mimes
== DoS attacks on MIME-capable software via complex MIME emails ==
== Preface ==
At phneutral 0x7d8 and RSS 08, I gave short talks on a widely unregarded
problem with MIME software. Due to popular demand, I decided to publish a
short writeup of the talk.
== What is MIME? ==
MIME is the standard format for email messages. One could say MIME is to
email what HTML is to the web. The first RFC for MIME was published in
Also, the same vulnerabilities were reported and fixed in Sendmail
(CVE-2006-1173).
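The attack class the talk describes (and the Sendmail fix above addresses) is a message whose MIME structure, not its size, exhausts the parser. The following is an added example, not code from the talk or from any mail software: it constructs a deeply nested multipart message with Python's standard library and then applies a guard that bounds raw size, nesting depth and part count before the message reaches the rest of a pipeline. The limits and addresses are assumptions chosen for illustration.

```python
"""Added example, not from the talk or from any MIME library: construct
the kind of deeply nested multipart message the talk is about, then apply
a guard that bounds raw size, nesting depth and part count before the
message reaches the rest of the pipeline.  The limits are assumptions to
be tuned per deployment."""
import email
from email import policy
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_BYTES = 10 * 1024 * 1024   # reject before parsing anything
MAX_DEPTH = 8                  # multipart levels
MAX_PARTS = 500                # total parts, leaves included


def build_nested_message(depth: int) -> bytes:
    """Constructed test input: `depth` multipart/mixed wrappers around one
    text/plain leaf.  Real abusive mails also fan out wide (many siblings)."""
    node = MIMEText("leaf", "plain")
    for i in range(depth):
        wrapper = MIMEMultipart("mixed", boundary=f"b{i}")
        wrapper.attach(node)
        node = wrapper
    node["From"] = "sender@example.test"
    node["To"] = "victim@example.test"
    node["Subject"] = f"nested x{depth}"
    return node.as_bytes()


def measure(raw: bytes):
    """Parse and return (max_depth, part_count), walking with an explicit
    stack so the measurement itself cannot blow the call stack."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    max_depth, parts = 0, 0
    stack = [(msg, 0)]
    while stack:
        part, depth = stack.pop()
        parts += 1
        max_depth = max(max_depth, depth)
        if part.is_multipart():
            for child in part.get_payload():
                stack.append((child, depth + 1))
    return max_depth, parts


def accept_message(raw: bytes):
    """Return (accepted, reason).  The size cap is the only check that runs
    before parsing; the stdlib parser recurses once per multipart level,
    so a RecursionError from it is treated as a rejection, not a crash."""
    if len(raw) > MAX_BYTES:
        return False, f"size {len(raw)} exceeds {MAX_BYTES} bytes"
    try:
        depth, parts = measure(raw)
    except RecursionError:
        return False, "nesting too deep for the parser"
    if depth > MAX_DEPTH:
        return False, f"nesting depth {depth} exceeds {MAX_DEPTH}"
    if parts > MAX_PARTS:
        return False, f"{parts} parts exceed {MAX_PARTS}"
    return True, "ok"


if __name__ == "__main__":
    for d in (3, 20):
        print(d, accept_message(build_nested_message(d)))
```

The size cap is the only check that costs nothing; depth and part count are only known after a parse, which is why a production guard belongs inside the parser (as the Sendmail fix did) rather than after it.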
--Tuesday, December 9, 2008, 1:52:17 AM, you wrote to bugtraq@securityfocus.com:
brlc> == DoS attacks on MIME-capable software via complex MIME emails ==
brlc> == Preface ==
brlc> On the phneutral 0x7d8 and RSS 08, I gave short talks on a widely unregarded
brlc> problem with MIME software. Due to popular demand, I decided to publish a
brlc> short writeup of the talk.
Survey: "MIME/Content-Type-Sniffing" Issues in Image Uploads in Forum Scripts
Author: Jacques Copeau
Abstract
====================================================
Internet Explorer, especially versions 7 and 6, can be tricked to treat images
as html, opening XSS vulnerabilities in software that allows uploads.
In a survey, we found myBB, fluxBB, phorum, SMF and WBB to be vulnerable to
such attacks.
$test_form = true;
$test_size = true;
// If you override this, you must provide $ext and $type!!!!
$test_type = true;
$mimes = false;
---[cut]---
// A properly uploaded file will pass this test. There should be no reason to override this one.
if (! @ is_uploaded_file( $file['tmp_name'] ) )
return $upload_error_handler( $file, __( 'Specified file failed upload test.' ));
The problem derives from the sequence of actions Internet Explorer
performs to determine the content type of the content to be loaded and
the appropriate way to render it. The algorithm followed for this purpose
is described in Microsoft's Knowledge Base article titled MIME Type
Detection in Internet Explorer [4] and implemented in the function
'FindMimeFromData' in 'URLMON.DLL' [5].
In the following section, proof of concept code is provided to
demonstrate the problem using the local storage used by Internet
Explorer to store the user's browsing history to deliver HTML with
The proofs of concept below exploit the aforementioned issue by taking
advantage of other features of Internet Explorer. Keep in mind that:
* Besides the common web content types (such as plain HTML, image, audio
and video) the browser is also able to render other standardized content
types, among them MIME HTML, or mhtml. Overriding the way IE chooses to
render a file (described in [3]) forces the rendering type to MIME HTML
by using the protocol handler for mhtml in the following manner:
mhtml:[PATH_TO_RESOURCE]
This vulnerability is documented in CVE-2004-2486 and Cisco Bug ID
CSCsh79629.
SIP-Only Related Vulnerabilities
* SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a buffer overflow vulnerability in
the handling of Multipurpose Internet Mail Extensions (MIME)
encoded data. By sending a specially crafted SIP message to a
March 19, 2009: Tony replied stating the preference for PGP communication.
Further communication:
March 20, 2009: Technical details and PoC code were sent to Tony, in PGP MIME format.
March 20, 2009: Tony replied with a new case identifier MSRC 9011jr and informed us of a new case manager, Jack.
March 21, 2009: We further reported that IE 8 was affected by the same bug, in PGP MIME format.
Feb 26, 2008
I. BACKGROUND
Mozilla Thunderbird is an open source electronic mail client and news
reader. Multipurpose Internet Mail Extensions (MIME) is a standard
that defines how non-text attachments and other data are handled in
electronic mail. The external-body MIME type is used for retrieving a
resource that is referenced in the message, such as an attachment. For
more information, see the vendor's website at the following URL.
3. Attacker convinces victim to visit the direct link to
uploaded file.
4. Victim’s cookies and other sensitive data gets sent to
attacker’s site.
5. Note: For Internet Explorer (v7, 8) the task is easier because it
performs automatic MIME type detection, so JavaScript can be executed from
a file with any extension. E.g. click
http://securethoughts.com/security/rssatomxss/anyfile.tx. Other browsers
(Firefox 3.5, Safari 4, Opera 10 and Chrome 3) don't support this
behaviour (perhaps for security reasons), so the extensions mentioned
above can be used as a workaround for script execution in Opera
Asterisk Project Security Advisory - AST-2007-021
+------------------------------------------------------------------------+
| Product | Asterisk |
|--------------------+---------------------------------------------------|
| Summary | Crash from invalid/corrupted MIME bodies when |
| | using voicemail with IMAP storage |
|--------------------+---------------------------------------------------|
| Nature of Advisory | Crash |
|--------------------+---------------------------------------------------|
| Susceptibility | Remote Unauthenticated Sessions |
$mklib->error_page($message);
exit;
}
@chmod("mkportal/blog/images/tmp/$file_name", 0644);
//Validate by mime type. Note: getimagesize() only parses the image
//header, so a file that begins with a valid image header and carries
//HTML after it still passes this test.
$tmpfilename = "mkportal/blog/images/tmp/$file_name";
$size = @getimagesize($tmpfilename);
//If getimagesize does not recognize the file as an image, delete it
if (!$size) {
@unlink($tmpfilename);
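Both the survey above (images treated as HTML by IE 6/7) and the getimagesize() check in the MkPortal snippet come down to the same gap: a header check proves the file starts like an image, while the browser decides what to render by scanning the leading bytes for HTML. The following is an added example, not code from the survey, from MkPortal or from Microsoft: it builds a GIF/HTML polyglot that passes a getimagesize-style header check, models the tag scan FindMimeFromData performs over a 256-byte window (a simplified model with an illustrative subset of tags, not the URLMON table), and shows a stricter validator plus the response headers to serve user uploads with. The file bytes and filenames are constructed for the example.

```python
"""Added example, not from the survey or any of the forum packages it
names: a GIF/HTML polyglot that passes a getimagesize-style header check,
a simplified model of the tag scan Internet Explorer 6/7 performed on the
first 256 bytes, and a stricter validator plus response headers for
serving user uploads."""
import re
import struct

# Illustrative subset of the tags the sniffer looks for, not the full
# URLMON table.
HTML_TAG_RE = re.compile(
    rb"<\s*(?:html|head|body|script|iframe|img|title|table|div)\b", re.I)
SNIFF_WINDOW = 256

# Constructed 1x1 GIF (header, image descriptor, LZW data, trailer).
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
               b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
               b"\x02\x02\x44\x01\x00\x3b")


def gif_dimensions(data: bytes):
    """Mimic what getimagesize() checks for a GIF: a GIF87a/GIF89a signature
    and a logical screen descriptor.  Returns (width, height) or None."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    width, height = struct.unpack("<HH", data[6:10])
    if width == 0 or height == 0:
        return None
    return width, height


def ie_sniffs_html(data: bytes) -> bool:
    """Simplified model of FindMimeFromData's tag scan: an HTML tag inside
    the first 256 bytes makes pre-IE8 browsers render the body as HTML."""
    return HTML_TAG_RE.search(data[:SNIFF_WINDOW]) is not None


def make_polyglot(payload_html: bytes) -> bytes:
    """Constructed attack file: a valid GIF89a header followed by HTML."""
    header = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"
    return header + payload_html


def validate_image_upload(data: bytes):
    """Stricter check: the header must parse AND no HTML tag may appear
    anywhere in the file (conservative: a rare false positive on a real
    image beats serving script).  Re-encoding the image with an image
    library is the robust alternative when one is available."""
    if gif_dimensions(data) is None:
        return False, "not a GIF"
    if HTML_TAG_RE.search(data):
        return False, "HTML markup embedded in image"
    return True, "ok"


def download_headers(filename: str) -> dict:
    """Headers for serving any user upload.  nosniff only exists from IE8
    on, so the attachment disposition is what protects IE6/7 users."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/gif",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe}"',
    }


if __name__ == "__main__":
    evil = make_polyglot(b"<html><script>alert(document.cookie)</script></html>")
    print(gif_dimensions(evil), ie_sniffs_html(evil), validate_image_upload(evil))
    print(gif_dimensions(MINIMAL_GIF), ie_sniffs_html(MINIMAL_GIF),
          validate_image_upload(MINIMAL_GIF))
```

The polyglot satisfies the header check and is sniffed as HTML; the whole-file tag scan rejects it while the constructed clean GIF passes. Serving uploads from a separate origin, with an attachment disposition, removes the remaining risk for browsers that sniff regardless of headers.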
Although these specific vulnerabilities exist in a third-party component,
the problem is compounded by the way Lotus Notes displays information about
attachments, making it easier to elicit unsuspecting assistance from
users to exploit them. Lotus Notes displays the file type and
corresponding icon based on the attached file’s extension rather than the
MIME Content-Type header in the email whereas the view functionality is
handled by the Verity KeyView component which processes the attachment
based on the file contents. Exploitation of these vulnerabilities
requires end-user interaction but the discrepancy described above could
allow an attacker to send a malicious Lotus 1-2-3 file as an attachment
with a seemingly innocuous extension (for example, .JPG or .GIF) that
the following problems:
CVE-2009-3237
It has been discovered that horde3 is prone to cross-site scripting
attacks via crafted number preferences or inline MIME text parts when
using text/plain as MIME type.
For lenny this issue was already fixed, but as an additional security
precaution, the display of inline text was disabled in the configuration
file.
resubmit the issues to KDE and contacted oCERT asking for assistance in
disclosure coordination.
Ark input sanitization errors:
The KDE archiving tool, Ark, performs insufficient validation, which allows
specially crafted archive files with unknown MIME types to be rendered in
a KHTML instance; this can trigger uncontrolled XMLHttpRequests to remote
sites.
IO Slaves input sanitization errors:
KDE protocol handlers perform insufficient input validation, an attacker
#2008-012 Horde, Popoon frameworks common input sanitization errors (XSS)
Two cross-site scripting (XSS) vulnerabilities were reported in Horde
Framework. The first is that the Horde framework fails to properly
sanitize the filename of MIME attachments on received emails. The second
vulnerability has a wider impact.
Horde relies on code similar to Popoon's externalinput.php to filter out
potential XSS attacks on user-supplied input. This filter, and the original,
fail to fully sanitize user data. In particular, this filter fails to
It is known that in some circumstances (for example when the PHP handler
is configured using AddType/Action/AddHandler globally, i.e. not inside
an Apache Files/FilesMatch directive) blacklisting is not enough, as
files of the form "filename.php.foo" will be mapped back to PHP
anyway (since foo is not explicitly defined in the MIME map, Apache
ignores it and falls back to the handler selected by the .php extension).
Besides this known issue we want to point out a less known exploitation
methodology that works on Windows hosts.
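The multi-extension mapping described above is a property of how mod_mime walks a filename, so it is worth seeing the weak and the hardened configuration side by side. The following is an added example, not Apache's own code or configuration from the advisory: a small model of mod_mime's extension walk, with the global AddHandler setup the text describes and the FilesMatch form that anchors the match to the end of the name. The extension table is an illustrative assumption, not a copy of mime.types.

```python
"""Added example, not Apache's own code: a small model of how mod_mime
assigns a handler to a multi-extension filename, contrasting the global
AddHandler/AddType setup the text describes with a FilesMatch block that
anchors the match to the end of the name.  The extension tables are
illustrative assumptions, not a copy of mime.types."""
import re

# Illustrative subset of mime.types.
MIME_TYPES = {
    "jpg": "image/jpeg",
    "gif": "image/gif",
    "txt": "text/plain",
    "html": "text/html",
}

# Weak configuration the text describes (mod_php registers its type as a
# handler, so AddType and AddHandler behave the same here):
#   AddHandler application/x-httpd-php .php
GLOBAL_PHP = {"php": "application/x-httpd-php"}

# Hardened configuration: only names that *end* in .php hit the handler.
#   <FilesMatch "\.php$">
#       SetHandler application/x-httpd-php
#   </FilesMatch>
PHP_FILESMATCH = r"\.php$"


def mod_mime_resolve(filename: str, handlers: dict):
    """Model of mod_mime: every extension is examined left to right; an
    extension mapped to a handler sets the handler, one mapped to a type
    sets the type, and an extension known for neither is skipped.  That
    skip is why filename.php.foo still reaches PHP."""
    handler = ctype = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in handlers:
            handler = handlers[ext]
        if ext in MIME_TYPES:
            ctype = MIME_TYPES[ext]
    return handler, ctype


def filesmatch_resolve(filename: str, pattern: str, handler: str):
    """Model of <FilesMatch pattern> SetHandler handler </FilesMatch>:
    the handler applies only when the regex matches the filename."""
    return handler if re.search(pattern, filename) else None


def executes_as_php(filename: str, hardened: bool) -> bool:
    """Would a request for this upload run through the PHP handler?"""
    if hardened:
        return filesmatch_resolve(filename, PHP_FILESMATCH,
                                  GLOBAL_PHP["php"]) is not None
    return mod_mime_resolve(filename, GLOBAL_PHP)[0] is not None


if __name__ == "__main__":
    for name in ("shell.php.foo", "shell.php.jpg", "photo.jpg", "index.php"):
        print(name, executes_as_php(name, False), executes_as_php(name, True))
```

Note that the FilesMatch form stops execution but does not stop the upload itself: shell.php.foo is then served with whatever type Apache assigns to an unknown extension, so the upload filter still has to reject it.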
------------------------------------------------------------------------
Evolution TNEF Attachment decoder plugin
------------------------------------------------------------------------
The plugin is started on e-mail attachments that have a MIME type of
either application/vnd.ms-tnef or application/ms-tnef. It creates a
temporary directory under ~/.evolution/cache/tmp using the format
tnef-attachment-XXXXXX. The TNEF attachment is saved as
.evo-attachment.tnef.
</html>
</xsl:template>
</xsl:stylesheet>
To mount the attack, the attacker would serve a web page with an XML
MIME type that requests to be styled by the evil stylesheet:
<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>
<xml>
irrelevant
investigation, the vendor determined that the proof of concept provided
by Core was actually exploiting a different bug than the one originally
reported, and therefore it should be considered a separate security
issue. The URLMON sniffing vulnerability refers to the variant
discovered in the CORE-2008-0826 timeline. When loading a local file,
Internet Explorer's HTML rendering engine [7] will only check its MIME
type to see if it is a positive match on the files it can handle. For
unknown types that are treated as HTML because they've been referred to
by a redirection, content type determination will default to 'text/html'
in the absence of a type explicitly set by the content source. In the case
of non-HTML files for which there isn't an explicit content type set,
* Tobias Schlottke reported that the :limit and :offset parameters of
ActiveRecord::Base.find() are not properly sanitized before being
processed (CVE-2008-4094).
* Steve from Coderrr reported that the CSRF protection in
protect_from_forgery() does not parse the text/plain MIME format
(CVE-2008-7248).
* Nate reported a documentation error that leads to the assumption
that a block returning nil passed to
authenticate_or_request_with_http_digest() would deny access to the
(http://www.aos.net.au) reported that the vmfeed module, an insecure
implementation of the insecure VMcasting protocol (http://www.vmcasting.org/)
includes a silent update mechanism that downloads and executes Python code
from Enomaly's corporate web server (http://enomaly.com/fileadmin/eggs/)
over HTTP, without authentication or integrity checks. The code is triggered
when the "application/python-egg" MIME type is encountered.
The module also contains functionality for downloading workloads (virtual
machines) from a feed which is itself retrieved over HTTP. While the VMcasting
protocol (http://www.vmcasting.org/) describes a mechanism for digitally
signing payloads, the mechanism is not implemented and there is no requirement
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2008-3823
Will Drewry discovered that Horde allows remote attackers to send
an email with a crafted MIME attachment filename attribute to perform
cross-site scripting.
For the stable distribution (etch), this problem has been fixed in
version 3.1.3-4etch4.
attacks (CVE-2008-0416).
The following vulnerability was reported in Thunderbird and SeaMonkey:
* regenrecht (via iDefense) reported a heap-based buffer overflow
when rendering an email message with an external MIME body
(CVE-2008-0304).
The following vulnerabilities were reported in Firefox, SeaMonkey and
XULRunner:
Debian bug : #547318
CVE ID : CVE-2009-3236
Stefan Esser discovered that Horde, a web application framework providing
classes for dealing with preferences, compression, browser detection,
connection tracking, MIME, and more, is insufficiently validating and
escaping user provided input. The Horde_Form_Type_image form element
allows reuse of a temporary filename on re-uploads; the name is stored in
a hidden HTML field and then trusted without prior validation. An attacker
can use this to overwrite arbitrary files on the system or to upload PHP
code and thus execute arbitrary code with the rights of the webserver.
[ Analysis ]
I. Cross Site Scripting
Let's suppose mod_negotiation is enabled and an attacker can upload
a file with an arbitrary name and any MIME extension.
For example a legit jpeg file named:
<img src=sa onerror=eval(document.location.hash.substr(1))>.jpg
Then by requesting it without extension with Accept header set to
file on Chrome's download bar can make it automatically open in IE6, Safari.
See the proof of concept examples below.
V. PROOF OF CONCEPT
-------------------------
1. The MHT, or MHTML (MIME HTML), file format is used by Internet Explorer
to embed all external resources, usually images, in a single document.
Basically, whenever you click "Save As" on a web page, this is the default
format used to save it. So MHT/MHTML files get automatically opened in IE
when clicked. The exploit I want to discuss is interesting in the context of
IE6 (estimated to be installed on roughly 25% of computers). For other
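The mhtml: protocol handler mentioned in the earlier Internet Explorer item and the MHT/MHTML save format described here operate on the same structure: a MIME multipart/related message whose parts are addressed by Content-Location (RFC 2557). The following is an added example, not code from either advisory, that builds such a document with Python's standard library and reads it back the way a renderer resolves a resource reference. The URLs, page HTML and image bytes are constructed placeholders.

```python
"""Added example, not part of the advisory: build a minimal MHTML (MIME
HTML, RFC 2557) document with the stdlib email package and read it back
by Content-Location, which is how the mhtml: handler locates the parts.
The URLs, HTML and image bytes are constructed placeholders."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ROOT_URL = "http://example.test/page.html"
LOGO_URL = "http://example.test/logo.gif"
PAGE_HTML = '<html><body><img src="http://example.test/logo.gif"></body></html>'
LOGO_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"   # placeholder, not a full image


def build_mhtml(html: str, resources: dict) -> bytes:
    """resources maps a Content-Location URL to (content_type, bytes).
    The root HTML becomes the first part of a multipart/related body."""
    msg = EmailMessage()
    msg["Subject"] = "saved page"
    msg.set_content(html, subtype="html")
    msg["Content-Location"] = ROOT_URL
    msg.make_related()   # moves the HTML and its Content-* headers into part 1
    for location, (ctype, data) in resources.items():
        maintype, subtype = ctype.split("/", 1)
        msg.add_related(data, maintype=maintype, subtype=subtype,
                        headers=[f"Content-Location: {location}"])
    return msg.as_bytes()


def parts_by_location(raw: bytes) -> dict:
    """Parse an MHTML blob and index its leaf parts by Content-Location,
    the lookup a renderer performs when the HTML references a resource
    URL.  Nothing about the file's extension or served type matters here,
    which is why the mhtml: handler can render any file that parses."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    index = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        location = part.get("Content-Location")
        index[str(location)] = (part.get_content_type(), part.get_content())
    return index


def example() -> dict:
    raw = build_mhtml(PAGE_HTML, {LOGO_URL: ("image/gif", LOGO_GIF)})
    return parts_by_location(raw)


if __name__ == "__main__":
    for location, (ctype, content) in example().items():
        print(location, ctype, len(content))
```

The round trip shows the only things the handler needs: a multipart/related container and a Content-Location on each part. A hosted file that happens to parse this way, whatever its extension, is therefore renderable as a page through mhtml:, which is the property the proof of concept above relies on.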
to overflow, causing Thunderbird to crash. If a user enabled JavaScript
and was tricked into opening a malicious web page, an attacker could
cause a denial of service or possibly execute arbitrary code with the
privileges of the user invoking the program. (CVE-2008-2785)
Mozilla developers audited the MIME handling code looking for similar
vulnerabilities to the previously fixed CVE-2008-0304, and changed
several function calls to use safer versions of string routines.
Updated packages for Ubuntu 6.06 LTS:
6. *Vendor Information, Solutions and Workarounds*
The vendor did not provide this information. A possible mitigation
action would be to enable MIME type filtering in your IDS/proxies and
block S3DPlayer traffic:
/-----------
application/x-ston3d-stk
Vulnerability information
The appliance is administered by use of a web browser HTML based front
end. The .htaccess file prohibits unauthenticated access to known HTML
management pages, however other binaries, such as mimencode, are exposed.
By sending a HTTP POST request, it is possible to write arbitrary data
to a default file which has world read-write-execute permissions.
It is then possible to send a HTTP GET request to the written file, to execute