Dark Mode
Capec-42 Detail
MIME Conversion
Detailed Software Likelihood: High Typical Severity: High
Parents: 100
Threats: T62
Not present
| External ID | Source | Link | Description |
|---|---|---|---|
| CAPEC-42 | capec | https://capec.mitre.org/data/definitions/42.html | |
| CWE-120 | cwe | http://cwe.mitre.org/data/definitions/120.html | |
| CWE-119 | cwe | http://cwe.mitre.org/data/definitions/119.html | |
| CWE-74 | cwe | http://cwe.mitre.org/data/definitions/74.html | |
| CWE-20 | cwe | http://cwe.mitre.org/data/definitions/20.html | |
| REF-1 | reference_from_CAPEC | G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley | |
| REF-364 | reference_from_CAPEC | http://www.cert.org/advisories/CA-1997-05.html | CERT Advisory CA-1997-05 MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4, Software Engineering Institute: Carnegie Mellon University |
Explore
-
Identify target mail server: The adversary identifies a target mail server that they wish to attack.
-
Determine viability of attack: Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).
| Techniques |
|---|
| Use Nmap on a system to identify a mail server service. |
Experiment
-
Find injection vector: Identify places in the system where vulnerable MIME conversion routines may be used.
-
Craft overflow content: The adversary crafts e-mail messages with special headers that will cause a buffer overflow for the vulnerable MIME conversion routine. The intent of this attack is to leverage the overflow for execution of arbitrary code and gain access to the mail server machine, so the adversary will craft an email that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversary's choosing.
| Techniques |
|---|
| Create malicious shellcode that will execute when the program execution is returned to it. |
| Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs |
Exploit
-
Overflow the buffer: Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code.
- The target system uses a mail server.
- Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system.
Not present
| Low | High |
|---|---|
| It may be trivial to cause a DoS via this attack pattern | |
| Causing arbitrary code to execute on the target system. |
| Integrity | Availability | Authorization | Access Control | Confidentiality |
|---|---|---|---|---|
| Execute Unauthorized Commands (Run Arbitrary Code) | Execute Unauthorized Commands (Run Arbitrary Code) | Gain Privileges | Gain Privileges | Execute Unauthorized Commands (Run Arbitrary Code) |
| Modify Data | Unreliable Execution | Gain Privileges |
- A MIME conversion buffer overflow exists in Sendmail versions 8.8.3 and 8.8.4. Sendmail versions 8.8.3 and 8.8.4 are vulnerable to a buffer overflow in the MIME handling code. By sending a message with specially-crafted headers to the server, a remote attacker can overflow a buffer and execute arbitrary commands on the system with root privileges. Sendmail performs a 7 bit to 8 bit conversion on email messages. This vulnerability is due to the fact that insufficient bounds checking was performed while performing these conversions. This gave attacker an opportunity to overwrite the internal stack of sendmail while it is executing with root privileges. An attacker first probes the target system to figure out what mail server is used on the system and what version. An attacker could then test out the exploit at their leisure on their own machine running the same version of the mail server before using it in the wild.See also: CVE-1999-0047