Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, BlackICE Agent for Server, RealSecure Guard, RealSecure Sentry, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware:
This signature parses the file name associated with the Content-Type and Content-Disposition fields in MIME headers. When the file name exceeds a configurable threshold, the signature triggers. This condition mostly occurs in email messages but is possible in any protocol that accepts and transmits MIME encoded documents (e.g., HTTP).
This signature detects when an excessively long MIME filename is specified over the SMTP protocol.
This anomaly signature parses the file name associated with the Content-Type and Content-Disposition fields in MIME headers. When the file name exceeds a configurable threshold, the signature triggers. This condition mostly occurs in email messages but is possible in any protocol that accepts and transmits MIME encoded documents (e.g., HTTP).
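The check described above can be sketched as follows. This is an added example, not the product's signature logic: the 255-character threshold, the function names and the sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import collapse_rfc2231_value

MAX_FILENAME = 255  # assumed value; the page only says the threshold is configurable
FIELDS = (("Content-Type", "name"), ("Content-Disposition", "filename"))

def long_mime_filenames(raw: bytes, max_len: int = MAX_FILENAME):
    """Return [(header, parameter, length)] for every file name longer than max_len."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hits = []
    for part in msg.walk():  # top-level headers and every nested MIME part
        for header, param in FIELDS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # get_param() has already joined RFC 2231 continuations
            # (filename*0, filename*1, ...), so the length checked is the
            # reassembled name, not each fragment.
            name = collapse_rfc2231_value(value)
            if len(name) > max_len:
                hits.append((header, param, len(name)))
    return hits

def sample(ctype_name: str, disposition_params: str) -> bytes:
    """Build a constructed test message (not captured traffic)."""
    return (
        "From: a@example.test\r\nTo: b@example.test\r\n"
        "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        f'Content-Type: application/octet-stream; name="{ctype_name}"\r\n'
        f"Content-Disposition: attachment; {disposition_params}\r\n"
        "\r\nbody\r\n"
    ).encode("ascii")

BENIGN = sample("report.pdf", 'filename="report.pdf"')
OVERLONG = sample("A" * 300 + ".txt", 'filename="x.txt"')
# Each fragment is under the limit; only the reassembled name exceeds it.
SPLIT = sample("x.txt",
               'filename*0="' + "B" * 200 + '"; filename*1="' + "C" * 200 + '"')

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("overlong", OVERLONG), ("split", SPLIT)):
        print(label, long_mime_filenames(raw))
```

Measuring the name after parameter reassembly matters because a per-fragment length check would pass the split sample even though the receiving client sees a 400-character name.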
High
Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network MFS: 1.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Desktop: 8.0.614.1, BlackICE Agent for Server: 3.6, RealSecure Guard: 3.6, RealSecure Sentry: 3.6, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, RealSecure Network: 7.0, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, Virtual Server Protection for Vmware: 1.0
Various vendors Any application, Unix Unix, Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98
Unauthorized Access Attempt
Many popular MIME-compliant email clients are vulnerable to a denial of service attack caused by a buffer overflow in the handling of certain headers. By sending a specially-crafted mail message, an attacker can overflow a buffer and crash another user's client. It may be possible to use this vulnerability to execute arbitrary commands on the victim's computer.
For Sendmail:
Upgrade to the latest version of Sendmail (8.9.1a or later), as listed in CERT Advisory CA-1998-10. See References.
For Microsoft Outlook:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS98-008. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Microsoft Security Bulletin MS98-008
Update Available For Long file name Security Issue
http://www.microsoft.com/technet/security/bulletin/ms98-008.mspx
AusCERT Advisory AA-98.04
Sendmail, Inc. Patch for MIME Buffer Overflows
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.04.sendmail.MIME.patches
Sendmail 8.9.1a patch
MIME Buffer Overflows
ftp://ftp.sendmail.org/pub/sendmail/past-releases/sendmail.8.9.1a.patch.README
CERT Advisory CA-1998-10
Buffer Overflow in MIME-aware Mail and News Clients
http://www.cert.org/advisories/CA-1998-10.html
Sun Microsystems, Inc. Security Bulletin #00175
mailtool
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/175&type=0&nav=sec.sba
CERT Vulnerability Note VU#5648
Buffer Overflows in various email clients
http://www.kb.cert.org/vuls/id/5648
Netscape Security Update, August 14, 1998
Long Filename Mail Vulnerability
http://home.netscape.com/security/notes/previous/longfile.html
CIAC Information Bulletin I-077b
Mime Name Vulnerability in Outlook and Messenger
http://www.ciac.org/ciac/bulletins/i-077b.shtml
AusCERT Advisory AA-98.02
Microsoft Outlook Overrun Vulnerability
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow
ISS X-Force
MIME-compliant email client attachment buffer overflow
http://www.iss.net/security_center/static/1217.php
CVE
CVE-1999-0004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0004