Date: Mon, 08 Dec 2008 15:38:59 -0500
From: Valdis.Kletnieks@...edu
To: Bernhard Brehm <bruhns@...urity-labs.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urity-focus.com
Subject: Re: DoS attacks on MIME-capable software via complex MIME emails

On Mon, 08 Dec 2008 19:12:26 +0100, Bernhard Brehm said:

> I (re)discovered the bug independently in mid 2007. The bug was however
> known before. There are some advisories like secunia.com/advisories/11360/
> (for Eudora, bug still unfixed) by people who discovered the problem
> before, but did not publicly announce or did not see the scope of it. More
> recently, there has been a likewise advisory for sendmail, CVE-2006-1173.
> There have been other advisories for different antivirus solutions. This
> bug is not 0-day at all, it is really old. If you find older advisories,
> which cover this bug, or knew it before, mail me so I can update this
> section.

You want *real* loads of fun? Go read up on message/partial ;)

"Nesty" and "multikill" were already recognized as a potential issue all the
way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned
Freed thought that deep nesting was more likely to be an issue:

http://www.imc.org/ietf-calendar/archive1/msg00487.html


    * To: Mike Weston <mweston@...xxxxxxxxx>
    * Subject: Re: More on merged drafts.
    * From: Ned Freed <Ned.Freed@...xxxxxxxxx>
    * Date: Fri, 06 Dec 1996 14:01:39 -0800 (PST)
    * Cc: Alec Dun <AlecDu@...xxxxxxxxxxxxxxxxxxx>, fdawson@...xxxxxxxxxx, ietf-calendar@...xxxx
    * In-reply-to: "Your message dated Fri, 06 Dec 1996 10:58:29 -0800"<>
    * References: <>
    * Sender: owner-ietf-calendar@...xxxx

> Alec Dun wrote:
> >
> > I believe MIME is the right way to encapsulate objects for the following
> > reasons:
> >
> > 1.  MIME already has a way to represent multiple objects in a message.

> My guess would be that if many MIME parsers were presented with a
> multipart MIME message with thousands of parts (like someone's entire
> schedule for a few months), they would blow up.  This is just orders of
> magnitude more complex than this mechanism is typically called upon to
> handle today.

Maybe I'm just overly proud of my own implementation, but I don't think that
most implementations will have a problem handling this sort of thing. I
routinely receive MIME messages with anywhere from several dozen to several
hundred attachments and have no real problem with it.

Nesting is a very different matter, BTW. I can readily believe that many
implementations won't handle MIME structure nesting a thousand levels deep. (I
also have experience in this area to back up this assessment.) But the usage
being proposed here isn't a deeply nested structure, at least not as far as I
can tell.
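
The two failure modes discussed in this thread (thousands of body parts, and nesting a thousand levels deep) can both be bounded before a message reaches a full MIME parser. The following is an added example, not part of the original posts: a non-recursive pre-scan in Python whose names (`scan_mime_structure`, `MimeLimitExceeded`, `build_nested`) and limits are assumptions chosen for illustration.

```python
import re

MAX_DEPTH, MAX_PARTS = 10, 1000   # assumed limits, tune to your mail flow
_BOUNDARY = re.compile(r'boundary\s*=\s*(?:"([^"]+)"|([^\s;]+))', re.I)

class MimeLimitExceeded(Exception):
    pass

def scan_mime_structure(raw, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Walk multipart boundaries without recursion; return (deepest, parts)
    or raise MimeLimitExceeded as soon as a limit is passed."""
    stack = []                     # boundaries of the multiparts now open
    parts = deepest = 0
    in_headers, header = True, ""  # a message starts with its own headers
    for line in raw.splitlines():
        if in_headers:
            if line[:1] in (" ", "\t"):           # folded continuation line
                header += " " + line.strip()
                continue
            low = header.lower()                  # previous header is complete
            m = _BOUNDARY.search(header)
            if low.startswith("content-type:") and "multipart/" in low and m:
                stack.append(m.group(1) or m.group(2))
                deepest = max(deepest, len(stack))
                if len(stack) > max_depth:
                    raise MimeLimitExceeded(f"nesting deeper than {max_depth}")
            header, in_headers = line, line != ""  # blank line ends headers
            continue
        tail = line.rstrip()
        for i in range(len(stack) - 1, -1, -1):   # innermost multipart first
            if tail == "--" + stack[i]:           # next part of multipart i
                del stack[i + 1:]                 # drop unterminated children
                parts += 1
                if parts > max_parts:
                    raise MimeLimitExceeded(f"more than {max_parts} parts")
                in_headers, header = True, ""
                break
            if tail == "--" + stack[i] + "--":    # multipart i is closed
                del stack[i:]
                break
    return deepest, parts

def build_nested(levels):
    """Constructed sample: `levels` multiparts nested inside one another."""
    out = ["Subject: constructed sample"]
    for i in range(levels):
        out += [f'Content-Type: multipart/mixed; boundary="b{i}"', "", f"--b{i}"]
    out += ["Content-Type: text/plain", "", "hello"]
    return "\n".join(out + [f"--b{i}--" for i in reversed(range(levels))])
```

Because the open-boundary stack can never grow past `max_depth + 1` entries, the work per input line stays bounded no matter how the message is structured.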


