Researchers say a new exploitable attack vector for email, one that could enable the changing of email content post-delivery, could let attackers bypass security controls and trick victims into clicking through to a malicious site.

Details of the exploit called ROPEMAKER, which stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky, were made public Tuesday.

The exploit, discovered by Francisco Ribeiro, a researcher at the UK-based security firm Mimecast, takes advantage of email design functionality, namely by remotely changing CSS (Cascading Style Sheets) in HTML-based emails.

When the victim’s email client connects to remote CSS—something usually done to retrieve the style of an email—an attacker can change that content, either by substituting a benign link for a malicious one, or by changing a word or number in the email.

The attack doesn’t involve changing the actual content of the email, but instead what’s displayed to the end user, the researcher says.

Ribeiro says the exploit doesn’t work on browser-based emails such as Gmail, Outlook Web Access, or iCloud, but warns that both the desktop and mobile versions of Microsoft Outlook, the desktop and mobile versions of Apple Mail, and Mozilla’s Thunderbird could fall victim to ROPEMAKER. The Android mail client did a good job at thwarting the exploit, but the researcher couldn’t definitively say that mail clients on all versions of the mobile operating system were a safe alternative.

According to Ribeiro there are two ways an attacker could exploit ROPEMAKER via remote CSS. An attacker could use something the researcher calls a switch exploit to send remote CSS code to swap out a benign URL with a malicious one. Both URLs are sent in the original email, but an attacker could remotely edit CSS from which the email gets its display “style” to display a link of his choosing.

The second type of exploit, something called a matrix exploit, involves an attacker sending a blob of ASCII text alongside the email, “character-by-character in the form of a matrix of text.” The attacker uses remote CSS to control what the victim sees, picking and choosing which text to sub out.

Ribeiro cautions that this attack method is the more difficult one to prevent, mainly because email-filtering services can’t find or inspect whatever the destination site is because there’s no URL to detect – it’s all ASCII text.

“To do so would require the interpretation of CSS files, which is beyond the scope of current email security systems. This is an area where the rendering software—usually email clients—should do more to protect the user,” Mimecast’s advisory (.PDF) reads.

By disguising malicious links in ASCII text, an attacker could elude security controls and likely have a better chance of a victim clicking through.

Ribeiro claims that researchers at his firm, which specializes in cloud-based email management, haven’t seen ROPEMAKER exploited in the wild yet, but says that doesn’t mean that attackers aren’t using elements of the exploit in other, potentially more targeted, attacks.

It also doesn’t mean that attackers can’t borrow bits and pieces from ROPEMAKER to carry out further, splintered attacks.

The researcher suggests that an attacker could theoretically intercept a legitimate remote CSS call, almost like a man-in-the-middle attack. He warns attackers could also experiment with Scalable Vector Graphics (SVGs), text and links, to tweak what’s displayed to users in emails. Attackers could also use <embed> and <iframe> tags or dynamically generated remote fonts to trick users too.
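A gateway-side check for the remote-content hooks named above (remote stylesheets, `<embed>` and `<iframe>` sources, remote fonts), added here as an example; it is not code from Mimecast's advisory or from the article. The function name, hit labels and sample message are constructed for illustration, and the check only reports that a message pulls in remote styling or content; it does not interpret the CSS.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

REMOTE = re.compile(r"\s*(?:https?:)?//", re.I)
# Remote targets of @import "..." and url(...): stylesheets, fonts, images.
CSS_REMOTE = re.compile(r"""(?:@import\s+|url\()\s*['"]?\s*((?:https?:)?//[^'")\s;]+)""", re.I)

class RemoteHookFinder(HTMLParser):
    """Collects (kind, url) for remote resources that can change what is displayed."""
    def __init__(self):
        super().__init__()
        self.hits, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower() and REMOTE.match(a.get("href", "")):
            self.hits.append(("remote-stylesheet", a["href"].strip()))
        if tag in ("iframe", "embed") and REMOTE.match(a.get("src", "")):
            self.hits.append(("remote-" + tag, a["src"].strip()))
        self.hits += [("remote-css-in-style-attr", u) for u in CSS_REMOTE.findall(a.get("style", ""))]
        self.in_style = self.in_style or tag == "style"

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):
        if self.in_style:  # text inside <style>...</style>
            self.hits += [("remote-css-in-style-block", u) for u in CSS_REMOTE.findall(data)]

def find_remote_hooks(raw_message):
    """Return every remote-content hook found in the text/html parts of a message."""
    hits = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = RemoteHookFinder()
            finder.feed(part.get_content())
            finder.close()
            hits += finder.hits
    return hits

# Constructed sample message (not taken from the advisory).
SAMPLE = """\
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://styles.example.net/mail.css">
<style>@font-face { font-family: f; src: url(//fonts.example.net/f.woff); }</style></head><body><p style="color:#333">Invoice attached.</p></body></html>
"""
```

A gateway could quarantine flagged messages or strip the flagged elements before delivery, since the referenced files can change after any scan.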

While Mimecast is billing the exploit as new, it can be argued the technique repackages the age-old danger of loading remote content.

That’s why whether ROPEMAKER can even technically be defined as a vulnerability is up for public debate. The company disclosed the exploit to email client vendors such as Microsoft and Apple last year, but neither saw it worth addressing. Microsoft told Ribeiro the exploit didn’t “meet the bar for security servicing,” while Apple said users can disable the loading of remote content by unchecking “Load remote content in messages” in their Mail settings.

The MITRE Corporation, which issues CVE numbers for vulnerabilities, elected not to issue one for ROPEMAKER. If it reconsiders, researchers suggest the exploit fall under Inclusion of Functionality from Untrusted Control Sphere, the term for when software “imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.”

Comments (6)

  1. Francisco Ribeiro
    1

    Hi Chris,
    nice post. Just a quick note that there are more than two ways to exploit this including methods whereby CSS is not required such as remote fonts. Will provide more details, soon.

    This is certainly a feature of HTML but a dangerous one when applied to the email use case that, in my opinion, introduces a vulnerability.

    Kind regards,
    Francisco Ribeiro

  2. Jason
    3

    Am I right to think that this attack vector only affects showing and hiding content that must have been included with the original email? If so, it’s not a very dangerous vector, IMO.

    • Aaron
      4

      You can use @media rules to print new content relative to the position of some other existing content.

    • Francisco Ribeiro
      5

      No, these contents do not need to go on the original email at all. Please have a look at the “Matrix” or, even better, the “Content Property” techniques where all content is defined on the remotely linked file that does not persist on the victim’s machine. This can even be exploited in the presence of technologies such as PGP and S/MIME. You can read more about this in my paper:
      http://www.digitalloft.org/init/plugin_wiki/page/ropemaker