Bugtraq mailing list archives

Big MIME line detector


From: dmumford () NFR NET (M. Dodge Mumford)
Date: Tue, 4 Aug 1998 09:58:10 -0400


I am sending this to bugtraq because I think it meets the criteria for
postings, specifically, for recognizing the use of security holes. The NFR
package is available from http://www.nfr.net, please read the license
carefully before installing. I am very much affiliated with NFR, but this
is not intended as a commercial posting.

It was recently announced that MS IE, MS Outlook, and Netscape
Communicator for Windows are vulnerable to buffer overflows that involve
MIME headings; perhaps filenames. The only example I have seen was
from Ryan Veety (root () RYANSPC COM) from the bugtraq mailing list which
stated that "Content-Disposition: attachment; filename=AAAAA...AAAAAAA"
would bust a reader.

I started to work on N-Code that would only detect long filenames. Then it
occurred to me, "Why only filenames--Who's to say that next week the
Content-Type will be vulnerable, too?" So this counts the number of
characters in every TCP stream from "Content-" to the next "\n". If it
exceeds the threshold, it records what it's got and the rest of the TCP
session to a recorder, and sends an alert.

This is not fancy. Nor is it guaranteed to work. I promise there are ways
to circumvent this. This comes with no warranty whatsoever. Use at your
own risk.

Please read the comments in the .nfr file about installing properly once
you have the NFR distribution.



---------------------
bigmime.nfr

#
#        Copyright(C) 1998 Network Flight Recorder, Inc.
#        All rights reserved.
#
#        Use and distribution of this software and its source code
#        are governed by the terms and conditions of the
#        Network Flight Recorder Software License ("LICENSE.TXT" in
#        the NFR distribution.)
#
#       This filter is experimental and comes with absolutely, positively,
#       unconditionally, no warranty or support whatsoever. It is being
#       distributed to help administrators know whether this particular
#       attack is being attempted on their networks.
#
#       Abstract: Detect big MIME controls within TCP sessions
#
#       Notes:
#               This backend expects to be put in a package called "id".
#               Change the "bigmime_recorder" declaration if that's not
#               the case.
#
#               Be sure to add an entry in etc/spaceman.cf so that if this
#               starts recording gobs of data, your hard drive doesn't fill
#               up.
#
#               For alerts to work, you must create a user source of
#               BIG_MIME and a user message of SUSPICIOUS_ACTIVITY.
#
#       Author: M. Dodge Mumford, NFR
#
#       Date:   31 July 1998


SEARCHSTRING = "Content-" ;
MAXLINELEN = 100 ;
BUFFLEN = 2048 ;

bigmime_schema = library_schema:new ( 1, [ "time", "int", "ip", "int", "ip",
        "int", "blob" ], scope()) ;

bigmime_recorder = recorder ( "bin/list packages/id/bigmime.cfg",
        "bigmime_schema" ) ;

filter bigmime tcp ( ) {
        declare $seen inside tcp.connSym ;
        declare $session inside tcp.connSym ;
        declare $curious inside tcp.connSym ;
        declare $violation inside tcp.connSym ;
        if ( ! $seen ) {
                $seen = 1 ;
                $session = tcp.blob ;
        } else {
                $session = cat ( $session, tcp.blob ) ;
        }
        $position = index ($session, SEARCHSTRING ) ;
        if ( $position > -1 ) {
                # Hmm
                $tempstring = substr ( $session, $position) ;
                $endofline = index ( $tempstring, "\n" ) ;
                if ( $endofline > MAXLINELEN ) {
                        $violation = 1 ;
                }
        }
        if ( $violation != 1 ) {
                if ( strlen ( $session ) > BUFFLEN ) {
                        $session = substr ( $session, BUFFLEN ) ;
                }
        }
}


filter donemime tcp ( discardsession ) {
        declare $seen inside tcp.connSym ;
        declare $session inside tcp.connSym ;
        declare $curious inside tcp.connSym ;
        declare $violation inside tcp.connSym ;
        if ( $violation == 1 ) {
                echo ( tcp.connSrc, ":", tcp.connSport, " -> ", tcp.connDst,
                        ":", tcp.connDport, " violated the rule.\n" ) ;
                echo ( $session, "\n" ) ;
                $message = cat ( tcp.connSrc, ":", tcp.connSport, " -> ",
                        tcp.connDst, ":", tcp.connDport,
                        " -- saw a large MIME entry", "\n" ) ;
                alert ( alert:BIG_MIME, alert:SUSPICIOUS_ACTIVITY, $message ) ;
                # field order matches the schema and the column labels in
                # bigmime.cfg: hash, source ip/port, dest ip/port, blob
                record system.time, tcp.connHash, tcp.connSrc, tcp.connSport,
                        tcp.connDst, tcp.connDport, $session to
                        bigmime_recorder ;
        }
}





-----------------------

bigmime.cfg

#
#        Copyright(C) 1998 Network Flight Recorder, Inc.
#        All rights reserved.
#
#        Use and distribution of this software and its source code
#        are governed by the terms and conditions of the
#        Network Flight Recorder Software License ("LICENSE.TXT")
#
#       Abstract: bigmime configuration file.
#       Notes:  See bigmime.nfr for details
#       Author: M. Dodge Mumford, NFR
#       Date:   31 July 1998
#


enabled=true
title=Big MIMEs
gui=list

num_columns=6
column_1_type=p_int
column_2_type=p_src_ip
column_3_type=p_src_port
column_4_type=p_dst_ip
column_5_type=p_dst_port
column_6_type=p_string

column_1_label=TCP Hash
column_2_label=Source IP
column_3_label=Source Port
column_4_label=Dest IP
column_5_label=Dest Port
column_6_label=Blob

cfversion=1
rollover_size=yes
rollover_size_val=1024000
rollover_time=YES
rollover_time_val=300000

archive_path=data/%p/%b/%y/%m%d/

modified=false
origin=M. Dodge Mumford, NFR







-----
Dodge   dodge () nfr net   PGP key available upon request
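As an added example, not code from the original post or from the NFR distribution, the same "Content-" to newline length check reimplemented in Python over a reassembled TCP byte stream. It goes a little beyond the N-Code: every Content- header in the buffer is measured (not only the first one found), RFC 822 folded continuation lines are unfolded before measuring, and a header that is already over the threshold is flagged before its terminating newline arrives. The three sample messages are constructed for the example, not captured traffic; the class and function names are the example's own.

```python
"""Streaming detector for over-long MIME "Content-*" header lines.

Added example, not the original post's or NFR's code.  Mirrors the idea
of bigmime.nfr and closes three gaps of its "\n"-delimited check: all
Content- headers are measured, folded continuation lines are unfolded,
and an over-long header is flagged before its "\n" arrives.
"""
import re
from typing import List, Optional, Tuple

SEARCHSTRING = b"Content-"
MAXLINELEN = 100                        # same threshold as bigmime.nfr
_FOLD = re.compile(rb"\r?\n[ \t]+")     # line break followed by WSP = fold


class BigMimeDetector:
    """Call feed() with TCP payload chunks in order, then close()."""

    def __init__(self, maxlinelen: int = MAXLINELEN, unfold: bool = True):
        self.maxlinelen = maxlinelen
        self.unfold = unfold            # False mimics bigmime.nfr's "\n" check
        self.buf = b""
        self.eof = False
        self.violations: List[Tuple[bytes, int]] = []   # (header name, length)

    def feed(self, chunk: bytes) -> None:
        self.buf += chunk
        self._scan()

    def close(self) -> None:
        self.eof = True
        self._scan()

    def _end_of_header(self, pos: int) -> Optional[int]:
        """Offset of the "\n" ending the logical header at pos, or None if
        the line (or a possible continuation line) has not fully arrived."""
        i = pos
        while True:
            nl = self.buf.find(b"\n", i)
            if nl < 0:
                return None
            if not self.unfold or (self.eof and nl + 1 == len(self.buf)):
                return nl
            if nl + 1 == len(self.buf):
                return None             # next byte decides whether it folds
            if self.buf[nl + 1] in b" \t":
                i = nl + 1              # continuation line: keep measuring
                continue
            return nl

    def _measure(self, line: bytes) -> int:
        if self.unfold:
            line = _FOLD.sub(b" ", line)
        return len(line.rstrip(b"\r\n"))

    def _flag(self, line: bytes) -> None:
        self.violations.append((line.split(b":", 1)[0], self._measure(line)))

    def _scan(self) -> None:
        while True:
            pos = self.buf.find(SEARCHSTRING)
            if pos < 0:
                # keep a tail so "Content-" split across two segments is seen
                self.buf = self.buf[-(len(SEARCHSTRING) - 1):]
                return
            end = self._end_of_header(pos)
            if end is None:
                partial = self.buf[pos:]
                if self._measure(partial) > self.maxlinelen:
                    self._flag(partial)             # too long already
                    self.buf = self.buf[pos + len(SEARCHSTRING):]
                    continue
                self.buf = self.buf[pos:]           # wait for the rest
                return
            line = self.buf[pos:end]
            if self._measure(line) > self.maxlinelen:
                self._flag(line)
            self.buf = self.buf[end + 1:]


def detect(stream: bytes, segment: int, **kw) -> List[Tuple[bytes, int]]:
    """Deliver `stream` in `segment`-byte pieces, as TCP would, and report."""
    det = BigMimeDetector(**kw)
    for i in range(0, len(stream), segment):
        det.feed(stream[i:i + segment])
    det.close()
    return det.violations


# Constructed sample messages (not captured traffic).
ATTACK = (b"From: a@example.com\r\n"
          b"Content-Type: multipart/mixed; boundary=\"xx\"\r\n\r\n--xx\r\n"
          b"Content-Disposition: attachment; filename=" + b"A" * 300 +
          b"\r\n\r\n")
BENIGN = (b"From: a@example.com\r\n"
          b"Content-Type: text/plain; charset=us-ascii\r\n"
          b"Content-Transfer-Encoding: 7bit\r\n\r\n"
          b"Hello, the body mentions Content-Length: 12 and stays short.\r\n")
# Same long filename, folded so that no physical line exceeds MAXLINELEN.
FOLDED = (b"Content-Disposition: attachment;\r\n filename=\"" + b"A" * 60 +
          b"\r\n" + b"".join(b" " + b"A" * 60 + b"\r\n" for _ in range(4)) +
          b" \"\r\n\r\n")

if __name__ == "__main__":
    print(detect(ATTACK, 64))                  # one hit, length > 100
    print(detect(BENIGN, 16))                  # []
    print(detect(FOLDED, 1500, unfold=False))  # [] -- evades the "\n" check
    print(detect(FOLDED, 1500))                # [(b'Content-Disposition', 349)]
```

The FOLDED message is the point of the unfold option: a reader that unfolds headers per RFC 822 sees one 349-byte Content-Disposition value, while a check that stops at the first "\n" (unfold=False, like the N-Code) sees only a 32-byte line and stays silent. Running with unfold=True catches it; the per-connection buffer should still be capped in a real sensor, as the spaceman.cf note in the .nfr file warns.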