Breaking MIME concatenation

Andrew Gallagher andrewg at andrewg.com
Tue May 15 16:59:32 CEST 2018


It struck me at lunch that it might be possible for gnupg itself to
scupper the MIME concatenation (direct exfiltration) technique mentioned
in efail, and thereby plug the leaks in multiple vulnerable clients at
once. This would however require it to be naughty with its output.

MIME concatenation works because in many clients the individual MIME
parts of a message are not kept isolated from each other after they are
passed to the rendering engine. Instead, they are concatenated together
into a single document, perhaps with some separator such as an hline.
This is dangerous because an HTML parser will interpret that document as
a single unit, breaking all sorts of same-origin hygiene.

The primary technique for exfiltration is to wrap the target document in
an active HTML tag such as <img href="....">. But HTML requires the
quoted string to be safe, and there is no way for the efail attack to
perform input sanitisation on the target document before the HTML parser
gets its hands on it.

Bear with me, because this is *not* a fully thought-out plan, merely an
idea. ;-)

So gnupg could (under circumstances likely to prevail inside a mail
client) prefix and/or suffix its output with an HTML content-injection
string specially designed to break out of whatever active element the
efail attack might be using. It could be as simple as prefacing the
output document with the perfectly valid HTML tag:

<!-- "></html>" -->

If this were parsed by an HTML display engine in the normal manner, it
would have negligible effect. But enclosed in a tag property, the first
set of quotes+angle would exit the tag safely, and then the </html>
would cause an early end to the document, with luck causing a fatal
validation error, or preventing any content that came after it from
being accessible via the DOM.

I see a couple of problems with this. Firstly, it may not be possible to
tailor a single content-injection tool that would be effective against
all attacks and in all HTML engines, although

And secondly, gnupg will probably not be able to tell on its own whether
it has been called from an MUA context. But setting an environment
variable such as GNUPG_HTML_COUNTERMEASURES=true would certainly be
sufficient, providing both users and MUA developers a convenient big red
switch that can just be enabled.

-- 
Andrew Gallagher
