
Security issues in Yandex.Mail (and also PDD and Connect) / SurprizingFacts

Hi, GT! I read MikhailNsk's post, and it took me back to 2016, when I accidentally stumbled upon a sender-address spoofing problem in Yandex.Mail. The threat is that the spoofed letters are completely valid in terms of DMARC and SPF. Not only Mail users are affected, but also organizations that use Yandex.PDD and Yandex.Connect (for example, the well-known and everywhere-advertised "Mayl" GeekBrains), and that is much more serious. At the moment the vulnerability still works: the letter passes all the checks and is delivered anywhere (including GMAIL). The reproduction and Yandex's reaction are under the cut.
Attention!

The implementation of the vulnerability

The essence is very simple: Yandex lets you authenticate with one address and send from any other address whose domain has Yandex's DMARC and SPF records spelled out, and the letter is signed with a valid yandex.ru DKIM signature.

To reproduce it, we need a mailbox on Yandex and a third-party mail client (my choice fell on the open-source and feature-rich Thunderbird).
We add the Yandex mailbox to the client and open the compose window,

change the sender's address to the one we need (in our case, i@yandex.ru),

and send the letter somewhere.

The message arrived in Google Mail (as it would in any other service) without problems. Google's details card shows that everything is in order.

The source of the letter

Delivered-To: @gmail.com
Received: by 10.31.164.6 with SMTP id n6csp2248696vke;
 Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
X-Received: by 10.46.33.9 with SMTP id h9mr3821349ljh.52.1502381833140;
 Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1502381833; cv=none;
 d=google.com; s=arc-20160816;
 b=CM0dF4giYDl9jToC/17FjHIeiQNsfFaDUxcYErv/RAHKrX+8PIdx0QabF/kUMVelug
 ESNfNVYYv09sIrZsYSgqnmKlVdPbQYkmr0mSE+oZ2cjIhebKQcfQjKARk+6LLFOrtNSb
 M1O014IAXh+y+ykx2EEyhyWir1y+SWItjS2ukNN19t9GwY91hjFtd+0T2OQDvC44qjpW
 ZtHKTCTNne0+NhMRYg2iSL0uQZkkpeUNNKgkRavCJRKgnjtMOuLqtx0uNLfZex34XcBl
 VtZTfThoUeuzBPmHVVnnE+W8lcLoqTG2/jr4C4E4VNDHrjUCsDecNNfGYf5/BajX45n0
 BdsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
 h=content-language:content-transfer-encoding:mime-version:user-agent
 :date:message-id:subject:from:to:dkim-signature:dkim-signature
 :arc-authentication-results;
 bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
 b=Edjq07PU+c0nie1ia60SrVoI219rb8q/OnUJMtf0tJrFPktG29Pqs4fx7E3DsNvH6l
 PPdsJVsvHDl3nIWqVSASAXaTPELSAXYETQ/zuluD+wrR2n7MXNt8QQ8cUqt7Zae8Wkq2
 Yr3cW+9Ty3VZEi2TzqRzOU3UNNhds+UHa8o6/LK3N7NN91INYevsNnrfMBSUvqm6HmMi
 AJ7dHkkwqqKX7XNkIvKNVjyq8FhnVfMiow8N/PCsVqtTly+q825p5kOl3hxqbLMsi3ix
 AL3MGC84U/m8+dvivNege5yDby/Dfp6uY6jHJL/hOVmmUwT1/y2F+5SD/ifuS4EX2gI7
 GeLg==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
 dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
 spf=pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) smtp.mailfrom=42@yandex.ru;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Return-Path: <42@yandex.ru>
Received: from forward101o.mail.yandex.net (forward101o.mail.yandex.net. [37.140.190.181])
 by mx.google.com with ESMTPS id 128si582786lfz.671.2017.08.10.09.17.12
 for <@gmail.com>
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 10 Aug 2017 09:17:13 -0700 (PDT)
Received-SPF: pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) client-ip=37.140.190.181;
Authentication-Results: mx.google.com;
 dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
 dkim=pass header.i=@yandex.ru header.s=mail header.b=T2n/cJmZ;
 spf=pass (google.com: domain of 42@yandex.ru designates 37.140.190.181 as permitted sender) smtp.mailfrom=42@yandex.ru;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Received: from mxback1o.mail.yandex.net (mxback1o.mail.yandex.net [IPv6:2a02:6b8:0:1a2d::1b])
 by forward101o.mail.yandex.net (Yandex) with ESMTP id 919D813416EA
 for <@gmail.com>; Thu, 10 Aug 2017 19:17:12 +0300 (MSK)
Received: from smtp1o.mail.yandex.net (smtp1o.mail.yandex.net [2a02:6b8:0:1a2d::25])
 by mxback1o.mail.yandex.net (nwsmtp/Yandex) with ESMTP id 3IjaA941Wl-HCe4hwWw;
 Thu, 10 Aug 2017 19:17:12 +0300
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1502381832;
 bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
 h=To:From:Subject:Message-ID:Date;
 b=T2n/cJmZ2jEcX5rX5exetDc2VfT1lhVgPkMXfbIFAmw8PE6iLFkdddO7f67IRKfrb
 KNV7U5whs9PUhGRd0S2x5OULF8VC3QXMSEvXJiM5gSxZdbNNNq2GRDpTkxbJiDASDT
 A2DYgoRtpFzN64wX4EnSEmya/D24mP43VOi2TlAc=
Received: by smtp1o.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id i5ALruo2pE-HC4WKA0l;
 Thu, 10 Aug 2017 19:17:12 +0300
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client certificate not present)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1502381832;
 bh=AOjHaT+yDXpmJsW3LSDugt7u95YQzsSxsGi10r66W3Y=;
 h=To:From:Subject:Message-ID:Date;
 b=T2n/cJmZ2jEcX5rX5exetDc2VfT1lhVgPkMXfbIFAmw8PE6iLFkdddO7f67IRKfrb
 KNV7U5whs9PUhGRd0S2x5OULF8VC3QXMSEvXJiM5gSxZdbNNNq2GRDpTkxbJiDASDT
 A2DYgoRtpFzN64wX4EnSEmya/D24mP43VOi2TlAc=
Authentication-Results: smtp1o.mail.yandex.net; dkim=pass header.i=@yandex.ru
To: @gmail.com
From: Habratest
Subject: Test fot Habr
Message-ID: <48942373-b6c4-d019-a15f-6aeaeeda39df@yandex.ru>
Date: Thu, 10 Aug 2017 21:17:10 +0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US

Hbrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabrahabra


The recipient's address has been redacted to @gmail.com; the mailbox that actually sent the letter is 42@yandex.ru.
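Added example (my code, not from the post or from Yandex): the receiver-side DMARC alignment that the headers above satisfy (spf and dkim identifiers both yandex.ru, From domain yandex.ru), beside the submission-side check a provider's SMTP AUTH server needs so that an authenticated account can only put its own addresses in From: and Sender:. The account/alias table and the two messages are constructed, and the relaxed-alignment check omits the public-suffix lookup of RFC 7489.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed for this example: which originator addresses each authenticated
# account may use. A real MSA would look this up in its account database.
ACCOUNT_ALIASES = {
    "42@yandex.ru": {"42@yandex.ru", "42@ya.ru"},
}

def identifier_aligned(from_domain, identifier_domain, relaxed=True):
    """DMARC identifier alignment (RFC 7489 3.1): strict mode needs equality,
    relaxed mode also accepts a parent/child relation between the two domains.
    Simplification: no public-suffix (organizational domain) lookup."""
    f, d = from_domain.lower(), identifier_domain.lower()
    if f == d:
        return True
    return relaxed and (d.endswith("." + f) or f.endswith("." + d))

def dmarc_passes(from_domain, spf_domain, dkim_domains):
    """A receiver passes DMARC when either authenticated identifier aligns
    with the RFC5322.From domain; it never sees who authenticated at the MSA."""
    return identifier_aligned(from_domain, spf_domain) or any(
        identifier_aligned(from_domain, d) for d in dkim_domains)

def originator_addresses(raw_message):
    """All addr-specs in From: and Sender: (both originator fields), lower-cased."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("From", []) + msg.get_all("Sender", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def msa_should_accept(auth_user, raw_message):
    """Submission-side check: accept only if every originator address belongs
    to the account that authenticated. A missing or unparsable From: is
    rejected rather than guessed."""
    allowed = ACCOUNT_ALIASES.get(auth_user.lower(), {auth_user.lower()})
    addrs = originator_addresses(raw_message)
    return bool(addrs) and addrs <= allowed

# Constructed messages modelled on the page: account 42@yandex.ru authenticated,
# but the client set From: to a different yandex.ru address.
SPOOFED = ("From: Habratest <i@yandex.ru>\r\nTo: someone@gmail.com\r\n"
           "Subject: Test fot Habr\r\n\r\nHabrahabra\r\n")
LEGIT = SPOOFED.replace("<i@yandex.ru>", "<42@yandex.ru>")

if __name__ == "__main__":
    # Receiver view of the headers above: DMARC passes, so Gmail cannot tell.
    print("receiver DMARC pass:", dmarc_passes("yandex.ru", "yandex.ru", ["yandex.ru"]))
    print("MSA accepts spoofed:", msa_should_accept("42@yandex.ru", SPOOFED))
    print("MSA accepts legit:  ", msa_should_accept("42@yandex.ru", LEGIT))
```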

Moral and Yandex's response

This vulnerability creates huge opportunities for social engineering. In the same way, one can use the addresses of, for example, GeekBrains, which uses PDD (or Connect) for its mail.
The DKIM check passes, but the signing domain is Yandex's (even when a different mail domain is used).
Naturally, I immediately wrote about it to Yandex's Bughunter program last summer and
received the reply:

I sent them the vulnerability on June 27, 2016.
That is, for a year Yandex could not fix a vulnerability that is serious enough (in my opinion) to affect the safety of Yandex's partners who use its mail service.

By the way, mail.ru and Gmail are not affected.
GeekBrains, sorry, but among those who use Yandex's services I know only you, because your avatar gave you away.
