Name |
MIME Conversion |
|
Likelyhood of attack |
Typical severity |
High |
High |
|
Summary |
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back. |
Prerequisites |
The target system uses a mail server. Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system. |
Execution Flow |
Step |
Phase |
Description |
Techniques |
1 |
Explore |
Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4). |
|
2 |
Explore |
Identify places in the system where vulnerable MIME conversion routines may be used. |
|
3 |
Exploit |
Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code. |
|
|
Solutions | Stay up to date with third party vendor patches From "Exploiting Software", please see reference below. Use the sendmail restricted shell program (smrsh) Use mail.local |
Related Weaknesses |
CWE ID
|
Description
|
CWE-20 |
Improper Input Validation |
CWE-74 |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
CWE-119 |
Improper Restriction of Operations within the Bounds of a Memory Buffer |
CWE-120 |
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
|
Related CAPECS |
CAPEC ID
|
Description
|
CAPEC-100 |
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice. |
|