05/12/2008 - UPDATE on the Gmail Flaw
Due to the unexpected media impact of our report on the recently found Gmail flaw, we felt inclined to give a short update on the issue.
As of 3:00 PM (GMT -0400) today, the flaw we reported remains unpatched and exploitable. We have run a new experiment in which we were able to use our attack to send 2,000 messages from one Gmail account.
We would like to clarify to the security community that we contacted Google about the issue more than a week ago and no response was provided, despite our clear intent to cooperate on this matter.
We plan to submit a paper about our work on the trust hierarchy of email providers to SBSEG'2008 over this weekend. Since the paper will necessarily include full details about the flaw, we see no point in withholding the full disclosure of our self-censored report.
We are still waiting to hear from Google and we sincerely hope that this flaw can be fixed before the full details about the problem are released.
Exploiting the Trust Hierarchy among Email Servers
Pablo Ximenes, Andre dos Santos
INSERT - Information Security Research Team
University of Puerto Rico at Mayaguez (UPRM), USA; State University of Ceara (UECE), Brazil
pablo.ximenes@upr.edu, andre@dossantos.org
Introduction
Spam messages have surged to outrageous levels, currently representing 95% of all email communications throughout the Internet. Because of that, it is simply not feasible to apply the full power of spam filtering to every single message received by email servers. This problem is tackled by the use of blacklists of IP addresses of spam offenders and whitelists of known good sources. This way, messages from blacklisted IPs are rejected before even entering the system, and whitelisted addresses are granted carte blanche to bypass most of the filters. Although the burden on spam filtering systems is certainly lowered by this model, the dynamic it brings generates an ad-hoc trust hierarchy among email providers that might be based on nothing more than mere convenience. This represents a growing risk to email users and providers that needs to be addressed.

As part of our ongoing study of the trust hierarchy that exists within the Internet's email system, we came across a serious security flaw that is directly related to the problem we are investigating, and that provides a strong example of our argument: a flaw in Google's free email service, Gmail. This document presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special Internet access privileges, other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers, is able to abuse a single Gmail account in order to be granted nearly unrestricted access to Google's massive whitelisted SMTP relay infrastructure. This vulnerability enables an attacker to bypass blacklist/whitelist based email filters and freely forge all fields in an email message by tricking Google's SMTP servers into behaving like open SMTP relays.

We were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail's limit of 500 messages for bulk messages). Although we limited the number of messages in our example to 4,000+, no countermeasures took place that would have prevented us from sending more messages, or for that matter an unlimited number of messages. Additionally, we were able to use this vulnerability to forward messages that were originally classified as spam directly to a victim's inbox, effectively bypassing filters.

The attack specifically exploits Gmail's email forwarding functionality. This is possible because no restriction or verification is imposed during the setup of this option. We were able to write a program that automatically exploits this flaw in a compromised Gmail account to send bulk and forged messages to an unlimited number of email addresses while preserving all of the message's original fields (legitimate or forged) unaltered, including the sender's identity data (the From: field). Since attack messages are carried by Google's own SMTP servers, the blacklist/whitelist based trust hierarchy that exists between Google's and other third parties' email servers is compromised, effectively converting Gmail's servers into the perfect spam/phishing aid. With this flaw, spammers need only compromise one Gmail account in order to obtain results similar to those of botnet-based spam. To the best of our knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue and we are waiting to hear from them before releasing further details.
Vulnerability
The vulnerability we are presenting is related to the risk of abusing the email forwarding option in Gmail accounts. Gmail's normal approach to messages sent through its SMTP service is to rewrite some of the message body headers to prevent identity fraud. By exploiting the flaw we present, an attacker can easily bypass this restriction. This happens because attack messages are disguised as legitimately destined to a compromised account. This way, Gmail will deliver the message to the attack target without modifying any of the message body headers and, more importantly, it will even preserve forged sender identity information intact.
Since the attack can be performed at the attacker's will and the message can be forwarded by Google's servers any number of times, this vulnerability is a major spam and phishing concern.
Proof of
Concept
To seek proof that the vulnerability we report is indeed exploitable, we designed a set of experiments that finally led us to develop a program capable of sending unlimited bulk and forged messages through Gmail's SMTP server infrastructure.

We were able to use our program to send bulk messages to more than 4,000 email targets in approximately 6 hours over a broadband Internet connection. No measures took place that would have prevented us from continuing to send more messages. The average sending rate was 11 messages per minute. Even though this average seems a bit low, it is important to notice that our demonstration exploited only one Gmail account, which degrades the performance of the attack when compared to botnet-based spam. By exploiting a larger number of accounts the attack could improve its message rate significantly. For instance, by deploying this attack with 100 Gmail accounts simultaneously, the message rate would exceed 1,000 messages per minute. Therefore, it is possible to assemble an attack with results similar to those of botnet-based spam by compromising a relatively small number of Gmail accounts, without the need for thousands of zombie computers. Nevertheless, an attacker could also reach levels similar to those of a small botnet by exploiting only one Gmail account, given enough time.

The third part of our experiment was designed to assess the trust relationship between Gmail and other third-party email providers. To this end, we opened test accounts with two of the other major free email providers: Yahoo and Hotmail. The experiment consisted of sending spam/forged messages from blacklisted IP addresses (our computers) directly to Hotmail's and Yahoo's MX servers, and of sending the same messages using our PoC program (i.e. through Gmail's servers). We were able to confirm that messages sent through Gmail's infrastructure indeed received special treatment by Hotmail and Yahoo. Some messages would not even reach the spam box when sent directly, while when relayed through Google's servers by using our program the same messages were promptly delivered directly to the victim's inbox.
Impact
By having Gmail's servers relay messages on behalf of an attacker, this flaw compromises the very trust hierarchy that exists among email providers. This way, all email providers that grant Google's SMTP servers any special level of trust (e.g. whitelist status) are vulnerable.
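As an added example (not part of the report or of any provider's code), the following Python shows the receiving-side weakness the Vulnerability and Impact sections describe, and the check a receiving provider can apply instead: rather than accepting a message because its last hop is a whitelisted relay, skip the whitelisted relay hops in the Received: chain and judge the first hop that the trusted relay itself recorded. All IP addresses, hostnames and header values are constructed from documentation ranges, and the example assumes the forwarding relay preserves the Received: header it added when it accepted the message.

```python
"""Added example: receiving-side check that does not judge a message by its
last hop alone. All IPs, hostnames and headers are constructed."""
import email
import re

# Constructed policy lists: a trusted provider relay and a known spam source.
WHITELIST = {"203.0.113.10"}
BLACKLIST = {"198.51.100.77"}

# Constructed message, newest Received: first: injected from a blacklisted host
# into a provider mailbox, then forwarded unchanged (forged From: included)
# by the provider's whitelisted relay to our MX.
RAW_MESSAGE = """\
Received: from relay.bigmail.example (relay.bigmail.example [203.0.113.10])
\tby mx.victim.example with ESMTP id abc123
Received: from mail.attacker.example (unknown [198.51.100.77])
\tby mx.bigmail.example with ESMTP id def456
From: "Accounts" <billing@bank.example>
To: victim@victim.example
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Source IP of each Received: header, newest (our own MX) first."""
    msg = email.message_from_string(raw)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips

def last_hop_verdict(ips):
    """The convenience model the report describes: trust the last hop only."""
    if ips and ips[0] in WHITELIST:
        return "accept"       # relay is whitelisted: filters bypassed
    if ips and ips[0] in BLACKLIST:
        return "reject"
    return "scan"             # unknown source: run the full filter

def chain_verdict(ips):
    """Skip whitelisted relay hops and judge the first hop they recorded.
    Stop there: anything further down the chain may be sender-supplied."""
    for ip in ips:
        if ip in WHITELIST:
            continue
        return "reject" if ip in BLACKLIST else "scan"
    return "accept"           # every recorded hop was a trusted relay
```

For the constructed message, last_hop_verdict returns "accept" (the relay is whitelisted) while chain_verdict returns "reject", because the hop the relay recorded is the blacklisted source; the walk stops at that first untrusted hop since deeper Received: lines may have been inserted by the sender.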