From: Bernhard Brehm (bruhnsrecurity-labs.com)
Date: Mon Dec 08 2008 - 16:56:05 CST
> You want *real* loads of fun? Go read up on message/partial ;)
You're right. The RFCs do read like fun. I did some testing on DoS
attacks with message/partial before I found the other problems. However,
most applications refuse to reassemble messages.
The situation is quite similar to the reason, why MTAs like sendmail
are no real target for such attacks: No server should try to convert
8bit encoding to 7bit encoding any more. Nobody needs to split a message
into several parts for transfer and expects the mail client to reassemble
the parts. Not all pieces of MIME-related software really need to
understand these rather obscure content-types.
Another grateful target is multipart/related (rfc2387) in combination
with text/html. Once the problems with nesting and overly large
multiparts are resolved, you will want to look there for more bugs. One
type of attacks to be found there is to cause quadratic or worse memory
consumption at the target (quadratic with respect to the email size)-
quite similar to Fefe's 42.zip or all these web browser DoS things with
But, you do not need to look at obscure content-types in order to mount
effective DoS attacks. The two PoC mails nesty and multikill are very
basic and simple and effective. Try them on your mail system! Every
application needs to understand the multipart/mixed content-type, there
is no way of refusing to parse it. Many applications in your system try
to parse MIME: Spam filters (at least old versions of SpamAssassin used
to crash), antivirus, webmail servers, mailing list software (at least
old versions of Mailman used to crash), email clients, 3-letter-agencies
(who knows?), msn-messenger (really!), mayhaps some IPS.
> "Nesty" and "multikill" were already recognized as a potential issue all the
> way back in 1996. Mike Weston worries about thousands of bodyparts, and Ned
> Freed thought that deep nesting was more likely to be an issue:
Thanks! That's quite an early reference and by one of the original
authors of MIME.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
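A defender-side gate of the kind the post argues every MIME consumer needs, as an added example that is not from the post or its PoC mails: it walks a parsed message with an explicit stack and rejects it once nesting depth (the "nesty" pattern) or body-part count (the "multikill" pattern) passes a limit. The limit values, the helper names and the two constructed sample builders are assumptions of mine.

```python
"""Bound MIME nesting depth and body-part count before a message goes downstream."""
import email
from email import policy
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 8     # assumed policy limit: multipart levels, root counts as 1
MAX_PARTS = 500   # assumed policy limit: total body parts including the root


def check_mime_limits(msg, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Iterative walk (explicit stack, no recursion, so deep nesting cannot
    blow the interpreter stack). Returns (ok, deepest, parts, reason)."""
    stack = [(msg, 1)]
    parts = 0
    deepest = 0
    while stack:
        part, depth = stack.pop()
        parts += 1
        deepest = max(deepest, depth)
        if depth > max_depth:
            return False, deepest, parts, "nesting depth exceeded"
        if parts > max_parts:
            return False, deepest, parts, "part count exceeded"
        if part.is_multipart():
            for child in part.get_payload():
                stack.append((child, depth + 1))
    return True, deepest, parts, "ok"


def check_raw(raw_bytes, **limits):
    """Parse, then gate. Python's parser builds the whole tree first, so the
    parse cost is still paid; the gate protects whatever consumes the tree."""
    return check_mime_limits(email.message_from_bytes(raw_bytes, policy=policy.default), **limits)


def build_nesty(levels):
    """Constructed sample: multipart/mixed nested `levels` deep around one text leaf."""
    inner = MIMEText("leaf")
    for _ in range(levels):
        outer = MIMEMultipart("mixed")
        outer.attach(inner)
        inner = outer
    return inner


def build_multikill(count):
    """Constructed sample: a single multipart/mixed holding `count` tiny text parts."""
    msg = MIMEMultipart("mixed")
    for i in range(count):
        msg.attach(MIMEText(f"part {i}"))
    return msg
```

A streaming parser would apply the same two counters per boundary line instead of after the tree exists, which is where the memory actually goes.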