[Esa-l] HTML.dropper (fwd)

Bjarni R. Einarsson bre at klaki.net
Thu Jan 18 00:46:24 PST 2001

On 2001-01-18, 00:09:06 (-0800), John D. Hardin wrote:
> How in the world could MS possibly have written the mail program such
> that it would interpret a long subjcet as an attachment name? BO,

It's User Friendly! :)

> So what do we do? Arbitrarily limit all headers to 256 characters?

I think this particular problem can be defanged simply by *appending*
the word "DEFANGED" to unusually long subject lines.  Hopefully few
mailers will make stupid assumptions about subject lengths, but
appending this word will remove any odd chance that the Subject's last
few characters get interpreted as an extension name.

Actually, though, I'm somewhat sceptical of the validity of the Bugtraq
post you quoted.  I suspect the Subject: line isn't really important
here - what's important is that Microsoft products tend to ignore MIME
types, when it comes to actually executing/displaying something.

For example, it has long been known that Internet Explorer will ignore
the MIME type of a file it downloads.  Just try renaming one of your
web pages to .txt and viewing it.  It'll still appear as HTML.  

So my theory is:

 1. MIME type dictates icon, in the example case image/gif
 2. "Magic" check on contents dictates how it is run - which 
    is *not* image/gif in this exploit.  It may be that fixing
    the Subject line provides some of the info used by the "magic"
    check - but this exploit may *not* depend on the contents of
    the Subject line alone.

This brings me back full-circle to my previous ponderings on making
my sanitizer do magic checks of it's own, and reject, mangle or defang 
messages where the actual contents don't match the MIME headers...
which is hard to do, but would work against this sort of stupidity.

Of course, verifying this little theory of mine will take some
expirimentation.  I'm going to try a few things at work today, I'll let
you all know how it goes.

Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/

More information about the esd-l mailing list