Full Disclosure mailing list archives
Re: DoS attacks on MIME-capable software via complex MIME emails
From: Valdis.Kletnieks () vt edu
Date: Mon, 08 Dec 2008 15:38:59 -0500
On Mon, 08 Dec 2008 19:12:26 +0100, Bernhard Brehm said:
I (re)discovered the bug independently in mid 2007. The bug was however known before. There are some advisories like secunia.com/advisories/11360/ (for Eudora, bug still unfixed) by people who discovered the problem before, but did not publicly announce or did not see the scope of it. More recently, there has been a likewise advisory for sendmail, CVE-2006-1173. There have been other advisories for different antivirus solutions. This bug is not 0-day at all, it is really old. If you find older advisories, which cover this bug, or knew it before, mail me so I can update this section.
You want *real* loads of fun? Go read up on message/partial ;)

"Nesty" and "multikill" were already recognized as a potential issue all the way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned Freed thought that deep nesting was more likely to be an issue:

http://www.imc.org/ietf-calendar/archive1/msg00487.html

* To: Mike Weston <mweston@xxxxxxxxxxxx>
* Subject: Re: More on merged drafts.
* From: Ned Freed <Ned.Freed@xxxxxxxxxxxx>
* Date: Fri, 06 Dec 1996 14:01:39 -0800 (PST)
* Cc: Alec Dun <AlecDu@xxxxxxxxxxxxxxxxxxxxxx>, fdawson@xxxxxxxxxxxxx, ietf-calendar@xxxxxxx
* In-reply-to: "Your message dated Fri, 06 Dec 1996 10:58:29 -0800"<>
* References: <>
* Sender: owner-ietf-calendar@xxxxxxx
Alec Dun wrote:
I believe MIME is the right way to encapsulate objects following reasons: 1. MIME already has a way to represent multiple objects in a message.
My guess would be that if many MIME parsers were presented with a multipart MIME message with thousands of parts (like someone's entire schedule for a few months), they would blow up. This is just orders of magnitude more complex than this mechanism is typically called upon to handle today.
Maybe I'm just overly proud of my own implementation, but I don't think that most implementations will have a problem handling this sort of thing. I routinely receive MIME messages with anywhere from several dozen to several hundred attachments and have no real problem with it.

Nesting is a very different matter, BTW. I can readily believe that many implementations won't handle MIME structure nesting a thousand levels deep. (I also have experience in this area to back up this assessment.) But the usage being proposed here isn't a deeply nested structure, at least not as far as I can tell.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
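Added example (not part of the original message or thread): a structure guard that treats the two cases discussed above separately, many sibling parts versus deep nesting, by walking a parsed message with an explicit stack and rejecting it when either limit is exceeded. The names check_mime_structure, MimeLimitExceeded, MAX_DEPTH and MAX_PARTS and the limit values are assumptions chosen for illustration; the sample messages are constructed.

```python
from email import message_from_bytes
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 10    # assumed policy value, not from the thread
MAX_PARTS = 1000  # assumed policy value, not from the thread

class MimeLimitExceeded(Exception):
    """Raised when a message's MIME tree is wider or deeper than policy allows."""

def check_mime_structure(msg, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Walk the MIME tree with an explicit stack (no recursion).

    Returns (total_parts, deepest_level); the root entity is level 1.
    """
    stack = [(msg, 1)]
    parts = deepest = 0
    while stack:
        part, depth = stack.pop()
        parts += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            raise MimeLimitExceeded(f"nesting depth exceeds {max_depth}")
        if parts > max_parts:
            raise MimeLimitExceeded(f"part count exceeds {max_parts}")
        if part.is_multipart():  # true for multipart/* and message/rfc822
            stack.extend((child, depth + 1) for child in part.get_payload())
    return parts, deepest

def build_flat(n):
    """Constructed sample: one multipart/mixed holding n text parts."""
    root = MIMEMultipart("mixed")
    for i in range(n):
        root.attach(MIMEText(f"part {i}"))
    return root

def build_nested(levels):
    """Constructed sample: a text leaf wrapped in `levels` multipart layers."""
    msg = MIMEText("leaf")
    for _ in range(levels):
        outer = MIMEMultipart("mixed")
        outer.attach(msg)
        msg = outer
    return msg

if __name__ == "__main__":
    for name, sample in (("flat", build_flat(300)), ("nested", build_nested(30))):
        parsed = message_from_bytes(sample.as_bytes())
        try:
            print(name, check_mime_structure(parsed))
        except MimeLimitExceeded as exc:
            print(name, "rejected:", exc)
```

The check runs on a tree the standard-library parser has already built, so it protects downstream consumers (scanners, renderers, archivers) that recurse over the structure; bounding the parser itself requires limits inside the parsing stage.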