[Users] [Bug 4159] New: Decryption Oracle based on replying to PGP or S/MIME encrypted emails

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Fri Feb 22 14:25:25 CET 2019


            Bug ID: 4159
           Summary: Decryption Oracle based on replying to PGP or S/MIME
                    encrypted emails
    Classification: Unclassified
           Product: Claws Mail
           Version: 3.14.1
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Plugins/Privacy/PGP
          Assignee: users at lists.claws-mail.org
          Reporter: jens.a.mueller+claws at rub.de

In the scope of academic research in cooperation with Ruhr-Uni Bochum and FH
Münster, Germany we discovered a security issue in Claws: An attacker who is in
possession of PGP encrypted messages can append them to her own text. If the
victim replies, the plaintext is leaked to an attacker's email address.

*Leaking plaintext through replies*

/Attacker model/: Attacker is in possession of PGP encrypted messages, which
she may have obtained as passive man-in-the-middle or by actively hacking into
the victim's mail server or gateway

/Attacker's goal/: Leak the plaintext by wrapping the ciphertext within a
benign-looking email sent to and decrypted+replied to by the victim

/Attack outline:/ If Claws receives a text/plain email as depicted below, it
decrypt the ciphertext part(s), and shows it together with the
attacker-controlled text (which may be prepended and/or appended).

[Attacker's text]
[Unknown ciphertext]
[Some more attacker's text]

A benign-looking attacker's text may lure the victim into replying. Because the
decrypted text is also quoted in the reply, the user unintentionally acts as a
decryption oracle. To obfuscate the existence of the encrypted text, the
attacker may add a lot of newlines or hide it within a long conversation
history. A user replying to such a ‘mixed content’ conversation thereby leaks
the plaintext of encrypted messages wrapped within attacker-controlled text.
This attack works for PGP/INLINE and PGP/MIME captured ciphertexts because
PGP/INLINE can be downgraded to PGP/MIME.

Another option to perform the attack is by using multipart emails with PGP or
S/MIME encrypted parts, as depicted below:

   |--- Attacker's part
   |--- [encrypted part]
   +--- Attacker's part

Again, Claws decrypts the ciphertext part(s), together with the
attacker-controlled text. However, the only the first part is included in the
reply (unless the user marks then whole message text). This attack works for
PGP/MIME and S/MIME captured ciphertext.


Do not decrypt encrypted emails unless there is only one single encrypted

You are receiving this mail because:
You are the assignee for the bug.

More information about the Users mailing list