CVE-2003-1014
CVSS7.5
发布时间 :2004-10-20 00:00:00
修订时间 :2016-10-17 22:39:00
NMCOPS    

[原文]Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use multiple MIME fields with the same name, which may be interpreted differently by mail clients.


[CNNVD]多个供应商MINE封装内容校验滤波器绕过漏洞(CNNVD-200410-059)

        多个内容安全网关和杀毒产品存在漏洞。远程攻击者借助MIME消息来绕过内容限制,该MIME消息使用多个带有相同名称的MIME字段,这些字段可能与邮件客户端说明的不同。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1014
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1014
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-059
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=109517732328759&w=2
(UNKNOWN)  BUGTRAQ  20040914 Corsaire Security Advisory - Multiple vendor MIME field multiple occurrence issue
http://www.uniras.gov.uk/vuls/2004/380375/mime.htm
(VENDOR_ADVISORY)  MISC  http://www.uniras.gov.uk/vuls/2004/380375/mime.htm
http://xforce.iss.net/xforce/xfdb/17333
(UNKNOWN)  XF  mime-field-filtering-bypass(17333)

- 漏洞信息

多个供应商MINE封装内容校验滤波器绕过漏洞
高危 其他
2004-10-20 00:00:00 2006-08-22 00:00:00
远程  
        多个内容安全网关和杀毒产品存在漏洞。远程攻击者借助MIME消息来绕过内容限制,该MIME消息使用多个带有相同名称的MIME字段,这些字段可能与邮件客户端说明的不同。

- 公告与补丁

        plDaniels have released ripMime 1.4.0.0 to address this issue.
        F-Secure will be releasing Internet Gatekeeper 6.41 to address this issue in Q4/04.
        plDaniels ripMime 1.2 .0
        
        plDaniels ripMime 1.2.1
        
        plDaniels ripMime 1.2.2
        
        plDaniels ripMime 1.2.3
        
        plDaniels ripMime 1.2.4
        
        plDaniels ripMime 1.2.5
        
        plDaniels ripMime 1.2.6
        
        plDaniels ripMime 1.2.7
        
        plDaniels ripMime 1.3.2 .3
        
        plDaniels ripMime 1.3.2 .0
        
        plDaniels ripMime 1.3.2 .2
        

- 漏洞信息 (F34356)

Corsaire Security Advisory 2003-08-04.2 (PacketStormID:F34356)
2004-09-15 00:00:00
Martin O'Neal,Corsaire  corsaire.com
advisory,virus
CVE-2003-1014
[点击下载]

Corsaire Security Advisory - There are a number of content security gateway and anti-virus products available that provide policy based security functionality. Part of this functionality allows the products to block embedded file attachments based on their specific content type, such as executables or those containing viruses. However, by using malformed MIME encapsulation techniques centered on the presence of multiple occurrences of fields, this functionality can be evaded.

-- Corsaire Security Advisory --

Title: Multiple vendor MIME field multiple occurrence issue
Date: 04.08.03
Application: various
Environment: various
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c030804-002


-- Scope --

The aim of this document is to clearly define a MIME content evasion 
issue that affects a variety of products including; browsers, proxy 
servers, email clients, content security gateways and antivirus 
products. 


-- History --

Discovered: 04.08.03 (Martin O'Neal)
CERT/CC notified: 18.08.03
NISCC notified: 24.10.03
Document released: 13.09.04

This advisory has been created from merging Corsaire advisories with 
references c030804-001, c030806-001 and c030806-002.


-- Overview --

There are a number of content security gateway and antivirus products 
available that provide policy based security functionality. Part of this 
functionality allows the products to block embedded file attachments 
based on their specific content type, such as executables or those 
containing viruses. However, by using malformed MIME encapsulation 
techniques centred on the presence of multiple occurrences of fields, 
this functionality can be evaded. 


-- Analysis --

The MIME standards are intended to provide a common mechanism to 
exchange data between systems and are used extensively by protocols such 
as HTTP and SMTP. The structure of a MIME message is defined in RFC2045 
[1], which in turn makes use of concepts introduced in RFC822 [2] 
(superseded by RFC2822 [3]).

The standards define a range of fields that control how data is encoded 
within the transport, and how it should be interpreted by the receiving 
agent. RFC822 states "This specification permits multiple occurrences of 
most fields. Except as noted, their interpretation is not specified 
here, and their use is discouraged."

As usual, this lack of clarity within an RFC has been interpreted in 
various ways by the assorted vendors. For many products, such as email 
clients and browsers, this scope for interpretation might only result in 
some unreliable behaviour. However, for a collection of security 
products, being unaware of the various ways that the standard has been 
interpreted can lead to more serious results, as the products may fail 
to detect a threat within the data stream.

When a receiving agent is presented with a MIME message that contains 
multiple occurrences of a field, it tends to respond in one of four 
broad ways:

- It identifies the MIME message as malformed and blocks it.
- It fails to interpret the MIME field (or message).
- It interprets the first occurrence of a field and ignores all those
  that follow it.
- It interprets the last occurrence of a field and ignores all those
  that precede it.

