Full Disclosure mailing list archives

Re: DoS attacks on MIME-capable software via complex MIME emails


From: Bernhard Brehm <bruhns () recurity-labs com>
Date: Mon, 08 Dec 2008 23:56:05 +0100

Valdis.Kletnieks () vt edu said:

> You want *real* loads of fun? Go read up on message/partial ;)

You're right. The RFCs do read like fun. I did some testing on DoS
attacks with message/partial before I found the other problems. However,
most applications refuse to reassemble messages.
The situation is quite similar to the reason why MTAs like sendmail
are no real target for such attacks: no server should try to convert
8bit encoding to 7bit encoding any more. Nobody needs to split a message
into several parts for transfer and expects the mail client to reassemble
the parts. Not all pieces of MIME-related software really need to
understand these rather obscure content-types.

Another grateful target is multipart/related (RFC 2387) in combination
with text/html. Once the problems with nesting and overly large
multiparts are resolved, you will want to look there for more bugs. One
type of attack to be found there is to cause quadratic or worse memory
consumption at the target (quadratic with respect to the email size),
quite similar to Fefe's 42.zip or all these web browser DoS things with
recursive iframes.

But, you do not need to look at obscure content-types in order to mount
effective DoS attacks. The two PoC mails nesty and multikill are very
basic and simple and effective. Try them on your mail system! Every
application needs to understand the multipart/mixed content-type; there
is no way of refusing to parse it. Many applications in your system try
to parse MIME: spam filters (at least old versions of SpamAssassin used
to crash), antivirus, webmail servers, mailing list software (at least
old versions of Mailman used to crash), email clients, 3-letter agencies
(who knows?), MSN Messenger (really!), mayhaps some IPS.

> "Nesty" and "multikill" were already recognized as a potential issue all the
> way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned
> Freed thought that deep nesting was more likely to be an issue:
>
> http://www.imc.org/ietf-calendar/archive1/msg00487.html

Thanks! That's quite an early reference and by one of the original
authors of MIME.


Cheers,
Bruhns

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
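As an added example (not code from the post above, and not the nesty or multikill PoC mails themselves): a small multipart walker in Python that enforces a nesting-depth cap and a total body-part cap, exercised against constructed messages shaped like the two PoCs, deep multipart/mixed nesting ("nesty") and a flat multipart/mixed with thousands of bodyparts ("multikill"). MAX_DEPTH, MAX_PARTS, the MimeLimitExceeded exception and the message builders are assumptions of this example, not taken from any real parser. The walker also illustrates the memory point from the post: each recursion level keeps its slice of the body alive, so without a depth cap memory grows with depth times message size, i.e. quadratically for a nesty-style message.

```python
"""Added example, not code from the original post: a minimal multipart walker
that enforces a nesting-depth cap and a body-part cap, plus builders for
messages shaped like the "nesty" and "multikill" PoCs described above.
MAX_DEPTH, MAX_PARTS, the builders and MimeLimitExceeded are assumptions of
this example, not taken from any real parser or from the PoC mails."""
import re

MAX_DEPTH = 16    # assumed policy: reject multipart nesting deeper than this
MAX_PARTS = 1000  # assumed policy: reject more body parts than this in total

_BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)


class MimeLimitExceeded(Exception):
    """Raised as soon as a message crosses a limit, before more work is done."""


def split_entity(raw: bytes):
    """Split one MIME entity into a lower-cased header dict and its body.
    Header folding is ignored; enough for the constructed messages below."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def count_parts(raw: bytes, depth: int = 0, stats=None) -> dict:
    """Walk a message and return {'parts': n, 'max_depth': d}.

    The depth check runs before the body at that level is split, and the part
    count is checked before descending into each part, so a hostile message is
    rejected without parsing all of it. Each recursion level keeps its slice
    of the body alive, so without the depth cap memory would grow with
    depth x message size (quadratic for a "nesty" style message)."""
    if stats is None:
        stats = {"parts": 0, "max_depth": 0}
    if depth > MAX_DEPTH:
        raise MimeLimitExceeded(f"nesting depth {depth} exceeds {MAX_DEPTH}")
    stats["max_depth"] = max(stats["max_depth"], depth)
    headers, body = split_entity(raw)
    ctype = headers.get(b"content-type", b"").decode("latin-1")
    match = _BOUNDARY_RE.search(ctype)
    if not ctype.lower().startswith("multipart/") or match is None:
        return stats  # leaf entity: nothing further to descend into
    delimiter = b"--" + match.group(1).encode("latin-1")
    for segment in body.split(delimiter)[1:]:  # [0] is the preamble
        if segment.startswith(b"--"):
            break                               # closing delimiter reached
        part = segment[2:] if segment.startswith(b"\r\n") else segment
        if part.endswith(b"\r\n"):
            part = part[:-2]                    # CRLF belongs to the delimiter
        stats["parts"] += 1
        if stats["parts"] > MAX_PARTS:
            raise MimeLimitExceeded(f"more than {MAX_PARTS} body parts")
        count_parts(part, depth + 1, stats)
    return stats


def within_limits(raw: bytes) -> bool:
    """True if the message parses within MAX_DEPTH/MAX_PARTS, else False."""
    try:
        count_parts(raw)
        return True
    except MimeLimitExceeded:
        return False


# --- constructed test messages, shaped like the PoCs (not the PoC mails) ---
def leaf(text: bytes) -> bytes:
    return b"Content-Type: text/plain\r\n\r\n" + text + b"\r\n"


def multipart(parts, boundary: bytes) -> bytes:
    body = b"".join(b"--" + boundary + b"\r\n" + p for p in parts)
    return (b'Content-Type: multipart/mixed; boundary="' + boundary + b'"\r\n\r\n'
            + body + b"--" + boundary + b"--\r\n")


def nesty(levels: int) -> bytes:
    """One part per level, nested `levels` deep; each level has its own boundary."""
    msg = leaf(b"deepest")
    for i in range(levels):
        msg = multipart([msg], b"=_%d_=" % i)
    return msg


def multikill(n: int) -> bytes:
    """A flat multipart/mixed carrying n bodyparts."""
    return multipart([leaf(b"x")] * n, b"=_0_=")


if __name__ == "__main__":
    print(count_parts(multipart([leaf(b"hi"), leaf(b"there")], b"=_0_=")))
    print(count_parts(nesty(5)))
    print(within_limits(nesty(100)), within_limits(multikill(5000)))
```

The caps are deliberately checked before the work they guard: the depth test runs on entry, before that level's body is split, and the part counter is bumped before recursing into each part, so the walker stops early on both PoC shapes instead of first building the whole structure and then measuring it.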

