Vigil@nce: MIME, denial of service by encapsulation
December 2008 by Vigil@nce
SYNTHESIS
An attacker can create an email containing deep MIME
encapsulations in order to create a denial of service in several
applications.
Gravity: 2/4
Consequences: denial of service
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 09/12/2008
IMPACTED PRODUCTS
– Microsoft Outlook Express
– Microsoft Windows Mail
– Opera
– SMTP
– Symantec Norton Internet Security
DESCRIPTION
An email can contain several parts separated by MIME headers. Each
part can also contain data encapsulated with MIME headers.
Some software does not limit the number of encapsulations. An
attacker can therefore send an email containing several thousand
parts in order to create a denial of service.
Here is a list of impacted software:
Microsoft Outlook Express 6
Opera Version: 9.51
Norton Internet Security Version 15
Kaspersky Internet Security 2009
This vulnerability type is old, and has for example impacted
Sendmail (VIGILANCE-VUL-5924) and ClamAV (VIGILANCE-VUL-6398 (https://vigilance.fr/tree/1/6398)).
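A mail filter can enforce the missing limit by bounding both nesting depth and total part count before a message reaches deeper processing. The following is an added example, not code from this bulletin or from any affected vendor; the limits MAX_DEPTH and MAX_PARTS, the function names and the sample message are assumptions chosen for illustration.

```python
from email import message_from_bytes, policy
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 10    # assumed limit on nesting levels; tune per deployment
MAX_PARTS = 1000  # assumed limit on total parts; tune per deployment


def check_mime_limits(raw, max_depth=MAX_DEPTH, max_parts=MAX_PARTS):
    """Return (ok, deepest_level_seen, parts_seen) for a raw message.

    The walk uses an explicit stack, so the checker itself does not recurse,
    and it stops at the first part that exceeds a limit.
    """
    try:
        root = message_from_bytes(raw, policy=policy.default)
    except RecursionError:
        # If the parser itself gives up on extreme nesting, reject the message.
        return False, 0, 0
    stack = [(root, 1)]
    deepest = parts = 0
    while stack:
        part, depth = stack.pop()
        parts += 1
        deepest = max(deepest, depth)
        if depth > max_depth or parts > max_parts:
            return False, deepest, parts
        if part.is_multipart():
            # Covers multipart/* and message/rfc822 containers alike.
            stack.extend((child, depth + 1) for child in part.get_payload())
    return True, deepest, parts


def constructed_sample():
    """Constructed input: three nested multipart containers around one text part."""
    inner = MIMEMultipart()
    inner.attach(MIMEText("hello"))
    mid = MIMEMultipart()
    mid.attach(inner)
    outer = MIMEMultipart()
    outer.attach(mid)
    outer.attach(MIMEText("note"))
    return outer.as_bytes()


if __name__ == "__main__":
    sample = constructed_sample()
    print(check_mime_limits(sample))               # within the default limits
    print(check_mime_limits(sample, max_depth=3))  # rejected: fourth level seen
```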
CHARACTERISTICS
Identifiers: BID-32702, CVE-2008-5424, CVE-2008-5425,
CVE-2008-5426, CVE-2008-5427, CVE-2008-5428, VIGILANCE-VUL-8296