CAPEC-42: MIME Conversion

Abstraction: Detailed | Status: Draft | Severity: High | Likelihood of Attack: High

CAPEC Version: 3.9

Last Updated: 2023-01-24

Description

An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to a MIME-compatible format and back.

Execution Flow

Step 1: Explore

[Identify target mail server] The adversary identifies a target mail server that they wish to attack.

Techniques:
  • Use Nmap on a system to identify a mail server service.

Step 2: Explore

[Determine viability of attack] Determine whether the mail server is unpatched and is potentially vulnerable to one of the known MIME conversion buffer overflows (e.g. Sendmail 8.8.3 and 8.8.4).

Step 3: Experiment

[Find injection vector] Identify places in the system where vulnerable MIME conversion routines may be used.

Step 4: Experiment

[Craft overflow content] The adversary crafts e-mail messages with special headers that will cause a buffer overflow for the vulnerable MIME conversion routine. The intent of this attack is to leverage the overflow for execution of arbitrary code and gain access to the mail server machine, so the adversary will craft an email that not only overflows the targeted buffer but does so in such a way that the overwritten return address is replaced with one of the adversary's choosing.

Techniques:
  • Create malicious shellcode that will execute when the program execution is returned to it.
  • Use a NOP-sled in the overflow content to more easily "slide" into the malicious code. This is done so that the exact return address need not be correct, only in the range of all of the NOPs.

Step 5: Exploit

[Overflow the buffer] Send e-mail messages to the target system with specially crafted headers that trigger the buffer overflow and execute the shell code.

Prerequisites

  • The target system uses a mail server.
  • Mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system.

Skills Required

Low: It may be trivial to cause a DoS via this attack pattern.
High: Causing arbitrary code to execute on the target system.

Consequences

Scope: Confidentiality, Integrity, Availability

Technical Impact: Execute Unauthorized Commands

Note: Run Arbitrary Code

Scope: Integrity

Technical Impact: Modify Data

Scope: Availability

Technical Impact: Unreliable Execution

Scope: Confidentiality, Access Control, Authorization

Technical Impact: Gain Privileges

Mitigations

Stay up to date with third party vendor patches

Use the sendmail restricted shell program (smrsh)

Use mail.local
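Patching and smrsh/mail.local are the mitigations the entry lists; a complementary defensive control is to reject malformed or oversized headers at the mail gateway before any MIME conversion routine touches them, since the description places the attack point at the conversion step. The following pre-filter is an added example and is not part of the CAPEC entry or of sendmail; it enforces two published limits (RFC 5322's 998-octet header line and RFC 2047's 75-character encoded-word) plus an assumed local policy cap on the unfolded length of a whole header value, and it runs over two constructed sample messages.

```python
import re

# Limits from the mail RFCs: RFC 5322 caps a header line at 998 octets and
# RFC 2047 caps a single encoded-word at 75 characters.
MAX_LINE_OCTETS = 998
MAX_ENCODED_WORD = 75
# Assumed local policy value (not from any RFC): the longest unfolded header
# value the gateway is willing to hand to a conversion routine.
MAX_HEADER_VALUE = 4096

# Shape of an RFC 2047 encoded-word: =?charset?B-or-Q?encoded-text?=
ENCODED_WORD = re.compile(r"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=")


def unfold_headers(raw: bytes) -> list[tuple[str, bytes]]:
    """Split the header block of a raw message into (name, unfolded value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    fields: list[tuple[str, bytes]] = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            # Folded continuation line: append to the previous field's value.
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip())
        elif b":" in line:
            name, _, value = line.partition(b":")
            fields.append((name.decode("ascii", "replace").strip(), value.strip()))
    return fields


def check_headers(raw: bytes) -> list[str]:
    """Return findings for headers outside the limits; an empty list means accept."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    for n, line in enumerate(head.split(b"\r\n"), 1):
        if len(line) > MAX_LINE_OCTETS:
            findings.append(f"line {n}: {len(line)} octets exceeds {MAX_LINE_OCTETS}")
    for name, value in unfold_headers(raw):
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"{name}: unfolded value {len(value)} bytes exceeds {MAX_HEADER_VALUE}")
        for m in ENCODED_WORD.finditer(value.decode("ascii", "replace")):
            if len(m.group(0)) > MAX_ENCODED_WORD:
                findings.append(f"{name}: encoded-word of {len(m.group(0))} chars exceeds {MAX_ENCODED_WORD}")
    return findings


# Constructed sample: a well-formed message with a short encoded Subject.
BENIGN = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: =?utf-8?q?Hello_=C3=A9?=\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"body\r\n"
)

# Constructed sample: one Subject line carrying an encoded-word far past the
# 75-character limit, which also pushes the line past 998 octets. The filter
# rejects it without ever decoding the encoded text.
OVERSIZE = (
    b"From: alice@example.test\r\n"
    + b"Subject: =?iso-8859-1?q?" + b"A" * 1200 + b"?=\r\n"
    + b"\r\n"
    + b"body\r\n"
)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversize", OVERSIZE)):
        result = check_headers(msg)
        print(label, "->", "accept" if not result else result)
```

The filter never decodes the suspect data; it measures it and refuses anything past the limits, which is the property a front-line check should have when the code behind it is the part you do not trust. The policy value for the unfolded header length is a placeholder to tune per site.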

Example Instances

See also: CVE-1999-0047

Key Information

CAPEC ID: CAPEC-42

Abstraction: Detailed

Status: Draft

Typical Severity: High

Likelihood of Attack: High

Related Attack Patterns