Multipurpose Internet Mail Extensions
== DoS attacks on MIME-capable software via complex MIME emails ==
== Preface ==
On the phneutral 0x7d8 and RSS 08, I gave short talks on a widely unregarded
problem with MIME software. Due to popular demand, I decided to publish a
short writeup of the talk.
== What is MIME? ==
MIME is the standard format for email messages. One could say MIME is to
email what HTML is to the web. The first RFC for MIME was published in
Also, same vulnerabilities were reported and fixed in Sendmail
(CVE-2006-1173).
--Tuesday, December 9, 2008, 1:52:17 AM, you wrote to bugtraq@securityfocus.com:
brlc> == DoS attacks on MIME-capable software via complex MIME emails ==
brlc> == Preface ==
brlc> On the phneutral 0x7d8 and RSS 08, I gave short talks on a widely unregarded
brlc> problem with MIME software. Due to popular demand, I decided to publish a
brlc> short writeup of the talk.
Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau
Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked into treating
images as HTML, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.
This vulnerability is documented in CVE-2004-2486 and Cisco Bug ID CSCsh79629.
SIP-Only Related Vulnerabilities
* SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a buffer overflow vulnerability in
the handling of Multipurpose Internet Mail Extensions (MIME)
encoded data. By sending a specially crafted SIP message to a
The problem is derived from the sequence of actions performed by
Internet Explorer to determine the content-type of the content to be
loaded and the appropriate way to render it. The algorithm followed for
this purpose is described in Microsoft's Knowledgebase article titled
MIME Type Detection in Internet Explorer [4] and implemented in the
function 'FindMimeFromData' in 'URLMON.DLL'[5].
In the following section, proof of concept code is provided to
demonstrate the problem using the local storage used by Internet
Explorer to store the user's browsing history to deliver HTML with
$test_form = true;
$test_size = true;
// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
---[cut]---
// A properly uploaded file will pass this test. There should be no reason to override this one.
if (! @ is_uploaded_file( $file['tmp_name'] ) )
return $upload_error_handler( $file, __( 'Specified file failed upload test.' ));
March 19, 2009: Tony replied stating the preference for PGP communication.
Further communication:
March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME format.
March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and informed us of a new case manager, Jack.
March 21, 2009: We further reported that IE 8 was affected by the same bug, in PGP MIME format.
The Proof of Concepts below exploit the aforementioned issue by taking
advantage of other features of Internet Explorer. Keep in mind that:
* Besides the common web content types (such as plain http, image, audio
and video) the browser is also able to render other standardized content
types, among them, MIME HTML or mhtml. And, overriding the way IE
chooses to render a file (described in [3]) presents a way to enforce
the rendering type as MIME HTML by using the protocol handler for mhtml
in the following manner:
mhtml:[PATH_TO_RESOURCE]
Feb 26, 2008
I. BACKGROUND
Mozilla Thunderbird is an open source electronic mail client and news
reader. Multipurpose Internet Mail Extensions (MIME) is a standard
that defines how non-text attachments and other data are handled in
electronic mail. The external-body MIME type is used for retrieving a
resource that is referenced in the message, such as an attachment. For
more information, see the vendor's website at the following URL.
3. Attacker convinces victim to visit the direct link to
uploaded file.
4. Victim's cookies and other sensitive data get sent to the
attacker's site.
5. Note: For Internet Explorer (v7,8), the task is easier
because it does automatic MIME type detection, so you can execute
JavaScript content in a file with any extension. E.g. click
http://securethoughts.com/security/rssatomxss/anyfile.tx. However, other
browsers (Firefox 3.5, Safari 4, Opera 10 and Chrome 3) don't support
this functionality (perhaps for security reasons). So the extensions
mentioned above can be used as a workaround for script execution in Opera
Although these specific vulnerabilities exist in a third-party component,
the problem is compounded by the way Lotus Notes displays information about
attachments, making it easier to elicit unsuspecting assistance from
users in exploiting them. Lotus Notes displays the file type and
corresponding icon based on the attached file's extension rather than the
MIME Content-Type header in the email, whereas the view functionality is
handled by the Verity KeyView component, which processes the attachment
based on the file contents. Exploitation of these vulnerabilities
requires end-user interaction, but the discrepancy described above could
allow an attacker to send a malicious Lotus 1-2-3 file as an attachment
with a seemingly innocuous extension (for example, .JPG or .GIF) that
#2008-012 Horde, Popoon frameworks common input sanitization errors (XSS)
Two cross-site scripting (XSS) vulnerabilities were reported in the Horde
Framework. The first is that the Horde framework fails to properly
sanitize the filename of MIME attachments on received emails. The second
vulnerability has a wider impact.
Horde relies on code similar to Popoon's externalinput.php to filter out
potential XSS attacks on user-supplied input. This filter, and the original,
fail to fully sanitize user data. In particular, this filter fails to
the following problems:
CVE-2009-3237
It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.
Asterisk Project Security Advisory - AST-2007-021
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Crash from invalid/corrupted MIME bodies when |
| | using voicemail with IMAP storage |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Crash |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
$mklib->error_page($message);
exit;
}
@chmod("mkportal/blog/images/tmp/$file_name", 0644);
//Validate by mime type
$tmpfilename = "mkportal/blog/images/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize file as an image delete file
if (!$size) {
@unlink($tmpfilename);
resubmit the issues to KDE and contacted oCERT asking for assistance in
disclosure coordination.
