Full Disclosure mailing list archives
Re: DoS attacks on MIME-capable software via complex MIME emails
From: Bernhard Brehm <bruhns () recurity-labs com>
Date: Mon, 08 Dec 2008 23:56:05 +0100
Valdis.Kletnieks () vt edu said:
> You want *real* loads of fun? Go read up on message/partial ;)
You're right. The RFCs do read like fun. I did some testing on DoS attacks with message/partial before I found the other problems. However, most applications refuse to reassemble messages. The situation is quite similar to the reason why MTAs like sendmail are no real target for such attacks: no server should try to convert 8bit encoding to 7bit encoding any more. Nobody needs to split a message into several parts for transfer and expects the mail client to reassemble the parts. Not all pieces of MIME-related software really need to understand these rather obscure content-types.

Another grateful target is multipart/related (RFC 2387) in combination with text/html. Once the problems with nesting and overly large multiparts are resolved, you will want to look there for more bugs. One type of attack to be found there is to cause quadratic or worse memory consumption at the target (quadratic with respect to the email size), quite similar to Fefe's 42.zip or all these web browser DoS things with recursive iframes.

But you do not need to look at obscure content-types in order to mount effective DoS attacks. The two PoC mails nesty and multikill are very basic, simple and effective. Try them on your mail system! Every application needs to understand the multipart/mixed content-type; there is no way of refusing to parse it. Many applications in your system try to parse MIME: spam filters (at least old versions of SpamAssassin used to crash), antivirus, webmail servers, mailing list software (at least old versions of Mailman used to crash), email clients, 3-letter agencies (who knows?), MSN Messenger (really!), mayhaps some IPS.
> "Nesty" and "multikill" were already recognized as a potential issue all the way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned Freed thought that deep nesting was more likely to be an issue: http://www.imc.org/ietf-calendar/archive1/msg00487.html
Thanks! That's quite an early reference and by one of the original authors of MIME.

Cheers,
Bruhns

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
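The two failure modes the thread names, deep multipart nesting ("nesty") and a very large number of body parts ("multikill"), are both bounded before a full MIME parser ever runs by a cheap line-oriented pre-scan. The following guard is an added example written for this archive page; it is not code from the thread, from any of the PoC mails, or from any of the products mentioned. It tracks the stack of multipart boundaries as it walks the raw message and rejects it as soon as either an assumed nesting limit or an assumed part-count limit is exceeded. The limits (8 levels, 1000 parts) and the `nested_message`/`flat_message` fixtures are constructed for illustration and are not values taken from the thread.

```python
"""Pre-parse guard against deeply nested and many-part MIME messages (added example)."""
import re
from dataclasses import dataclass

# Matches an (already unfolded) Content-Type header that declares a multipart boundary.
_MULTIPART_RE = re.compile(
    rb'^content-type:\s*multipart/[^;\s]+\s*;.*?boundary="?([^";\s]+)"?', re.I
)


@dataclass
class MimeLimitReport:
    ok: bool
    reason: str   # "" when ok, otherwise "depth" or "parts"
    depth: int    # deepest multipart nesting observed
    parts: int    # body parts observed (one per delimiter line)


def check_mime_limits(raw: bytes, max_depth: int = 8, max_parts: int = 1000) -> MimeLimitReport:
    """Scan a raw RFC 5322/2046 message and stop early when a limit is crossed.

    The assumed defaults (8 levels, 1000 parts) are illustrative; pick values
    that match what your downstream parser can handle.
    """
    stack = []          # boundaries of the multipart containers we are currently inside
    deepest = 0
    parts = 0
    in_headers = True   # the top-level message starts with a header block
    pending = None      # boundary declared by the header block currently being read
    lines = raw.split(b"\n")
    i = 0
    while i < len(lines):
        line = lines[i].rstrip(b"\r")
        if in_headers:
            if line == b"":
                in_headers = False
                if pending is not None:
                    stack.append(pending)     # entering a new multipart container
                    pending = None
                    deepest = max(deepest, len(stack))
                    if len(stack) > max_depth:
                        return MimeLimitReport(False, "depth", deepest, parts)
            else:
                # Unfold continuation lines (RFC 5322 folding) before matching.
                while i + 1 < len(lines) and lines[i + 1][:1] in (b" ", b"\t"):
                    i += 1
                    line += b" " + lines[i].strip()
                m = _MULTIPART_RE.match(line)
                if m:
                    pending = m.group(1)
        elif line.startswith(b"--"):
            token = line.rstrip()   # RFC 2046 permits transport padding after a delimiter
            for level in range(len(stack) - 1, -1, -1):
                marker = b"--" + stack[level]
                if token == marker:
                    del stack[level + 1:]   # unterminated inner multiparts are implicitly closed
                    parts += 1
                    if parts > max_parts:
                        return MimeLimitReport(False, "parts", deepest, parts)
                    in_headers = True       # a body part begins with its own header block
                    break
                if token == marker + b"--":
                    del stack[level:]       # closing delimiter: leave this container
                    break
        i += 1
    return MimeLimitReport(True, "", deepest, parts)


def nested_message(depth: int) -> bytes:
    """Constructed fixture: `depth` multipart/mixed containers, one inside the other."""
    body = b"Content-Type: text/plain\r\n\r\nhello\r\n"
    for level in range(depth):
        b = b"b%d" % level
        body = (b'Content-Type: multipart/mixed; boundary="' + b + b'"\r\n\r\n'
                b"--" + b + b"\r\n" + body + b"--" + b + b"--\r\n")
    return b"From: sender@example.invalid\r\n" + body


def flat_message(count: int) -> bytes:
    """Constructed fixture: one multipart/mixed with `count` sibling text parts."""
    parts = b"".join(b"--m\r\nContent-Type: text/plain\r\n\r\npart %d\r\n" % n for n in range(count))
    return b"Content-Type: multipart/mixed; boundary=m\r\n\r\n" + parts + b"--m--\r\n"


if __name__ == "__main__":
    for msg in (nested_message(3), nested_message(12), flat_message(50), flat_message(1500)):
        print(check_mime_limits(msg))
```

Because the scan never builds a tree, its memory use is linear in the message size regardless of how the parts are arranged, which is exactly the property the full parser downstream may lack. A message the guard rejects can be bounced or quarantined before any of the components listed above (spam filter, antivirus, webmail, list software, client) spends real work on it.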
Current thread:
- DoS attacks on MIME-capable software via complex MIME emails Bernhard Brehm (Dec 08)
- Re: DoS attacks on MIME-capable software via complex MIME emails Valdis . Kletnieks (Dec 08)
- Re: DoS attacks on MIME-capable software via complex MIME emails Bernhard Brehm (Dec 09)
- Re: DoS attacks on MIME-capable software via complex MIME emails Kurt Buff (Dec 09)
- Re: DoS attacks on MIME-capable software via complex MIME emails Bernhard Brehm (Dec 09)
- Re: DoS attacks on MIME-capable software via complex MIME emails Valdis . Kletnieks (Dec 08)