017
9MRequests with Basic
Authentication header
2473Different Autodiscover
client user-agents
212KEmail accounts affected from
65K different domains
RESULTS

21. Users:
- use recommended email clients
- install security updates
MITIGATION
Enterprise:
- follow official deployment guides
- use only supported email clients
- test all third party clients
- check your deployment regularly
Developers:
- follow Autodiscover specification
- derive local and domain parts properly
- remember TLD and public suffix list
- test, test, test
ICANN:
- ban autodiscover domain registration

22. EMAIL IS COMPLICATED
It is even more complicated than you think!
READ THE DOCS!
Even if you read it. Read between the lines
NOBODY IS PERFECT
We all make mistakes. Let’s learn from someone else’s experience
Conclusion

23. www.shapesecurity.comDemo!

24. www.shapesecurity.comThank You