SecurityTracker.com
Category:  Application (Generic)  >  RipMIME
Vendors:  Daniels, Paul L.
RipMIME MIME Decoder Buffer Overflow Allows For Code Execution During Decoding
Date:  Jan 31 2002
Impact:  Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.26 and prior versions
Description:  A buffer overflow vulnerability was reported in the RipMIME MIME decoder. Arbitrary code may be executed during the decoding process.

It is reported that arbitrary code may be executed when decoding a file with an exceptionally long file name. No further technical details were provided.

On its own, a local user who triggers the vulnerability could only execute arbitrary code with the privileges that the user already has, which does not create a risk scenario. However, it is reported that RipMIME is used in other applications, such as mail gateways or anti-virus products. In that case, it may be possible for a remote user to send a file through the product to trigger the vulnerability and potentially execute arbitrary code on the system with the privileges of the product using RipMIME.

A simple local demonstration exploit command is provided:

./ripmime -i mail -d `perl -e 'print "A" x 255'`
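
The advisory gives no code-level detail, so the following is an added illustration of the bug class it names (a boundary error when an output path is built from an over-long directory or file name), not RipMIME source code. The function name build_output_path and the 256-byte buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define OUT_PATH_MAX 256   /* assumed size of the fixed output-path buffer */

/* Hypothetical helper: join an output directory and an attachment file name
 * into dst (capacity dst_len). Returns 0 on success, -1 with errno set when
 * the inputs are invalid or the joined path does not fit. Unlike an unchecked
 * strcpy/sprintf into a fixed buffer, nothing is written past dst_len. */
int build_output_path(char *dst, size_t dst_len,
                      const char *dir, const char *name)
{
    if (dst == NULL || dst_len == 0 || dir == NULL || name == NULL ||
        name[0] == '\0') {
        errno = EINVAL;
        return -1;
    }

    /* snprintf returns the length it wanted to write, excluding the NUL.
     * A value >= dst_len means the result was truncated. */
    int n = snprintf(dst, dst_len, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dst_len) {
        /* Reject instead of opening a silently truncated path. */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[OUT_PATH_MAX];
    char long_dir[256];                 /* constructed input: 255 x 'A' */

    memset(long_dir, 'A', sizeof long_dir - 1);
    long_dir[sizeof long_dir - 1] = '\0';

    /* Ordinary input is accepted; the 255-character directory is refused. */
    printf("normal: %d\n",
           build_output_path(path, sizeof path, "out", "a.txt"));
    printf("long:   %d\n",
           build_output_path(path, sizeof path, long_dir, "a.txt"));
    return 0;
}
```
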

Impact:  A remote user may be able to exploit a product that uses RipMIME to execute arbitrary code on the system with the privileges of the process running RipMIME.
Solution:  The vendor has released a fixed version (1.2.7 or more recent), available at:

http://www.pldaniels.com/ripmime/#downloads

Vendor URL:  www.pldaniels.com/ripmime/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  KF <dotslash@snosoft.com>
Message History:   None.


 Source Message Contents

Date:  Tue, 22 Jan 2002 15:33:16 -0500
From:  KF <dotslash@snosoft.com>
Subject:  pldaniels - ripMime 1.2.6 and lower?

 

ripMime mail filter remote / local overflows. At least version 1.2.6
vendor: http://www.pldaniels.com/ripmime/

Details:

CHANGELOG -
15/11/2001 - 20H57 - v1.2.7
Corrected buffer overflow problems with exceptionally long file names.
Corrected filename length problems with OS level fread/write calls.

FreeBSD/ports/mail/ripmime/pkg-descr
The FreeBSD Ports Collection ("mail/ripmime")
You are now in the directory for the port "mail/ripmime" (package name "ripmime-1.2.4").
This is the one-line description for this port:
Extracts attached files out of a MIME encoded email package

Based on the above info ripmime is part of the FreeBSD ports collection as far as I can tell... I am not totally sure what it is used for because its poster application is Commercial and I do not have a copy of the software "XaMime". I do know however that somehow it interfaces with sendmail to strip attachments or filter their content.

I have been able to cause a core dump via 2 methods. One requires no user intervention and can be done remotely, however it does not yield an overwrite of the eip. The second method, which I explain below, could yield a shell under some circumstances perhaps locally; again I do not know what the full potential use of ripmime is.

One possible use is in the above mentioned Commercial application located at:
XaMime | Examine your e-mails
XaMime Mail and Virusfilter
URL: http://www.xamime.de/ or http://www.xamime.com
It is some sort of commercial solution for email filtering.

ripMime also comes as part of the inflex package used for filtering virii from attachments etc on unix boxen.
http://www.spyda.co.za/inflex/mainpage.html or http://www.pldaniels.com/inflex/

Here is an example of the issues at hand

./ripmime -i mail -d `perl -e 'print "A" x 255'`
Error: Cannot open output file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA



Copyright 2002, SecurityGlobal.net LLC