procmail

Re: Help! Need to use procmail to fight dangerous security exploit

1998-08-18 00:50:33
|Wed 1998-07-29 mark david mcCreary <mdm(_at_)internet-tools(_dot_)com> 
list.procmail
| >Literally millions of users worldwide may soon get bit by the MIME
| >filename buffer overflow bug described at
| >
| >http://www.sjmercury.com/business/microsoft/docs/security0728.htm
| >
| >This bug is particularly insidious because it can be exploited via
| >by spamming software and could impact millions of users in a very short
| >time.
| >
| >I would like to try to use procmail to plug the hole at the mail server,
| >by truncating the excessively long file names in the MIME headers.

Thank you. I read the whole thread and I'm sure Era was right suggesting
that:

        [era] I believe that the problem isn't really that the
        filename is over the allowed length for some platform (Macintoshes
        allow something like 27 characters if memory serves) but a bug in
        how some particular email clients allocate memory for the file name
        string (but I am really only speculating here).

So the MUA software that is used to display the MIME message is the
culprit. I use Emacs to handle MIME, so it has no such threats, so poor
Microsoft software may get upset and allocate too little space.

So, this has nothing to do with mail or its content. Procmail can
handle as big messages as you have system and virtual memory. The
only thing you can make Procmail overflow is, when you try to match
too much and your LINEBUF setting is too short. But then you made it
happen yourself :-)

Did you have any questions about this issue? I even added a Note
to the pm-jamime.rc in case someone wants to be paranoid:

  Pm-jamime.rc -- subroutine to read mime boundary etc. variables

    [...] 

    Mime Notes
 
        1998-07-28 Brett Glass <brett(_at_)lariat(_dot_)org> reported in PM-L
        that there was a security exploit in long attachment filenames:
        http://www.xray.mpe.mpg.de/mailing-lists/procmail/1998-07/msg00248.html
 
        And here is the url to the matter:
 
        http://www.sjmercury.com/business/microsoft/docs/security0728.htm
 
 
        When you use this module to detect mime messages, you can check the
        filename length with recipe:
 
            #  Recipe after calling $RC_MIME, this module,
 
            re       = ".........."     # regexp with 10 matches
            too_long = "$re$re$re$re"   # allow 40 characters maximum
 
            :0
            *$ $SUPREME^0  MIME_H_ATTACHEMENT ?? $too_long
            *$ $SUPREME^0  MIME_B_ATTACHEMENT ?? $too_long
            {
                dummy = "** Dangerously long mime attachement filename"
                dummy = "** $MIME_H_ATTACHEMENT $MIME_B_ATTACHEMENT"
 
                :0 :
                /var/spool/mail/MimeDanger
            }


jari
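
An added example, not part of the original post or of pm-jamime.rc: the same filename-length check done outside procmail, walking every MIME part and reading both the Content-Disposition `filename` and the Content-Type `name` parameter, with RFC 2231 continuations joined before measuring. The function names, the sample message and the choice to flag names longer than 40 characters are assumptions.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

MAX_NAME = 40  # assumed policy limit, taken from the recipe's 40-character comment

def declared_names(raw):
    """Return every attachment name any MIME part declares, in message order."""
    names = []
    for part in message_from_bytes(raw).walk():
        # A client may read either parameter, so check both headers.
        for param, header in (("filename", "content-disposition"),
                              ("name", "content-type")):
            value = part.get_param(param, header=header)
            if value is not None:
                # RFC 2231 encoded values arrive as a 3-tuple; collapse to str.
                names.append(collapse_rfc2231_value(value))
    return names

def too_long_names(raw, limit=MAX_NAME):
    """Names longer than `limit` characters; an empty list means nothing to flag."""
    return [n for n in declared_names(raw) if len(n) > limit]

# Constructed sample message: one short name, one 60-character name that is
# split across RFC 2231 continuations so no single header line looks long.
LONG = "A" * 56 + ".txt"
SAMPLE = (
    "From: sender@example.org\n"
    "Subject: constructed test message\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    'Content-Disposition: attachment; filename="notes.txt"\n'
    "\n"
    "hello\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="' + LONG + '"\n'
    "Content-Disposition: attachment;\n"
    ' filename*0="' + "A" * 30 + '";\n'
    ' filename*1="' + "A" * 26 + '.txt"\n'
    "\n"
    "data\n"
    "--b1--\n"
).encode("ascii")

if __name__ == "__main__":
    for name in too_long_names(SAMPLE):
        print("long attachment name (%d chars): %s" % (len(name), name))
```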