| Name | MIME Conversion |
|---|---|
| Likelihood of attack | High |
| Typical severity | High |
| Summary | An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back. |
| Prerequisites | The target system uses a mail server. The mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system. |
| Execution Flow | | | |
|---|---|---|---|
| Step | Phase | Description | Techniques |
| 1 | Explore | [Identify target mail server] The adversary identifies a target mail server that they wish to attack. | Use Nmap on a system to identify a mail server service. |
| 2 | Explore | [Determine viability of attack] Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4). | |
| 3 | Experiment | [Find injection vector] Identify places in the system where vulnerable MIME conversion routines may be used. | |
| 4 | Exploit | [Overflow the buffer] Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code. | |
| Solutions | Stay up to date with third-party vendor patches. From "Exploiting Software" (please see reference below): use the sendmail restricted shell program (smrsh); use mail.local. |
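The weakness behind this pattern (CWE-120, a copy into a fixed buffer without checking the input size) is easiest to see in the conversion routine itself. The following is an added example, not code from CAPEC or from any mail server: a decoder for the RFC 2047 "Q" encoding (`=XX` hex escapes, `_` for space) that writes into a caller-supplied fixed-size buffer and refuses, rather than overflows, when the decoded header would not fit. The function names `decode_q_bounded` and `header_fits`, and the 64-byte destination size in the wrapper, are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Map one hex digit to its value, or -1 if the byte is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode a MIME "Q"-encoded header payload into out[0..out_size-1].
 * Returns the number of bytes written (excluding the NUL terminator),
 * or -1 if the input is malformed or the decoded text would not fit.
 * The length check before every store is exactly what an unchecked
 * "copy while decoding" loop leaves out; without it, a long or
 * escape-heavy header writes past the end of a fixed buffer. */
int decode_q_bounded(const char *in, char *out, size_t out_size) {
    size_t n = 0;
    if (out_size == 0) return -1;
    for (const char *p = in; *p != '\0'; p++) {
        int c;
        if (*p == '=') {
            /* Validate both hex digits before consuming them; a truncated
             * "=4" at end of input must not read past the terminator. */
            int hi = hexval((unsigned char)p[1]);
            int lo = (hi >= 0) ? hexval((unsigned char)p[2]) : -1;
            if (lo < 0) return -1;
            c = (hi << 4) | lo;
            p += 2;
        } else if (*p == '_') {
            c = ' ';
        } else {
            c = (unsigned char)*p;
        }
        /* Bounds check: always leave room for the terminating NUL. */
        if (n + 1 >= out_size) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Example policy wrapper (assumed): a header field is accepted only if it
 * decodes into a 64-byte field buffer; otherwise the message is rejected
 * rather than partially decoded. */
int header_fits(const char *in) {
    char field[64];
    return decode_q_bounded(in, field, sizeof field) >= 0;
}

int main(void) {
    char buf[32];
    /* Constructed sample header values, not captured traffic. */
    const char *ok = "Hello_=57orld";
    const char *bad = "=ZZ";
    printf("%d\n", decode_q_bounded(ok, buf, sizeof buf));   /* 11 */
    printf("%s\n", buf);                                     /* Hello World */
    printf("%d\n", decode_q_bounded(bad, buf, sizeof buf));  /* -1 */
    return 0;
}
```

A decoder that returns an error on overflow gives the caller a decision point (reject the message, log it, fall back to the raw header) instead of silently corrupting adjacent memory; a detection rule that counts such rejections per sender is a cheap signal for the "specially crafted headers" step of the execution flow above.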
| Related Weaknesses | |
|---|---|
| CWE ID | Description |
| CWE-20 | Improper Input Validation |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |

| Related CAPECs | |
|---|---|
| CAPEC ID | Description |
| CAPEC-100 | Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversary's choice. |