Full Disclosure mailing list archives

Re: DoS attacks on MIME-capable software via complex MIME emails


From: Valdis.Kletnieks () vt edu
Date: Mon, 08 Dec 2008 15:38:59 -0500

On Mon, 08 Dec 2008 19:12:26 +0100, Bernhard Brehm said:

I (re)discovered the bug independently in mid 2007. The bug was however
known before. There are some advisories like secunia.com/advisories/11360/
(for Eudora, bug still unfixed) by people who discovered the problem
before, but did not publicly announce or did not see the scope of it. More
recently, there has been a likewise advisory for sendmail, CVE-2006-1173.
There have been other advisories for different antivirus solutions. This
bug is not 0-day at all, it is really old. If you find older advisories,
which cover this bug, or knew it before, mail me so I can update this
section.

You want *real* loads of fun? Go read up on message/partial ;)

"Nesty" and "multikill" were already recognized as a potential issue all the
way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned
Freed thought that deep nesting was more likely to be an issue:

http://www.imc.org/ietf-calendar/archive1/msg00487.html


    * To: Mike Weston <mweston@xxxxxxxxxxxx>
    * Subject: Re: More on merged drafts.
    * From: Ned Freed <Ned.Freed@xxxxxxxxxxxx>
    * Date: Fri, 06 Dec 1996 14:01:39 -0800 (PST)
    * Cc: Alec Dun <AlecDu@xxxxxxxxxxxxxxxxxxxxxx>, fdawson@xxxxxxxxxxxxx, ietf-calendar@xxxxxxx
    * In-reply-to: "Your message dated Fri, 06 Dec 1996 10:58:29 -0800"<>
    * References: <>
    * Sender: owner-ietf-calendar@xxxxxxx

Alec Dun wrote:

I believe MIME is the right way to encapsulate objects for the following
reasons:

1.  MIME already has a way to represent multiple objects in a message.

My guess would be that if many MIME parsers were presented with a
multipart MIME message with thousands of parts (like someone's entire
schedule for a few months), they would blow up.  This is just orders of
magnitude more complex than this mechanism is typically called upon to
handle today.

Maybe I'm just overly proud of my own implementation, but I don't think that
most implementations will have a problem handling this sort of thing. I
routinely receive MIME messages with anywhere from several dozen to several
hundred attachments and have no real problem with it.

Nesting is a very different matter, BTW. I can readily believe that many
implementations won't handle MIME structure nesting a thousand levels deep. (I
also have experience in this area to back up this assessment.) But the usage
being proposed here isn't a deeply nested structure, at least not as far as I
can tell.
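
Added example, not part of the original thread or of any implementation it mentions: a defensive pre-parse check that caps both cases discussed above (thousands of body parts, and deep multipart nesting) by scanning boundary lines with an explicit stack instead of recursion. The limit values, function names and sample builder are assumptions; message/rfc822 and message/partial encapsulation are not followed.

```python
import re

# Approximate extraction of the boundary parameter from a multipart Content-Type header.
BOUNDARY_RE = re.compile(
    rb'^content-type:\s*multipart/.*?boundary\s*=\s*"?([^";\r\n]+)"?',
    re.I | re.M | re.S)

class MimeLimitExceeded(Exception):
    """Raised as soon as a structural limit is crossed."""

def check_mime_structure(raw, max_depth=10, max_parts=1000):
    """Scan raw message bytes line by line, without recursion.

    Returns (deepest_nesting, part_count); raises MimeLimitExceeded early.
    The default limits are assumptions for this example, not values from the thread.
    """
    stack = []      # boundaries of the enclosing multiparts, innermost last
    deepest = parts = 0
    headers = []    # header lines of the entity being read; None while in a body
    for line in raw.splitlines():
        if headers is not None:
            if line.strip():
                headers.append(line)
                continue
            match = BOUNDARY_RE.search(b"\n".join(headers))  # blank line: headers end
            headers = None
            if match:
                stack.append(match.group(1).strip())
                deepest = max(deepest, len(stack))
                if deepest > max_depth:
                    raise MimeLimitExceeded("nesting deeper than %d" % max_depth)
        elif line.startswith(b"--"):
            delim = line[2:].rstrip()
            for i in range(len(stack) - 1, -1, -1):
                if delim == stack[i]:            # delimiter: a new part begins
                    del stack[i + 1:]            # drops unterminated child multiparts
                    parts += 1
                    if parts > max_parts:
                        raise MimeLimitExceeded("more than %d parts" % max_parts)
                    headers = []
                    break
                if delim == stack[i] + b"--":    # close-delimiter: this multipart ends
                    del stack[i:]
                    break
    return deepest, parts

def build_nested(depth):
    """Constructed sample: `depth` multiparts nested inside each other."""
    head = b"".join(b'Content-Type: multipart/mixed; boundary="b%d"\r\n\r\n--b%d\r\n'
                    % (i, i) for i in range(depth))
    tail = b"".join(b"--b%d--\r\n" % i for i in reversed(range(depth)))
    return head + b"Content-Type: text/plain\r\n\r\nhi\r\n" + tail
```

Running the check before the message reaches a full MIME parser or content scanner means an oversized structure is rejected after reading only as many lines as it takes to cross a limit.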

