Vulnerability Development mailing list archives

Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP)


From: nicolas.justin () FREE FR (Nicolas Justin)
Date: Sat, 11 Mar 2000 19:21:45 +0100


 > > Why is my nutscrape parsing the vcard contents as HTML? Is this
 > > intended behaviour?

Yes.  It would be interesting to know for different mail browsers if the
vcard --> HTML translation actually could be exploited, e.g., by inserting
<script> tags in the vcard information, even if Java/Javascript is disabled.

Nicolas Justin writes:
 > Add these lines to your procmailrc
 >   :0
 >   * ^Content-Type.*text/html*
 >   | (formail -r ; echo "You have sent a mail in HTML format, please
 > resend it in plain text format") | /usr/sbin/sendmail -oi -t

Great!  Now we can use Nicolas' email address (and the address of everyone
who takes his advice) as a remailer (possibly then fed to a recipient
amplifier as explained below) -- without waiting for him to go on vacation.

I won't bother posting an exploit script.  :-)

For all you 31337 haxors: I expect this particular address will be
protected by the time this message passes through the moderator.  :-)

 >   :0
 >   * ^Content-Type.*multipart/alternative*
 >   | (formail -r ; echo "You have sent a mail in HTML format, please
 > resend it in plain text format") | /usr/sbin/sendmail -oi -t

There are non-HTML reasons for multipart/alternative.  E.g., PNG vs. JPEG,
different languages and charsets, etc.  Admittedly, text vs. HTML is by far
the most common.

 > So, if you receive a mail in HTML format, it will be trashed and a mail
 > will be sent to the sender.

...and that can be a problem.  IMHO, Mikael Olsson had a better idea: Use a
filter.  It might not be trivial, but there are MIME-parsing packages for
Perl, and I suspect, other languages.

IMHO, auto-reply (if not human-monitored and/or seriously filtered) is an
exploit waiting to happen.  It may work a lot more slowly, but several of
the classic */IP-based attacks translate pretty well.

If the original message is included in its entirety by an auto-responder,
it also becomes fertile ground for volume-amplification -- as opposed to
recipient-amplification via mailing lists.  (It looks like Nicolas'
suggestion does *not* do this, but I haven't checked.)

Given the subject of this list (VULN-DEV), I nominate Nicolas for an
honorary tee shirt.  ;^)

        Chuck

It was just an *EXAMPLE*; you have to include some checks, if the mail
comes from a mailing list...
You have to improve it if you want a real-world solution ;)
I have used this script on my university computer to protect my
mailbox.
It was just a suggestion, not a really secure script!

bye.

--
____________________________________________
Nicolas Justin  -  nicolas.justin () free fr
http://surf.to/linux-fr
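A filter along the lines Chuck and Nicolas describe, written here as an added Python example rather than the thread's procmail recipe: it reads the MIME structure instead of pattern-matching the Content-Type line, files (rather than answers) anything that looks like a list post, bounce or other auto-responder, and never quotes the original in the reply. The mailbox address, the headers treated as automation markers, and the sample messages are assumptions constructed for the example.

```python
"""Filter HTML-only mail instead of blindly auto-replying (added example)."""
import email
from email import policy, utils

OWN_ADDRESS = "me@example.invalid"  # assumption: the protected mailbox

def has_part(msg, ctype):
    """True if any MIME part of msg has the given content type."""
    return any(p.get_content_type() == ctype for p in msg.walk())

def looks_automated(msg):
    """Mail that must never be answered: list traffic, bounces, other
    auto-responders, or anything claiming to come from the mailbox itself."""
    if any(msg.get(h) for h in ("List-Id", "List-Post", "List-Unsubscribe")):
        return True
    if str(msg.get("Precedence", "")).lower() in ("bulk", "list", "junk"):
        return True
    if str(msg.get("Auto-Submitted", "no")).lower() != "no":
        return True
    if str(msg.get("Return-Path", "")).strip() == "<>":
        return True
    sender = utils.parseaddr(str(msg.get("From", "")))[1].lower()
    return not sender or sender == OWN_ADDRESS

def decide(raw):
    """Return 'deliver', 'file' (quarantine silently) or 'reply'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not has_part(msg, "text/html"):
        return "deliver"
    if has_part(msg, "text/plain"):
        return "deliver"   # multipart/alternative with a text part: just read that
    if looks_automated(msg):
        return "file"      # never answer a list post, a bounce or a robot
    return "reply"

def reply_body():
    # Never quote the original: that is what turns a responder into a volume amplifier.
    return "You have sent a mail in HTML format, please resend it in plain text format."

# Constructed sample messages (not from the thread).
HTML_FROM_PERSON = "From: alice@example.invalid\nContent-Type: text/html\n\n<p>hi</p>\n"
HTML_FROM_LIST = ("From: bob@example.invalid\nList-Id: <talk.example.invalid>\n"
                  "Content-Type: text/html\n\n<p>hi</p>\n")
ALTERNATIVE = ("From: carol@example.invalid\n"
               "Content-Type: multipart/alternative; boundary=b\n\n"
               "--b\nContent-Type: text/plain\n\nhi\n"
               "--b\nContent-Type: text/html\n\n<p>hi</p>\n--b--\n")

if __name__ == "__main__":
    for name, raw in (("person", HTML_FROM_PERSON), ("list", HTML_FROM_LIST), ("alt", ALTERNATIVE)):
        print(name, decide(raw))
```

Since the From header is still unverified, dropping the "reply" branch and always filing is the option Chuck argues for; the checks only stop the most obvious loops and list bounces.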