Ark input sanitization errors:
The KDE archiving tool, Ark, performs insufficient validation which leads
to specially crafted archive files, using unknown MIME types, to be
rendered using a KHTML instance, this can trigger uncontrolled
XMLHTTPRequests to remote sites.
IO Slaves input sanitization errors:
KDE protocol handlers perform insufficient input validation, an attacker
It's known that in some circumstances (for example when the PHP handler
is configured using AddType/Action/AddHandler globally, i.e. not inside
an Apache Files/FilesMatch directive) blacklisting is not enough, as
files of the form "filename.php.foo" will be mapped back to PHP
anyway (since foo is not explicitly defined in the MIME map and Apache
will try to guess the file type on its own).
Besides this known issue, we want to point out a less known exploitation
methodology that works on Windows hosts.
------------------------------------------------------------------------
Evolution TNEF Attachment decoder plugin
------------------------------------------------------------------------
The plugin is started on e-mail attachments that have a MIME type of
either application/vnd.ms-tnef or application/ms-tnef. It creates a
temporary directory under ~/.evolution/cache/tmp using the format
tnef-attachment-XXXXXX. The TNEF attachment is saved as
.evo-attachment.tnef.
help:// URLs. This issue only affected Ubuntu 8.10.
Original advisory details:
It was discovered that the KDE libraries could use KHTML to process an
unknown MIME type. If a user or application linked against kdelibs were
tricked into opening a crafted file, an attacker could potentially trigger
XMLHTTPRequests to remote sites.
Updated packages for Ubuntu 8.10:
Secunia Research has discovered a vulnerability in the IMail Client,
which potentially can be exploited by malicious people to compromise a
user's system.
The vulnerability is caused due to a boundary error within the IMail
Client when processing emails containing multipart MIME data. This can
be exploited to cause a data segment-based buffer overflow via an
overly long "boundary" parameter (more than 212 bytes).
======================================================================
5) Solution
Vulnerability information
The appliance is administered through a web-browser-based HTML front
end. The .htaccess file prohibits unauthenticated access to known
HTML management pages; however, other binaries, such as mimencode, are exposed.
By sending an HTTP POST request, it is possible to write arbitrary data
to a default file which has world read-write-execute permissions.
It is then possible to send an HTTP GET request to the written file, to execute
upload permissions, such as granted to the 'advertiser' and
'administrator' roles.
This vulnerability is caused by the (insecure) file upload mechanism of
affected OpenX versions. These check the magic bytes of an uploaded
file to determine its MIME type, and erroneously assume this
information to be reliable. Additionally, while the file name of
uploaded files is changed, the file extension is not.
As such, it is possible to upload image files with embedded PHP code and
a .php file extension. Unless PHP script execution is explicitly prevented
Description
===========
Jesse Ruderman and Petko D. Petkov reported that the jar protocol
handler in Mozilla Firefox and Seamonkey does not properly check MIME
types (CVE-2007-5947). Gregory Fleischer reported that the
window.location property can be used to generate a fake HTTP Referer
(CVE-2007-5960). Multiple memory errors have also been reported
(CVE-2007-5959).
</html>
</xsl:template>
</xsl:stylesheet>
To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>
<xml>
irrelevant
</html>
</xsl:template>
</xsl:stylesheet>
To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealfilebug.xsl"?>
<xml>
irrelevant
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-3823
Will Drewry discovered that Horde allows remote attackers to perform
cross-site scripting via an email with a crafted MIME attachment
filename attribute.
For the stable distribution (etch), this problem has been fixed in
version 3.1.3-4etch4.
Debian bug : #547318
CVE ID : CVE-2009-3236
Stefan Esser discovered that Horde, a web application framework providing
classes for dealing with preferences, compression, browser detection,
connection tracking, MIME, and more, insufficiently validates and
escapes user provided input. The Horde_Form_Type_image form element
allows a temporary filename to be reused on re-uploads; this filename is
stored in a hidden HTML field and then trusted without prior validation.
An attacker can use this to overwrite arbitrary files on the system or to
upload PHP code and thus execute arbitrary code with the rights of the
webserver.
[ Analysis ]
I. Cross Site Scripting
Let's suppose mod_negotiation is enabled and an attacker could upload
a file with an arbitrary name and any extension.
For example a legit jpeg file named:
<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg
Then by requesting it without extension with Accept header set to
Overview:
Quote from http://www.horde.org
"The Horde Application Framework is a general-purpose web application
framework in PHP, providing classes for dealing with preferences,
compression, browser detection, connection tracking, MIME handling,
and more."
During an audit of a PHP web application which is based on the Horde
Application Framework it was discovered that form elements of the type
Horde_Form_Type_image trust a user supplied temporary filename which
Background
==========
The Horde Application Framework is a general-purpose web application
framework written in PHP, providing classes for handling preferences,
compression, browser detection, connection tracking, MIME and more.
Affected packages
=================
-------------------------------------------------------------------