Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, BlackICE Agent for Server, RealSecure Guard, RealSecure Sentry, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for VMware:
This signature detects a long MIME filename transferred over the POP3 protocol, which may indicate an attacker's attempt to overflow a buffer and execute code on a mail server. The signature triggers on the configurable threshold 'pam.mime.filename.limit' (default 256).
This signature detects a long MIME filename. This may indicate an attacker's attempt to overflow a buffer and execute code on a server.
Proventia Network IPS, Proventia Server IPS for Linux technology, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for VMware: Non-malicious long filenames can be somewhat common in some environments, and may cause this signature to trigger.
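The check described above, sketched as an added example (this is not the vendor's signature logic): it parses a retrieved message and reports attachment names longer than the 'pam.mime.filename.limit' default of 256. The function names, the sample message and the choice to count characters after joining RFC 2231 continuations are assumptions.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

# Default of 'pam.mime.filename.limit' as stated in the signature description.
FILENAME_LIMIT = 256

# MIME header parameters that carry an attachment name.
NAME_PARAMS = (("Content-Disposition", "filename"), ("Content-Type", "name"))


def long_mime_filenames(raw: bytes, limit: int = FILENAME_LIMIT):
    """Return (header, parameter, length) for each attachment name over limit.

    Assumption: "long" means strictly more than `limit` characters, counted
    after RFC 2231 continuations (filename*0, filename*1, ...) are joined.
    """
    findings = []
    for part in message_from_bytes(raw).walk():
        for header, param in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # get_param returns a 3-tuple for charset-encoded RFC 2231 values.
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                findings.append((header, param, len(name)))
    return findings


def sample_message(disposition: str) -> bytes:
    """Constructed single-part message, used only to exercise the check."""
    return (
        "From: sender@example.test\r\n"
        "To: rcpt@example.test\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Disposition: {disposition}\r\n"
        "\r\n"
        "body\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    split = 'attachment; filename*0="%s"; filename*1="%s"' % ("A" * 200, "B" * 200)
    for label, disp in (("benign", 'attachment; filename="report.pdf"'),
                        ("split across continuations", split)):
        print(label, long_mime_filenames(sample_message(disp)))
```

Where legitimate long filenames are common, pass a higher `limit` to see how many of the alerts would remain.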
High
Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network MFS: 1.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Desktop: 8.0.614.1, BlackICE Agent for Server: 3.6, RealSecure Guard: 3.6, RealSecure Sentry: 3.6, BlackICE PC Protection: 3.6.cbd, BlackICE Server Protection: 3.6.cbd, RealSecure Network: 7.0, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, Virtual Server Protection for VMware: 1.0
Various vendors Any application, Unix Unix, Microsoft Windows 95, Microsoft Windows NT: 4.0, Microsoft Windows 98
Unauthorized Access Attempt
Many popular MIME-compliant email clients are vulnerable to a denial of service attack caused by a buffer overflow in the handling of certain headers. By sending a specially crafted mail message, an attacker can overflow a buffer and crash another user's client. It may be possible to use this vulnerability to execute arbitrary commands on the victim's computer.
For Sendmail:
Upgrade to the latest version of Sendmail (8.9.1a or later), as listed in CERT Advisory CA-1998-10. See References.
For Microsoft Outlook:
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS98-008. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
Microsoft Security Bulletin MS98-008: Update Available For Long file name Security Issue <http://www.microsoft.com/technet/security/bulletin/ms98-008.mspx>
AusCERT Advisory AA-98.04: Sendmail, Inc. Patch for MIME Buffer Overflows <ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.04.sendmail.MIME.patches>
Sendmail 8.9.1a patch: MIME Buffer Overflows <ftp://ftp.sendmail.org/pub/sendmail/past-releases/sendmail.8.9.1a.patch.README>
CERT Advisory CA-1998-10: Buffer Overflow in MIME-aware Mail and News Clients <http://www.cert.org/advisories/CA-1998-10.html>
Sun Microsystems, Inc. Security Bulletin #00175: mailtool <http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/175&type=0&nav=sec.sba>
CERT Vulnerability Note VU#5648: Buffer Overflows in various email clients <http://www.kb.cert.org/vuls/id/5648>
Netscape Security Update, August 14, 1998: Long Filename Mail Vulnerability <http://home.netscape.com/security/notes/previous/longfile.html>
CIAC Information Bulletin I-077b: Mime Name Vulnerability in Outlook and Messenger <http://www.ciac.org/ciac/bulletins/i-077b.shtml>
AusCERT Advisory AA-98.02: Microsoft Outlook Overrun Vulnerability <ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow>
ISS X-Force: MIME-compliant email client attachment buffer overflow <http://www.iss.net/security_center/static/1217.php>
CVE: CVE-1999-0004 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0004>