Vulnerability Development mailing list archives

Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP)


From: cdp () PEAKPEAK COM (Chuck Phillips)
Date: Sat, 11 Mar 2000 08:28:58 -0700


Mikael Olsson wrote:
Why is my nutscrape parsing the vcard contents as HTML? Is this
intended behaviour?

Yes.  It would be interesting to know for different mail browsers if the
vcard --> HTML translation actually could be exploited, e.g., by inserting
<script> tags in the vcard information, even if Java/Javascript is disabled.

Nicolas Justin writes:
Add these lines to your procmailrc
  :0
  * ^Content-Type.*text/html*
  | (formail -r ; echo "You have sent a mail in HTML format, please resend it in plain text format") | /usr/sbin/sendmail -oi -t

Great!  Now we can use Nicolas' email address (and the address of everyone
who takes his advice) as a remailer (possibly then fed to a recipient
amplifier as explained below) -- without waiting for him to go on vacation.

I won't bother posting an exploit script.  :-)

For all you 31337 haxors: I expect this particular address will be
protected by the time this message passes through the moderator.  :-)

  :0
  * ^Content-Type.*multipart/alternative*
  | (formail -r ; echo "You have sent a mail in HTML format, please resend it in plain text format") | /usr/sbin/sendmail -oi -t

There are non-HTML reasons for multipart/alternative.  E.g., PNG vs. JPEG,
different languages and charsets, etc.  Admittedly, text vs. HTML is by far
the most common.

So, if you receive a mail in HTML format, it will be trashed and a mail
will be sent to the sender.

...and that can be a problem.  IMHO, Mikael Olsson had a better idea: Use a
filter.  It might not be trivial, but there are MIME-parsing packages for
Perl, and I suspect, other languages.

IMHO, auto-reply (if not human-monitored and/or seriously filtered) is an
exploit waiting to happen.  It may work a lot more slowly, but several of
the classic */IP-based attacks translate pretty well.

If the original message is included in its entirety by an auto-responder,
it also becomes fertile ground for volume-amplification -- as opposed to
recipient-amplification via mailing lists.  (It looks like Nicolas'
suggestion does *not* do this, but I haven't checked.)

Given the subject of this list (VULN-DEV), I nominate Nicolas for an
honorary tee shirt.  ;^)

        Chuck

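One way to implement the filter Chuck prefers over an auto-reply, together with the checks an auto-responder needs if it is kept at all. This is an added example, not part of the original message or of the procmail recipes in the thread. It assumes a mailbox address user@example.invalid and uses a constructed sample message; the headers it consults (Precedence, Auto-Submitted from RFC 3834, the List-* headers, and the X-Loop marker procmail's formail uses) are standard ones, and the rate limit is an in-memory dict that a real deployment would have to persist.

```python
"""Added example (not from the thread): a MIME filter that keeps the plain-text
alternative instead of the HTML one, plus the guards an auto-responder needs
before it replies to anything.  All addresses and messages are constructed."""
import email
import time
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

OUR_ADDRESS = "user@example.invalid"   # assumed address of the mailbox owner

# Constructed sample: multipart/alternative with a plain part and an HTML part
# that carries a <script> tag, the case the thread worries about.
SAMPLE = """\
From: Someone <someone@example.invalid>
To: user@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Plain text body.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Plain text body.</p><script>/* active content */</script></body></html>
--b1--
"""


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def strip_html_alternatives(msg: EmailMessage) -> EmailMessage:
    """Drop the text/html part of every multipart/alternative that also has a
    text/plain part.  Nothing is trashed and nobody is auto-replied to; the
    reader just never sees the HTML branch.  Alternatives that are not HTML
    (other charsets, image formats) are left alone, as is HTML-only mail."""
    for part in msg.walk():
        if part.get_content_type() != "multipart/alternative":
            continue
        subparts = part.get_payload()
        if not any(p.get_content_type() == "text/plain" for p in subparts):
            continue  # HTML-only: keep it rather than destroy the content
        part.set_payload([p for p in subparts if p.get_content_type() != "text/html"])
    return msg


NEVER_REPLY_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}


def should_auto_reply(msg: EmailMessage, reply_log: Dict[str, List[float]],
                      now: Optional[float] = None, max_per_hour: int = 3) -> Tuple[bool, str]:
    """Guards against the loops and amplification the thread describes.  A spoofed
    From: still reaches whoever it names, so the per-sender rate limit is what
    bounds the damage; the header checks stop the classic reply storms."""
    now = time.time() if now is None else now
    if msg.get("Precedence", "").lower() in ("bulk", "list", "junk"):
        return False, "Precedence header says bulk/list/junk"
    if msg.get("Auto-Submitted", "no").lower() != "no":
        return False, "message is itself auto-generated (RFC 3834)"
    if any(h in msg for h in ("List-Id", "List-Unsubscribe", "List-Post")):
        return False, "mailing-list traffic: a reply would hit the whole list"
    if OUR_ADDRESS in msg.get_all("X-Loop", []):
        return False, "our own X-Loop marker: this is a reply loop"
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1].lower()
    if not sender or sender.split("@")[0] in NEVER_REPLY_LOCALPARTS:
        return False, "null or system sender (bounce or daemon)"
    recent = [t for t in reply_log.get(sender, []) if now - t < 3600]
    if len(recent) >= max_per_hour:
        return False, "per-sender rate limit reached"
    reply_log[sender] = recent + [now]
    return True, "ok"


def build_reply(msg: EmailMessage) -> EmailMessage:
    """The bounce note itself: it never quotes the original (no volume
    amplification) and is marked so other responders will not answer it."""
    reply = EmailMessage()
    reply["From"] = OUR_ADDRESS
    reply["To"] = str(msg.get("Reply-To") or msg["From"])
    reply["Subject"] = "Re: " + str(msg.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    reply["X-Loop"] = OUR_ADDRESS
    reply.set_content("You have sent a mail in HTML format, please resend it in plain text format.")
    return reply


if __name__ == "__main__":
    cleaned = strip_html_alternatives(parse(SAMPLE))
    print([p.get_content_type() for p in cleaned.walk()])
    ok, why = should_auto_reply(parse("Precedence: bulk\n" + SAMPLE), {})
    print(ok, why)
```

The filter is the safe default: it changes what the recipient sees and sends nothing back, so it cannot be turned into a remailer. If an auto-reply is still wanted, note what `should_auto_reply` cannot do: a forged From: header is indistinguishable from a real one, so the reply will still go wherever the forger points it, and only the rate limit and the refusal to quote the original keep that from becoming an amplifier.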
