Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 22 Aug 2014 01:26:48 -0400
From: Phil Pennock <oss-security-phil@...dhuis.org>
To: oss-security@...ts.openwall.com
Subject: Re: SaltStack 2014.1.10 released

On 2014-08-21 at 19:02 +0200, Kristian Fiskerstrand wrote:
> On 08/21/2014 07:00 PM, Kurt Seifried wrote:
> > Ok several people replied privately now, Thunderbird definitely
> > has issues with this, and one person reports apple mail can't see
> > it either. Perhaps we found a new way to send stealthy emails? ;)
> 
> Not sure if it is new - from a quick glance it looks like the email in
> question is missing a MIME boundary before the body.

Kristian is right; slightly disappointing that it took so many mails for
someone to just look at the structure and report on the root cause,
instead of just trying to see how various different clients handle a
"dodgy" message.  Memo to self: I know how to spread malware amongst the
security community, now.

Per specification for multipart/* types, if there is content before the
first MIME boundary then it is deliberately not displayed by
MIME-capable email clients; this is usually used by user-agents to
insert a "this message is MIME, upgrade your ancient client" type of
message, but even that is rare today.

Given a boundary defined as "foo" then the message is divided up into
sections ("body parts") by lines "\r\n--foo\r\n" and ending with a final
line "\r\n--foo--\r\n".

When the first boundary line got dropped, the content of the message
became preamble.  The definition is in RFC2046.  The definition for
OpenPGP in MIME is in RFC3156, which states:

----------------------------8< cut here >8------------------------------
   The multipart/signed body MUST consist of exactly two parts.  The
   first part contains the signed data in MIME canonical format,
   including a set of appropriate content headers describing the data.

   The second body MUST contain the OpenPGP digital signature.  It MUST
   be labeled with a content type of "application/pgp-signature".
----------------------------8< cut here >8------------------------------

So: message as posted to list was malformed, something dropped a
significant line; every MIME compliant mail-client, by deliberate
design, dropped everything before the first boundary line, so yes this
is a way to sneak through messages.  The only MIME part left was a
signature, which is a protocol violation, and so the behaviours observed
are just "how do mail-clients report malformed signed messages".

-Phil

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