lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 30 Jan 2016 12:13:46 +0100
From: t.schughart@...sec-networks.com
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Cc: s.mauer@...sec-networks.com
Subject: [FD] VMWare Zimbra Mailer | DKIM longterm Mail Replay vulnerability

Hi@all,

VMWare Zimbra Mailer Release 8.6.0.GA, latest patch and prior versions 
with DKIM implementation are vulnerable to longterm Mail Replay attacks.

If the expiration header is not set, the signature never expires. This 
means, that the e-mail, perhaps catched while performing a man in the 
middle attack, can be replayed years after catching it.

This can be combined with the spoofed reply-to header field, because the 
header field is not hashed by Zimbras DKIM implementation.

Supporter of vulnerability analysis: Steffen Mauer @this point I want to 
thank Steffen for his good work =)

Background:
To configure DKIM with VMware Zimbra the official documentation advises 
the administrator to use  the zimbra management tools. With the 
management tools there is no possibility to add custom Header’s for 
hashing it with DKIM or for setting the expiration DKIM Header. 
(https://wiki.zimbra.com/wiki/Configuring_for_DKIM_Signing)

________________________________________
PoC Headerpart:
The DKIM Implementation implements the following DKIM Header:
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=0mail.org; 
s=76820800-C732-11E5-858E-A0DD11F66BE4; t=1454147943; 
bh=c/tw0mGbL980zPjwnIKgPM7ubA7wLOVGbMr3y9WADOY=; 
h=From:Content-Type:Content-Transfer-Encoding:Subject:Message-Id: 
Date:To:Mime-Version; 
b=c8dL4dRpnjMeV2OxFbz+1Z2n49PDlUx+XsiodKvmAOh1znOxRW3NDKYk7Bwmlw453 
04uFAwLsBl7M1u7mxr/wdp4fZTEQtfJhhUonNJMKDBOxTdiQPOLhcVKC2tEaSLyKpq 
Rvtp9ECFFqHstyRHk57UOzMi8PMRusl8lP5B43kY=
________________________________________
Report Timeline:

There has been no response from VMware for 14 Days.


Best regards / Mit freundlichen Grüßen

Tim Schughart
IT Security engineer

ProSec Networks
Website: https://www.prosec-networks.com
E-Mail: info@...sec.networks.com
Phone: +49(0) 2621 9469 252

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists