| Attack Pattern ID | Pattern Abstraction: Detailed 42 |
| Typical Severity | High |
| Description | Summary
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Attack Execution Flow
Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).
Identify places in the system where vulnerable MIME conversion routines may be used.
Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shellcode.
|
| Attack Prerequisites |
The target system uses a mail server.
Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system.
|
| Typical Likelihood of Exploit |
High
|
| Methods of Attack | |
| Examples-Instances | Description Attack Example: Sendmail Overflow
A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges.
Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild.
Related Vulnerability |
| Attacker Skill or Knowledge Required |
Low: It may be trivial to cause a DoS via this attack pattern
High: Causing arbitrary code to execute on the target system.
|
| Resources Required | |
| Probing Techniques |
The first step is to figure what mail server (and what version) is running on the target system.
|
| Solutions and Mitigations | Stay up to date with third party vendor patches
Disable the 7 to 8 bit conversion. This can be done by removing the F=9 flag from all Mailer specifications in the sendmail.cf file.
For example, a sendmail.cf file with these changes applied should look
similar to (depending on your system and configuration):
Mlocal, P=/usr/libexec/mail.local, F=lsDFMAw5:/|@qrmn, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=mail -d $u
Mprog, P=/bin/sh, F=lsDFMoqeu, S=10/30, R=20/40,
D=$z:/,
T=X-Unix,
A=sh -c $u
This can be achieved for the "Mlocal" and "Mprog" Mailers by modifying
the ".mc" file to include the following lines:
define(`LOCAL_MAILER_FLAGS',
ifdef(`LOCAL_MAILER_FLAGS',
`translit(LOCAL_MAILER_FLAGS, `9')',
`rmn'))
define(`LOCAL_SHELL_FLAGS',
ifdef(`LOCAL_SHELL_FLAGS',
`translit(LOCAL_SHELL_FLAGS, `9')',
`eu'))
and then rebuilding the sendmail.cf file using m4(1).
From "Exploiting Software", please see reference below.
Use the sendmail restricted shell program (smrsh)
Use mail.local
|
| Attack Motivation-Consequences | - Run Arbitrary Code
- Data Modification
- Denial of Service
- Privilege Escalation
|
| Context Description |
Content-Based Buffer Overflow
Data files are ubiquitous. They are used to store everything from documents to content media and critical computer settings. Every file has an inherent format that often encompasses special information such as file length, media type, and which fonts are boldface, all encoded directly in the data file. The attack vector against data files like these is simple: Mess up the data file and wait for some unsuspecting user to open it.
Some kinds of files are strikingly simple and others have complex binary structures and numerical data embedded in them. Sometimes the simple act of opening a complex file in a hex editor and tweaking a few bytes is enough to cause the (unsuspecting) program that consumes the file to crash and burn.
|
| Injection Vector |
The especially formated e-mail message whose body is put together in a way as to trigger the MIME conversion buffer overflow in the 7 to 8 bit MIME conversion function.
|
| Payload |
The shellcode included as part of the e-mail message body that is executed on the target system with root privileges after the stack based buffer overflow in the 7 to 8 bit MIME conversion function is leveraged.
|
| Activation Zone |
The function performing 7 to 8 bit MIME conversion.
|
| Payload Activation Impact | |
| Related Weaknesses | | CWE-ID | Weakness Name | Weakness Relationship Type |
|---|
| 120 | Unbounded Transfer ('Classic Buffer Overflow') | Targeted | | 119 | Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer | Targeted | | 74 | Failure to Sanitize Data into a Different Plane (aka 'Injection') | Targeted | | 20 | Insufficient Input Validation | Secondary |
|
| Related Vulnerabilities | | Vulnerability-ID | Vulnerability Description |
|---|
| CVE-1999-0047 | A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges.
Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild. |
|
| Related Security Principles | |
| Purpose | Penetration Exploitation |
| CIA Impact | | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|
| High | High | High |
|
| Technical Context | | Architectural Paradigm | Framework | Platform | Language |
|---|
| All | All | All | All |
|
| References | G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004.
CERT Advisory CA-1997-05, "MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4". Available at: http://www.cert.org/advisories/CA-1997-05.html
|
| Source | | Submission(s) |
|---|
| Submitter | Organization | Date | Comment |
|---|
| G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, February 2004. | Cigital, Inc | 2007-03-01 | |
| Modification(s) |
|---|
| Modifier | Organization | Date | Comment |
|---|
| Eugene Lebanidze | Cigital, Inc | 2007-02-26 | Fleshed out content to CAPEC schema from the original descriptions in "Exploiting Software" | | Sean Barnum | Cigital, Inc | 2007-03-05 | Review and revise |
|
