oss-sec mailing list archives
Re: SaltStack 2014.1.10 released
From: Phil Pennock <oss-security-phil () spodhuis org>
Date: Fri, 22 Aug 2014 01:26:48 -0400
On 2014-08-21 at 19:02 +0200, Kristian Fiskerstrand wrote:
> On 08/21/2014 07:00 PM, Kurt Seifried wrote:
>> Ok several people replied privately now, Thunderbird definitely has issues with this, and one person reports apple mail can't see it either. Perhaps we found a new way to send stealthy emails? ;)
>
> Not sure if it is new - from a quick glance it looks like the email in question is missing a MIME boundary before the body.
Kristian is right; slightly disappointing that it took so many mails for someone to just look at the structure and report on the root cause, instead of just trying to see how various different clients handle a "dodgy" message. Memo to self: I know how to spread malware amongst the security community, now.

Per specification for multipart/* types, if there is content before the first MIME boundary then it is deliberately not displayed by MIME-capable email clients; this is usually used by user-agents to insert a "this message is MIME, upgrade your ancient client" type of message, but even that is rare today.

Given a boundary defined as "foo" then the message is divided up into sections ("body parts") by lines "\r\n--foo\r\n" and ending with a final line "\r\n--foo--\r\n". When the first boundary line got dropped, the content of the message became preamble.

The definition is in RFC2046. The definition for OpenPGP in MIME is in RFC3156, which states:

----------------------------8< cut here >8------------------------------
The multipart/signed body MUST consist of exactly two parts. The first part contains the signed data in MIME canonical format, including a set of appropriate content headers describing the data.

The second body MUST contain the OpenPGP digital signature. It MUST be labeled with a content type of "application/pgp-signature".
----------------------------8< cut here >8------------------------------

So: message as posted to list was malformed, something dropped a significant line; every MIME compliant mail-client, by deliberate design, dropped everything before the first boundary line, so yes this is a way to sneak through messages. The only MIME part left was a signature, which is a protocol violation, and so the behaviours observed are just "how do mail-clients report malformed signed messages".

-Phil
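The structure check described in the message above, as an added example that is not part of the original post: it parses a multipart/signed message with Python's standard `email` package and flags text sitting before the first boundary and a part count other than two. Both sample messages, the function names and the finding labels are constructed for illustration.

```python
from email import message_from_string, policy

def build(first_boundary: bool) -> str:
    """Constructed multipart/signed sample; optionally drop the first boundary line."""
    lines = [
        "From: sender@example.org",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        "Content-Type: multipart/signed; micalg=pgp-sha256;",
        ' protocol="application/pgp-signature"; boundary="foo"',
        "",
    ]
    if first_boundary:
        lines.append("--foo")
    lines += [
        "Content-Type: text/plain",
        "",
        "Constructed announcement text.",
        "--foo",
        "Content-Type: application/pgp-signature",
        "",
        "(constructed placeholder, not a real signature)",
        "--foo--",
        "",
    ]
    return "\n".join(lines)

def displayed_text(raw: str) -> str:
    """Text a MIME-aware reader would render: text/plain body parts only."""
    msg = message_from_string(raw, policy=policy.default)
    return "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain")

def check_signed(raw: str) -> list:
    """Return structural findings for a multipart/signed message (RFC 3156)."""
    msg = message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        return []
    findings = []
    # Anything before the first boundary is preamble and is never displayed.
    if (msg.preamble or "").strip():
        findings.append("text-before-first-boundary")
    parts = msg.get_payload() if msg.is_multipart() else []
    if len(parts) != 2:
        findings.append("part-count-%d" % len(parts))
    elif parts[1].get_content_type() != "application/pgp-signature":
        findings.append("second-part-not-signature")
    return findings
```

A mail gateway or list software could log these findings for signed mail instead of leaving each client to report the malformed message in its own way.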