[neomutt-devel] spear phishing attack on me

Jon Fineman jon at fineman.me
Wed Apr 9 13:31:20 CEST 2025


When I open this I consistently get a core dump, right after verifying the signature.

I am using OpenBSD current.

Commit: f695281a6962a2f57d5186c27fc22adec6099139

ryzen(~/src/neomutt)$: ./neomutt -v
NeoMutt 20250404
Copyright (C) 2015-2025 Richard Russon and friends
NeoMutt comes with ABSOLUTELY NO WARRANTY; for details type 'neomutt -vv'.
NeoMutt is free software, and you are welcome to redistribute it
under certain conditions; type 'neomutt -vv' for details.

System: OpenBSD 7.7 (amd64)
ncurses: ncurses 6.4.20230826 (compiled with 6.4.20230826)
libiconv: 1.17
libidn2: 2.3.0 (compiled with 2.3.0)
GPGME: 1.24.2
OpenSSL: LibreSSL 4.1.0
libnotmuch: 5.6.0
PCRE2: 10.44 2024-06-07
storage: tdb

Configure options: --autocrypt --with-lock=flock --fmemopen --gpgme --notmuch --ssl --sasl --sqlite --tdb --debug --disable-doc --pcre2

Compilation CFLAGS: -std=c11 -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -D__EXTENSIONS__ -D_XOPEN_SOURCE_EXTENDED -I/usr/local/include -DNCURSES_WIDECHAR -O2

Compile options:
  +autocrypt -fcntl +flock +fmemopen +futimens +getaddrinfo -gnutls +gpgme 
  -gsasl -gss +hcache -homespool +idn -inotify -locales_hack -lua +nls +notmuch 
  +openssl +pcre2 +pgp +sasl +smime +sqlite +truecolor 

MAILPATH="/var/mail"
PKGDATADIR="/usr/local/share/neomutt"
SENDMAIL="/usr/sbin/sendmail"
SYSCONFDIR="/usr/local/etc"



egdb bin/x_neomutt x_neomutt.core 
GNU gdb (GDB) 15.2
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-unknown-openbsd7.7".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bin/x_neomutt...
[New process 595952]
Core was generated by `x_neomutt'.
Program terminated with signal SIGABRT, Aborted.
#0  thrkill () at /tmp/-:2

warning: 2      /tmp/-: No such file or directory
(gdb) bt
#0  thrkill () at /tmp/-:2
#1  0x66185e33c8dc45ec in ?? ()
#2  0x000003e435de5f1b in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#3  0x000003e435da25d7 in memcpy (dst0=<optimized out>, src0=<optimized out>, length=<optimized out>)
    at /usr/src/lib/libc/string/memcpy.c:74
#4  0x000003e20cb5c1be in mutt_ch_fgetconv (fc=0x3e4f33fb000) at mutt/charset.c:1013
#5  0x000003e20cad8189 in pgp_gpgme_application_handler (b=0x3e42d52d9c0, state=0x728fe9e961f0)
    at ncrypt/crypt_gpgme.c:2714
#6  0x000003e20cad2f02 in crypt_pgp_application_handler (b_email=0x3e42d52d9c0, state=0x728fe9e961f0)
    at ncrypt/cryptglue.c:239
#7  0x000003e20c9dadd8 in run_decode_and_handler (b=0x3e42d52d9c0, state=0x728fe9e961f0, 
    handler=0x3e20cad2ea0 <crypt_pgp_application_handler>, plaintext=false) at handler.c:1445
#8  0x000003e20c9d7905 in mutt_body_handler (b=0x3e42d52d9c0, state=0x728fe9e961f0) at handler.c:1774
#9  0x000003e20c9da732 in multipart_handler (b_email=0x3e42d50a900, state=0x728fe9e961f0) at handler.c:1291
#10 0x000003e20c9dadd8 in run_decode_and_handler (b=0x3e42d50a900, state=0x728fe9e961f0, 
    handler=0x3e20c9da420 <multipart_handler>, plaintext=false) at handler.c:1445
#11 0x000003e20c9d7905 in mutt_body_handler (b=0x3e42d50a900, state=0x728fe9e961f0) at handler.c:1774
#12 0x000003e20c9da732 in multipart_handler (b_email=0x3e4de0cc300, state=0x728fe9e961f0) at handler.c:1291
#13 0x000003e20c9dadd8 in run_decode_and_handler (b=0x3e4de0cc300, state=0x728fe9e961f0, 
    handler=0x3e20c9da420 <multipart_handler>, plaintext=false) at handler.c:1445
#14 0x000003e20c9d7905 in mutt_body_handler (b=0x3e4de0cc300, state=0x728fe9e961f0) at handler.c:1774
#15 0x000003e20c9ce89f in mutt_copy_message_fp (fp_out=0x3e435e186e0 <usual+304>, fp_in=0x3e435e185b0 <usual>, 
    e=0x3e471659d20, cmflags=76, chflags=262294, wraplen=86) at copy.c:801
#16 0x000003e20c9cf2fa in mutt_copy_message (fp_out=0x3e435e186e0 <usual+304>, e=0x3e471659d20, msg=0x3e42d53a4b0, 
    cmflags=76, chflags=262294, wraplen=86) at copy.c:924
#17 0x000003e20ca207f7 in email_to_file (msg=0x3e42d53a4b0, tempfile=0x3e4367508c0, m=0x3e42dbc2800, 
    e=0x3e471659d20, header=0x0, wrap_len=86, cmflags=0x728fe9e9641a) at pager/message.c:254
#18 0x000003e20ca20add in mutt_display_message (win_index=0x3e436712960, shared=0x3e4f341df00)
    at pager/message.c:468
#19 0x000003e20ca0b4cf in op_display_message (shared=0x3e4f341df00, priv=0x3e42dbb6b40, op=80)
    at index/functions.c:651
#20 0x000003e20ca0a383 in index_function_dispatcher (win=0x3e436712960, op=80) at index/functions.c:3280
#21 0x000003e20ca05758 in dlg_index (dlg=0x3e436718d20, m_init=0x3e42dbd8100) at index/dlg_index.c:1371
#22 0x000003e20c9ff210 in main (argc=1, argv=0x728fe9e96c58, envp=0x728fe9e96c68) at main.c:1756
(gdb)


Alejandro Colomar via neomutt-devel <neomutt-devel at neomutt.org>
writes:

> On Wed, Apr 09, 2025 at 11:47:45AM +0200, Alejandro Colomar wrote:
>> Hi Serge,
>> 
>> On Tue, Apr 08, 2025 at 11:14:52PM -0500, Serge E. Hallyn wrote:
>> > On Tue, Apr 08, 2025 at 02:31:37PM +0200, Alejandro Colomar wrote:
>> > > Hi everyone,
>> > > 
>> > > I'm writing to the mailing lists of every project in which I have write
>> > > permissions: shadow, linux-man, and neomutt.  I also CCed maintainers,
>> > > LWN, and my contact in the Linux foundation.  In BCC is my contact from
>> > > Google for my sponsorship, which might be of help, and also another
>> > > friend from Google.
>> > > 
>> > > Last week someone reported to me a vulnerability in shadow utils.  It
>> > > was a real vulnerability, although something relatively unimportant
>> > > (needs physical presence of the attacker, or a way to read memory of a
>> > > setuid-root program --which means they probably already own the
>> > > system--).  In fact, we kind of knew its existence already, and I've
>> > > been working on mitigating it, and we've discussed it in the project.
>> > > 
>> > > The report seemed legitimate in the beginning, although I was suspicious
>> > > that it was only sent to me (I'm involved in the project, and am the
>> > > main contributor by number of commits, but Serge and Iker are the
>> > > maintainers (I maintain the stable branches only), and the guidelines
>> > > say they should have been CC'd), but that's something that could happen,
>> > > so I continued discussing the vulnerability with this person.  In my
>> > > responses, I added to CC the co-maintainers.  When this person replied
>> > > to me, it removed the co-maintainers from CC, which again is suspicious,
>> > > but is something that could happen.
>> > > 
>> > > This person tried to get me to open a couple of PNG files, supposedly showing
>> > > an exploit for the vulnerability.  Of course I didn't open any of them.
>> > > I replied asking for a text-based alternative, because it would be
>> > > ironic that talking about vulnerabilities I would have to open
>> > > "unnamed.png" and "unnamed-1.png".  The person didn't reply again, which
>> > > to me was the confirmation that it was an attack, and they realized they
>> > > got caught.
>> > 
>> > (Had asked this previously privately, but this seems worth discussing
>> > publicly)  Would be great to analyze the images.
>> 
>> Yup; I'm attaching the mail containing the suspicious images to this
>> message.  The mail is contained in a compressed tarball signed and
>> armored, to make it more difficult to accidentally open the images
>> (MUAs open them carelessly if they can, in some cases).
>
> Oops, I forgot to actually attach it.  Hopefully fixed this time.  :)
>
>> 
>> I created the tarball with:
>> 
>>         $ tar czf ~/Downloads/suspicious_mail.tar.gz cur/1743721130.26271_1.devuan,U=7595:2,RS;
>>         $ gpg --armor --sign ~/Downloads/suspicious_mail.tar.gz;
>> 
>> It can be opened this way:
>> 
>>         alx at devuan:~/Downloads/sus$ ls
>>         suspicious_mail.tar.gz.asc
>>         alx at devuan:~/Downloads/sus$ gpg --output sus_mail.tar.gz --verify suspicious_mail.tar.gz.asc
>>         gpg: Signature made Wed Apr  9 02:06:19 2025 CEST
>>         gpg:                using RSA key 4BB26DF6EF466E6956003022EB89995CC290C2A9
>>         gpg: Good signature from "Alejandro Colomar <alx at alejandro-colomar.es>" [ultimate]
>>         gpg:                 aka "Alejandro Colomar <alx at kernel.org>" [ultimate]
>>         gpg:                 aka "Alejandro Colomar Andres <alx.manpages at gmail.com>" [ultimate]
>>         alx at devuan:~/Downloads/sus$ ls
>>         sus_mail.tar.gz  suspicious_mail.tar.gz.asc
>>         alx at devuan:~/Downloads/sus$ gunzip --keep sus_mail.tar.gz
>>         alx at devuan:~/Downloads/sus$ ls
>>         sus_mail.tar  sus_mail.tar.gz  suspicious_mail.tar.gz.asc
>>         alx at devuan:~/Downloads/sus$ tar tvf sus_mail.tar
>>         -rw------- alx/alx       31193 2025-04-04 00:58 cur/1743721130.26271_1.devuan,U=7595:2,RS
>>         alx at devuan:~/Downloads/sus$ tar xf sus_mail.tar
>>         alx at devuan:~/Downloads/sus$ ls
>>         cur  sus_mail.tar  sus_mail.tar.gz  suspicious_mail.tar.gz.asc
>>         alx at devuan:~/Downloads/sus$ ls cur/
>>         '1743721130.26271_1.devuan,U=7595:2,RS'
>>         alx at devuan:~/Downloads/sus$ grep -r From: cur/
>>         cur/1743721130.26271_1.devuan,U=7595:2,RS:From: Mahdi Hamedani Nezhad <hamedaninezhadmahdi at gmail.com>
>> 
>> 
>> Have a lovely day!
>> Alex
>> 
>> > Of course it *is* always possible (unless you've found even more
>> > evidence to the contrary) that the reporter is legit and just...
>> > awkward.  Google does come up with a "security researcher" by that
>> > name.  So I wouldn't go whole-hog on the witch hunt just yet, but
>> > the whole thing definitely is fishy.
>> > 
>> > > I don't know why exactly they targeted me, but I assume it's because of
>> > > my involvement in one of these projects, so maintainers of these
>> > > projects should be especially careful these days, in case they try
>> > > another vector.
>> > > 
>> > > As for me, if anyone tries to impersonate me, please make sure it's me.
>> > > I almost always sign my email and *always* sign my git commits with my
>> > > PGP key.  If in doubt, please verify it's me.  I have never changed my
>> > > PGP master key, and keep it almost always offline, so that should
>> > > ultimately be the way to know it's me.  The key was certified by Michael
>> > > Kerrisk, and he knows me physically, in case we ever need to verify (say
>> > > if my master key ever is stolen and I need to revoke it).  This attack
>> > > was unsuccessful, but if I'm a target of interest, they might succeed in
>> > > another attack.  Don't trust me too much.
>> > > 
>> > > As for the attacker, I've reported to Google via
>> > > <https://support.google.com/mail/contact/abuse>, although I'm not sure
>> > > if they'll do much.  It would be interesting to learn the IP of the
>> > > owner of the account, and if it used a VPN to connect to gmail, if it
>> > > tried to attack any other people, and any other patterns that might be
>> > > useful to learn who is interested in this attack.  Maybe my contact at
>> > > Google can talk to people within Google to investigate this further.  Or
>> > > maybe some of you know someone at Google that can help investigate this.
>> > > The attacker is "Mahdi Hamedani Nezhad <hamedaninezhadmahdi at gmail.com>".
>> > > I presume this is a false name, trying to impersonate someone; I assume
>> > > no one would try to attack someone else using their real name.  There's a
>> > > real person with that name --or so it seems on LinkedIn--, who is a
>> > > security researcher in Iran.
>> > > 
>> > > 
>> > > Have a lovely day!
>> > > Alex
>> > > 
>> > > -- 
>> > > <https://www.alejandro-colomar.es/>
>> > 
>> > 
>> 
>> -- 
>> <https://www.alejandro-colomar.es/>
>
>
>
> -- 
> <https://www.alejandro-colomar.es/>
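On the core dump at the top of this message: the only abort path in OpenBSD's libc memcpy is its check for overlapping source and destination ranges, so an abort reached from inside memcpy (frame #3, called from mutt_ch_fgetconv in frame #4) is consistent with that check firing, whatever the root cause in the charset code turns out to be. As an added illustration (not neomutt code, and not a claim about the actual defect), here is that overlap condition written out, with a copy helper that routes overlapping ranges to memmove, the call the C standard defines for that case, exercised by a constructed read-buffer compaction, which is the kind of operation where overlap arises naturally:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* True when [dst, dst+n) and [src, src+n) share at least one byte.
 * This is the same condition OpenBSD's memcpy tests before aborting
 * (constructed helper for this example, not neomutt code). */
bool ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (n == 0)
        return false;
    return (d < s + n) && (s < d + n);
}

/* Copy that never hands overlapping ranges to memcpy: memmove is the
 * call defined to handle overlap, so use it whenever the check fires. */
void *copy_checked(void *dst, const void *src, size_t n)
{
    if (ranges_overlap(dst, src, n))
        return memmove(dst, src, n);
    return memcpy(dst, src, n);
}

/* Constructed example: shift the unconsumed tail of a read buffer to the
 * front.  src (buf + consumed) and dst (buf) overlap whenever more than
 * half of the buffer is still unconsumed, which a plain memcpy would
 * turn into an abort on OpenBSD.  Returns the new length. */
size_t compact_buffer(char *buf, size_t len, size_t consumed)
{
    if (consumed > len)
        consumed = len;
    copy_checked(buf, buf + consumed, len - consumed);
    return len - consumed;
}
```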

