
Sammy the sender is sending email to Rita the recipient. I know Sammy will apply a DKIM signature to the email and Rita is going to check the DKIM signature with a DKIM validator. I am a malicious man-in-the-middle. I want to modify the email so that the header values that are displayed in Rita's mail client differ from what was DKIM signed, but I still want the email Rita receives to appear to be DKIM-verified when passed through a DKIM validator. Can this be done? How much can an attacker modify?

So far I have learned of three techniques to do this:

  1. Add new header. Add a header that wasn't present in the original email and isn't included in the DKIM signature. That header will likely still be displayed by Rita's email client even though it's not included in the DKIM signature.

  2. Multiple copies of header. Add multiple versions of the same header, with a different value. DKIM will only check the last one; if the email client displays the first one, then a successful attack becomes possible. To be more specific, place a malicious header -- say, a From: header with a malicious value -- before the DKIM header. If I understand correctly, the DKIM signature only covers headers after the DKIM header, so the signature will appear to be valid despite the fact that the malicious header value wasn't signed. Credit: Thanks to Robert Graham for pointing out this trick.

  3. Add content after signed section. RFC 6376 points out a more obscure attack, if the DKIM header in the original email uses a l= tag (most ordinary emails usually don't) and uses it incautiously. Probably not relevant in most situations.

Each one of these has limitations on what the attacker can achieve. Are there any other attacks I've overlooked?

D.W.
A small note about multiple copies of a header: It is possible to sign multiple instances of a header in DKIM (See [section 5.4.2 of RFC6376](https://tools.ietf.org/html/rfc6376#section-5.4.2)). If the signer signs one more header field than actually exists in the e-mail, it is no longer possible to add a non-empty header of the same type. – user228011 Jan 10 '17 at 19:49

1 Answer


First, nice question. I've checked how Thunderbird behaves by modifying an existing mail, and it actually takes the first headers for display of From, To and Subject, while the DKIM signature mechanism starts from the end :(. Thus the DKIM signature is considered valid even though From, To and Subject are spoofed. Interestingly, the first From line is only used in the mail view, while in the list view of all mails it shows the last From line.
As for other attacks or how the attacks you've described can be used in a way you might not have realized:

There are some mail headers which have interesting side effects and often these headers are not fully protected (i.e. protected against change or against adding a new header). Notably Content-Type and Content-Transfer-Encoding have special meaning on how the content gets interpreted. Manipulating these headers can have interesting effects. For example having a Content-Type multipart with a non-existing boundary causes Thunderbird to no longer show the original text of the mail but instead a blank content. When combined with spoofing the Subject ("download update from hxxp://...") and/or the Reply-To this unexpected blank content can be used for a social attack. Example:

 Subject: Blank mail? Download hotfix for your mail client at http://....
 Content-type: multipart/mixed; boundary=boundary_does_not_exist
 Subject: original subject
 Content-type: original/type

Similarly, changing Content-Transfer-Encoding to base64 for non-multipart content can cause it to display only gibberish, which can similarly be used in a social attack. Example:

 Subject: Mail corrupt? Download hotfix for your mail client at http://....
 Content-Transfer-Encoding: base64
 Subject: original subject
 Content-type: text/plain

If the DKIM signature uses l= to limit how many lines are used in the body hash, one can also "replace" the content of the mail by changing (or adding) the Content-type to some multipart type with a special boundary. The boundary is then designed to skip over the existing content included in the hash, which will be treated as the preamble for the new MIME parts (and thus will not be shown). Example:

 Content-type: multipart/mixed; boundary=my_own_boundary
 DKIM-Signature: ... bh=...; l=...
 Content-type: original/type

 here is the original content, no matter if single part or multipart
 this is the last line included in the body hash

 --my_own_boundary
 Content-type: text/plain

 Only this text is shown at the recipient
 --my_own_boundary--

... uses a l= tag (most ordinary emails usually don't)

Actually I was surprised how many DKIM signatures with l= I've found in my mailbox. Notably mails from cisco.com use(d?) this feature and I've used one to successfully replace the content in the way I described while keeping the signature valid.

Apart from modifying an existing mail from Sammy, the attacker might also be able to create a new mail to Rita which looks like it came from Sammy. This can be done by creating a mail with a valid DKIM signature and then adding a faked From header on top. If Rita just checks whether the DKIM signature is valid, she will not see any problems. If she additionally checks whether the signature domain matches the sender's domain, the result depends on which From header is used for this validation. But if Sammy uses one of the public mail providers, the attacker could simply also get a mail account there, and then it would not matter which From is considered when checking the domain, because both are from the same domain.

EDIT: The question here resulted in some larger research in 2017 where I've shown how mails can be modified without breaking the DKIM signature in real life. See Breaking DKIM - on Purpose and by Chance.

Steffen Ullrich
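The answer's observation (client displays the topmost From/Subject, the verifier hashes from the bottom) and user228011's over-signing remedy both follow from the header selection rule in RFC 6376 section 5.4.2. The following Python is an added example, not code from the question, the answer or any DKIM library: it audits a raw mail for header instances a verifier would not cover, and flags over-signed names. The two sample mails are constructed, `bh=`/`b=` hold placeholders, and no signature cryptography is performed; only the header selection is modelled.

```python
# Constructed samples, not from the page. ORIGINAL: as Sammy's signer sent it, Subject
# over-signed (in h= twice, present once). TAMPERED: a MITM prepended From and Subject.
ORIGINAL = """DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=from:subject:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: sammy@example.com
Subject: original subject"""
TAMPERED = "From: attacker@example.net\nSubject: Blank mail? Download hotfix\n" + ORIGINAL

def parse_headers(raw):
    """Ordered (name, value) pairs from the header block, folded lines unfolded."""
    headers = []
    for line in raw.split("\n\n", 1)[0].split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def signed_names(headers):
    """Names from the h= tag of the last DKIM-Signature, lowercase, with multiplicity."""
    for name, value in reversed(headers):
        if name.lower() == "dkim-signature":
            tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
            return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    return []

def audit(raw):
    """Per header name: instances the verifier hashes (each h= entry takes the next unused
    instance from the bottom), unsigned instances, over-signing, and whether the topmost one
    (what a first-wins client displays) is among the signed instances."""
    headers = parse_headers(raw)
    consumed, report = set(), {}
    for name in signed_names(headers):
        entry = report.setdefault(name, dict(signed=0, unsigned=0, oversigned=False))
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in consumed and headers[idx][0].lower() == name:
                consumed.add(idx)
                entry["signed"] += 1
                break
        else:  # no instance left to take: the verifier hashes an empty string instead
            entry["oversigned"] = True
    for idx, (name, _) in enumerate(headers):
        if name.lower() != "dkim-signature":  # the signature header itself is covered via b=
            entry = report.setdefault(name.lower(), dict(signed=0, unsigned=0, oversigned=False))
            entry.setdefault("top_signed", idx in consumed)  # the first instance seen decides
            entry["unsigned"] += 0 if idx in consumed else 1
    return report

def spoofable(raw):
    """Names whose displayed (topmost) instance is not covered by the signature."""
    return sorted(n for n, e in audit(raw).items()
                  if not e.get("top_signed", True))  # absent name: adding one breaks the sig
```

On TAMPERED the over-signed Subject is fully covered (the attacker's copy is hashed, so the signature would fail), while the added From is left unsigned and is what a first-wins client shows.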