CAPEC-42 Détail

CAPEC-42

Nom

MIME Conversion

Probabilité d'attaque

Haute

Gravité typique

Haute

Statut

Draft

Publié

2014-06-23
00h00 +00:00

Modifié

2022-09-29
00h00 +00:00

Liens officiels

CAPEC Mitre.org

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Gestion des notifications

Liste des Notifications

Alerte pour un CAPEC

Restez informé de toutes modifications pour un CAPEC spécifique.

Paramètres

Vous pouvez spécifier un titre qui sera récupéré dans les alertes qui seront envoyées.

Spécifiez le CAPEC ID que vous désirez surveiller.

Planifications

Mois

Prochaine exécution calculée

Jour

Jour de la semaine

Heure

Minute

Date de création

Dernière exécution

Prochaine exécution

Fonctionnalité nécessitant une connexion

Cette fonctionnalité qui vous permet de recevoir des alertes, n'est active que lorsque vous êtes connecté à votre compte.

Descriptions du CAPEC

An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Informations du CAPEC

Flux d'exécution

1) Explore

[Identify target mail server] The adversary identifies a target mail server that they wish to attack.

Technique

Use Nmap on a system to identify a mail server service.

2) Explore

[Determine viability of attack] Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).

3) Experiment

[Find injection vector] Identify places in the system where vulnerable MIME conversion routines may be used.

4) Experiment

[Craft overflow content] The adversary crafts e-mail messages with special headers that will cause a buffer overflow for the vulnerable MIME conversion routine. The intent of this attack is to leverage the overflow for execution of arbitrary code and gain access to the mail server machine, so the adversary will craft an email that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversary's choosing.

Technique

Create malicious shellcode that will execute when the program execution is returned to it.
Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs

4) Exploit

[Overflow the buffer] Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code.

Conditions préalables

The target system uses a mail server.
Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system.

Compétences requises

It may be trivial to cause a DoS via this attack pattern
Causing arbitrary code to execute on the target system.

Atténuations

Stay up to date with third party vendor patches

Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.

For example, a sendmail.cf file with these changes applied should look similar to (depending on your system and configuration):

Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,

T=DNS/RFC822/X-Unix,
A=mail -d $u

Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,

D=$z:/,
T=X-Unix,
A=sh -c $u

This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying the ".mc" file to include the following lines:

define(`LOCAL_MAILER_FLAGS',

ifdef(`LOCAL_MAILER_FLAGS',

`translit(LOCAL_MAILER_FLAGS, `9')',
`rmn'))

define(`LOCAL_SHELL_FLAGS',

ifdef(`LOCAL_SHELL_FLAGS',

`translit(LOCAL_SHELL_FLAGS, `9')',
`eu'))

and then rebuilding the sendmail.cf file using m4(1).

From "Exploiting Software", please see reference below.

Use the sendmail restricted shell program (smrsh)
Use mail.local

Faiblesses connexes

CWE-ID	Nom de la faiblesse
CWE-120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-20	Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Références

REF-1

Exploiting Software: How to Break Code
G. Hoglund, G. McGraw.

REF-364

CERT Advisory CA-1997-05 MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
http://www.cert.org/advisories/CA-1997-05.html

Soumission

Nom	Organisation	Date	Date de publication
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Nom	Organisation	Date	Commentaire
CAPEC Content Team	The MITRE Corporation	2021-10-21 +00:00	Updated Execution_Flow
CAPEC Content Team	The MITRE Corporation	2022-09-29 +00:00	Updated Example_Instances, Mitigations

Détail du CAPEC-42