The first of the four would be the correct behaviour for a security 
conscious product, but based on empirical research this is not the 
common result. 

The MIME field multiple occurrence issue has been observed to affect 
most of the headers, parameters and values defined within the standard. 
To use this issue as an attack mechanism, all that is required is to 
identify a target that has a client agent that interprets the chosen 
MIME field in a different way to any security products that protect it. 


-- Recommendations --

To be effective tools, the security products must not only be able to 
process encoding techniques implemented as per the relevant standard, 
but also common misinterpretations and deliberate corruptions.

As an ongoing process, a study project should be undertaken by the 
vendors to identify applications that routinely decode MIME objects and 
have a liberal interpretation of the MIME standard. 

NISCC have produced a document consolidating a number of vendor 
statements on these issues [4]. Contact your vendor directly to 
establish whether you are affected by these issues.


-- Background --

This issue was discovered using a custom SMTP/HTTP vulnerability 
analysis tool developed by Corsaire's security assessment team. This 
tool is not available publicly, but is an example of the specialist 
approach used by Corsaire's consultants as part of a commercial security 
assessment. To find out more about the cutting edge services provided by 
Corsaire simply visit our web site at http://www.corsaire.com


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-1014 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.


-- References --

[1] http://www.faqs.org/rfcs/rfc2045.html
[2] http://www.faqs.org/rfcs/rfc822.html
[3] http://www.faqs.org/rfcs/rfc2822.html
[4] http://www.uniras.gov.uk/vuls/2004/380375/mime.htm


-- Revision --

a. Initial release.
b. Released.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2003 Corsaire Limited. All rights reserved. 
    

- 漏洞信息

10914
Multiple Content Monitor Software Duplicate MIME Field Bypass

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-09-13 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Multiple Vendor MIME Encapsulation Content Checking Filter Bypass Vulnerabilities
Failure to Handle Exceptional Conditions 11157
Yes No
2004-09-13 12:00:00 2009-07-12 07:06:00
Discovery is credited to Martin O'Neal of Corsaire Security.

- 受影响的程序版本

plDaniels ripMime 1.3.2 .3
plDaniels ripMime 1.3.2 .2
plDaniels ripMime 1.3.2 .0
plDaniels ripMime 1.2.7
- FreeBSD FreeBSD 5.0
+ plDaniels Inflex 1.0 .11
plDaniels ripMime 1.2.6
+ plDaniels Inflex 1.0 .11
plDaniels ripMime 1.2.5
+ plDaniels Inflex 1.0 .11
plDaniels ripMime 1.2.4
- FreeBSD FreeBSD 5.0
+ plDaniels Inflex 1.0 .10
plDaniels ripMime 1.2.3
plDaniels ripMime 1.2.2
plDaniels ripMime 1.2.1
plDaniels ripMime 1.2 .0
F-Secure Internet Gatekeeper 6.40 0
F-Secure Internet Gatekeeper 6.32
F-Secure Internet Gatekeeper 6.31
F-Secure Internet Gatekeeper 6.3
Clearswift MailSweeper 4.3.15
Clearswift MailSweeper 4.3.14
Clearswift MailSweeper 4.3.13
Clearswift MailSweeper 4.3.11
Clearswift MailSweeper 4.3.10
Clearswift MailSweeper 4.3.8
Clearswift MailSweeper 4.3.7
plDaniels ripMime 1.4 .0.0

- 不受影响的程序版本

plDaniels ripMime 1.4 .0.0

- 漏洞讨论

Multiple filter bypass vulnerabilities have been reported in numerous software implementations due to ambiguities in MIME encapsulation standards (RFCs 822, and 2045 through 2049).

The following types of software may be impacted by these issues:
- Email clients
- Web clients
- Antivirus products
- Email content filters
- Web content filters

The source of the problem is that affected implementations may not handle malformed or incorrect MIME encapsulated data. As a result, various MIME encapsulation techniques could be used to allow MIME attachments to pass on through when they should be rejected due to being malformed or incorrect. This could have various consequences depending on the implementation, but will also generally require that the client receiving the attachment will be able to interpret the malformed attachment.

A conclusive list of affected implementations is not available at this time. This BID will be updated as more vendor products are determined to be vulnerable.

- 漏洞利用

Corsaire Security have developed test suites to exploit these issues. It is not known if these test suites are publicly available.

- 解决方案

plDaniels have released ripMime 1.4.0.0 to address this issue.

F-Secure will be releasing Internet Gatekeeper 6.41 to address this issue in Q4/04.


plDaniels ripMime 1.2 .0

plDaniels ripMime 1.2.1

plDaniels ripMime 1.2.2

plDaniels ripMime 1.2.3

plDaniels ripMime 1.2.4

plDaniels ripMime 1.2.5

plDaniels ripMime 1.2.6

plDaniels ripMime 1.2.7

plDaniels ripMime 1.3.2 .3

plDaniels ripMime 1.3.2 .0

plDaniels ripMime 1.3.2 .2

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站