Open Source and information security mailing list archives
Date: Mon, 08 Dec 2008 23:56:05 +0100
From: Bernhard Brehm <bruhns@...urity-labs.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS attacks on MIME-capable software via complex MIME emails

Valdis.Kletnieks@...edu said:
> You want *real* loads of fun? Go read up on message/partial ;)
You're right. The RFCs do read like fun. I did some testing on DoS
attacks with message/partial before I found the other problems. However,
most applications refuse to reassemble messages.
The situation is quite similar to the reason why MTAs like sendmail
are no real target for such attacks: No server should try to convert
8bit encoding to 7bit encoding any more. Nobody needs to split a message
into several parts for transfer and expects the mail client to reassemble
the parts. Not all pieces of MIME-related software really need to
understand these rather obscure content-types.

Another grateful target is multipart/related (RFC 2387) in combination
with text/html. Once the problems with nesting and overly large
multiparts are resolved, you will want to look there for more bugs. One
type of attack to be found there is to cause quadratic or worse memory
consumption at the target (quadratic with respect to the email size),
quite similar to Fefe's 42.zip or all these web browser DoS things with
recursive iframes.

But you do not need to look at obscure content-types in order to mount
effective DoS attacks. The two PoC mails nesty and multikill are very
basic and simple and effective. Try them on your mail system! Every
application needs to understand the multipart/mixed content-type; there
is no way of refusing to parse it. Many applications in your system try
to parse MIME: spam filters (at least old versions of SpamAssassin used
to crash), antivirus, webmail servers, mailing list software (at least
old versions of Mailman used to crash), email clients, 3-letter agencies
(who knows?), MSN Messenger (really!), mayhaps some IPS.

> "Nesty" and "multikill" were already recognized as a potential issue all the
> way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned
> Freed thought that deep nesting was more likely to be an issue:
> http://www.imc.org/ietf-calendar/archive1/msg00487.html
Thanks! That's quite an early reference and by one of the original
authors of MIME.


Cheers,
Bruhns
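The two failure modes discussed in this thread, deep multipart nesting ("nesty") and a very large number of body parts ("multikill"), are both things a MIME consumer can bound before doing any further work on a message. The following guard is an added example written for this archive page, not code from the poster or from any of the products named; the limit values, the function names and the `nested_message` test-input builder are assumptions.

```python
import email
from email import policy
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 8      # assumed limit on multipart nesting depth ("nesty")
MAX_PARTS = 1000   # assumed limit on total body parts ("multikill")


class MimeLimitExceeded(ValueError):
    """Raised when a message exceeds the configured nesting or part limits."""


def check_mime_limits(msg, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Walk the MIME tree and return (deepest_level, part_count).

    Raises MimeLimitExceeded as soon as a limit is crossed, so a hostile
    message is rejected without visiting the rest of its tree.
    """
    count = 0

    def visit(part, depth):
        nonlocal count
        count += 1
        if count > max_parts:
            raise MimeLimitExceeded(f"more than {max_parts} body parts")
        if depth > max_depth:
            raise MimeLimitExceeded(f"nesting deeper than {max_depth}")
        deepest = depth
        if part.is_multipart():          # payload is a list of sub-parts
            for sub in part.get_payload():
                deepest = max(deepest, visit(sub, depth + 1))
        return deepest

    return visit(msg, 0), count


def exceeds_limits(msg, **limits):
    """True if check_mime_limits() rejects the message under the given limits."""
    try:
        check_mime_limits(msg, **limits)
        return False
    except MimeLimitExceeded:
        return True


def nested_message(levels, leaves=1):
    """Constructed test input: multipart/mixed nested `levels` deep,
    with `leaves` text parts at the innermost level."""
    root = cur = MIMEMultipart("mixed")
    for _ in range(levels):
        inner = MIMEMultipart("mixed")
        cur.attach(inner)
        cur = inner
    for i in range(leaves):
        cur.attach(MIMEText(f"part {i}"))
    # Serialize and re-parse so the check runs on a message as received on the wire.
    return email.message_from_bytes(root.as_bytes(), policy=policy.default)
```

The root counts as level 0, so a message nested three levels deep with two leaf parts reports depth 4 and six parts in total.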

