Re: [Evolution] [Fwd: Another possible RFC 2046 vulnerability.]

Speaking strictly client-side, what difference would this make over
someone sending you malicious.code in the actual body of the message?

As far as I can tell, there's no difference.

That said, I can't tell you if we will or will not implement this
feature. Personally I'd like to do it eventually because I think it's
kinda cool.

Just because virus scanning software on the server is stupid doesn't
mean you should limit functionality in the client, it just means you
have to make server software less stupid. Either that or educate users.

Besides, Evolution is a Unix client - I don't know of any virus that
Evolution will auto-execute and will allow to root your system and do
all sorts of nasty stuff.

Evolution will never run a script or binary attachment. Ever. And afaik,
we don't plan on making it so that messages can contain embedded scripts
that Evolution will auto-magically run like Outlook does, so that's not
an issue either. (We do plan to add scripting support to Evolution at
some point, but we do not plan to make it so that messages can invoke


On Fri, 2002-09-27 at 11:48, Richard Bellavance wrote:
I hope support for this aberration will not be integrated into

At least, 1.0.8 does not seem to support it.

Richard Bellavance                   COGNICASE inc.
Analyste-programmeur principal       Hébergement, sécurité et réseaux
T.: 514-732-8000 #4153               20, Place du Commerce
F.: 514-732-8021                     Verdun, Qc, H3E 1Z6, CANADA


From: Jose Marcio Martins da Cruz <Jose-Marcio Martins ensmp fr>
To: bugtraq <bugtraq securityfocus com>
Subject: Another possible RFC 2046 vulnerability.
Date: 27 Sep 2002 13:01:46 +0200


Some days ago, we're talking about RFC 2046 message fragmentation

There is another related RFC 2046 vulnerability : message/external-body
message type.

RFC 2046 message/external-body MIME type allows to send messages not by
it's content, but by reference.

In this case, you can send a message with the following MIME tag :

   Content-Type: message/external-body; name="malicious.code";
                 site=""; mode="image";
                 access-type=ANON-FTP; directory="pub"

Client MUA, receives this and will get "malicious.code" file by
anonymous ftp from ftp server.

RFC 2046 defines five access-types :"FTP", "ANON-FTP", "TFTP",

There are some other optional parameters to this feature.  For example,
if the message includes parameter permission="write", existing file will
be overwriten.

RFC 2046 says something about security in paragraph :

   (1)   Accessing data via a "message/external-body" reference
         effectively results in the message recipient performing
         an operation that was specified by the message
         originator.  It is therefore possible for the message
         originator to trick a recipient into doing something
         they would not have done otherwise.  ...

Combining different access-types (mainly anon-ftp, mail-server and
local-file) can create; IMHO, more complex attacks.

What's interesting is that in this case the message and the malicious
code passes through two different network paths : messages is sent by
mail and the malicious code will be get by receiver by anonymous ftp.

In the case of previous vulnerability (fragmented message), message and
malicious code uses the same network path.

Classical mail server virus scanners will never see the malicious code
pass through it, as they will never have available entire malicious

The only way to detect it, IMHO, at mail server, is by lexical analysis
of MIME tags.

Netscape Communicator 4.79 is compatible with this RFC 2046 feature.

I can't say anything about others mail clients, as I'm sick at home and
I have no access to other MUAs. 

Attached to this message you'll find a message sent using this feature
and allowing you to get  RFC 2046 by anonymous ftp. Maybe someone can
check it out with Outlook and other popular MUAs. It's in the /var/mail
format : you can append it to your mailbox and try it... 8-)

References : RFC 2046 - MIME - Media Types

Jose Marcio

 Jose Marcio MARTINS DA CRUZ     
 Ecole Nationale Superieure des Mines de Paris    
 Centre de Calcul                             Tel . :
 60, bd Saint Michel          
 75272 - PARIS CEDEX 06                   mailto:martins cc ensmp fr


From martins didi ensmp fr  Wed Sep 18 10:40:02 2002
Return-Path: <martins ensmp fr>
Received: from (didi [])
      by (8.12.4/8.12.2/JMMC) with ESMTP id g8I8dLCi003339
      for <tijojo adrian ensmp fr>; Wed, 18 Sep 2002 10:40:02 +0200
Sender: martins paris ensmp fr
Message-ID: <3D88395A AE13841F didi ensmp fr>
Date: Wed, 18 Sep 2002 10:29:14 +0200
From: Jose Martins <martins didi ensmp fr>
Reply-To: tijojo paris ensmp fr
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: tijojo adrian ensmp fr
Subject: tst attachment
Content-Type: multipart/mixed;
X-Miltered: at ticrobe by Joe's j-chkmail ("";)!
Status: RO

This is a multi-part message in MIME format.
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

RFC 2046 message/external-body compatibility test

Content-Type: message/external-body; name="rfc2046.Z";
        site=""; mode="image";
        access-type=ANON-FTP; directory="rfc/rfc20xx"

Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
fejj ximian com  -

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]