E-mail address spoofing with RLO

May 24, 2011

Introduction

When we reply to an e-mail, the address we see in the To-field serves a purpose beyond getting our answer back to the original sender. We attach a meaning to these addresses. If we see john.smith@example.com, we expect that we're really sending a mail to someone at the Example company.
We may have learned not to trust the "From" address: that's about as unreliable as the return address on the back of an envelope. But we should be careful with what we think we see in the To-field too.

Problem

The problem comes from the Unicode "right-to-left override" (RLO, U+202E) character. It's an invisible character that forces the text after it to be treated as right-to-left. For example, abc[RLO]def is displayed as abcfed. It's well known that this kind of character has security implications; it has led to other problems before, and this is a new one in that category:
It can be abused to display an e-mail address backwards, so that it appears to be on a different domain than it actually is.

Details

An RLO is usually not accepted in an address, but it is accepted in the display name. The display name and the address are often shown together, allowing the RLO in the display name to affect how the address is shown. For example, "Firstname Lastname [RLO] <moc.mitciv@attacker.com>" is displayed as "Firstname Lastname <moc.rekcatta@victim.com> ".

This cannot be used to spoof arbitrary addresses, because the attacker's reversed real domain is still in it. But it can be used to spoof any domain. And a well-chosen domain name, reversed, can look like a convincing foreign real name in the first part of the address.
This problem is worse than spoofing of the From-address, because an attacker can carry on a whole conversation without the victim getting any indication that the sender is not from the domain he pretends to be.

Affected software

This affects most e-mail clients. These are the ones I tested, and whose vendors were made aware of this in 2009.

  • Gmail: fixed in June 2011 as part of new anti-phishing measures (previously listed here as still vulnerable)
  • Hotmail: Fixed in February 2010
  • Outlook 2007 (and later?): no fix announced, presumably still vulnerable
  • Outlook Web Access: no fix announced, presumably still vulnerable
  • Evolution: still vulnerable (Bug 601172)
  • KMail: Fixed since December 2009, KDE 4.2.x (never released), 4.3.5 and 4.4.0
  • And more...

Update: Exploit

By popular demand, here's some help to reproduce this.
If you like editing raw mail messages, here's an example From-header with an encoded RLO in it:

From: =?UTF-8?B?TW9jIExpYW1nIOKAriA=?= <moc.elpmaxe@gmail.com>

And here is the RLO character itself, as abc[RLO]def. You should be able to copy-paste that into the settings of your e-mail client (at the end of your real name). Selecting this text may behave oddly; that's normal and correct behaviour:

abc‮def
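As an added example (not from the original post), here is a Python check a mail client or gateway could run over a header value such as the From-header above: it decodes the RFC 2047 encoded-word, looks for bidi control characters in the display name, approximates what a client that draws name and address in one run would show, and produces a display name with the controls stripped. The reversal is a simplification of the Unicode bidi algorithm, sufficient for the all-Latin example on this page.

```python
import re
from email.header import decode_header, make_header

# Bidi control characters; any of them in a display name can alter how adjacent text is drawn.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
# Brackets that the bidi algorithm mirrors inside a right-to-left run.
MIRRORED = {"<": ">", ">": "<", "(": ")", ")": "(", "[": "]", "]": "["}
NAME_ADDR_RE = re.compile(r"^\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")


def split_header_value(value):
    """Decode RFC 2047 encoded-words in a From/To/Reply-To value and return
    (display name, addr-spec); ('', value) when there is no angle-addr."""
    decoded = str(make_header(decode_header(value)))
    m = NAME_ADDR_RE.match(decoded)
    return (m.group("name"), m.group("addr")) if m else ("", decoded.strip())


def find_bidi_controls(text):
    """Return (index, name) for every bidi control character in text."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(text) if c in BIDI_CONTROLS]


def naive_rendering(name, addr):
    """Approximate what a client that draws name and address as one run shows:
    text after the first RLO is reversed and brackets are mirrored. This is a
    simplification of the Unicode bidi algorithm, enough for all-Latin input."""
    combined = f"{name} <{addr}>"
    idx = combined.find("\u202e")
    if idx < 0:
        return combined
    return combined[:idx] + "".join(MIRRORED.get(c, c) for c in reversed(combined[idx + 1:]))


def strip_bidi_controls(name):
    """Mitigation: drop bidi controls from a display name before rendering it."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def check_header_value(value):
    """Decode one header value and report whether its display name can alter
    how the address next to it is shown."""
    name, addr = split_header_value(value)
    return {"display_name": name, "address": addr, "bidi_controls": find_bidi_controls(name),
            "as_displayed": naive_rendering(name, addr), "safe_name": strip_bidi_controls(name)}
```

Run `check_header_value` on the header value from the example above (without the `From:` prefix) and `as_displayed` comes out as "Moc Liamg <moc.liamg@example.com>" while `address` remains the real gmail.com address.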


2 comments

Gina wrote on 2011-06-11 12:12

Could the RLO spoof be used in other ways - for instance to obfuscate the true name of a file attached to an email? The implications of this may be greater than just spoofing an email address.

I want to test this out - what email service should I use to practice this RLO action and do I need programming skills to do it?

Thanks

Wouter wrote on 2011-06-17 00:56

Using it to obfuscate a file name is exactly what the vulnerability I linked under the word “problem” is about. Abusing RLO for such things isn’t really new.

The new thing about this variant is that the RLO is not in the thing that’s spoofed (e.g. having an RLO in an email address is not allowed), but in something that is shown next to it.

You don’t need any special email service or anything to test it, it should work in most email clients or online services. The only skills you need are reading what I wrote and copy-pasting the character :)

[…] The headline is of course de facto wrong: the characters that may appear in an e-mail address are precisely specified, and the current standard RFC 5322 does not provide for an RLO control character in it. But there is also the “display name”, which generally contains the recipient's real name. And an RLO character can indeed occur in there. […]