|Name ||MIME Conversion |
|Summary ||An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME-compatible format and back. |
|Prerequisites ||The target system uses a mail server.
The mail server vendor has not released a patch for the MIME conversion routine, the patch itself has a security hole or does not fix the original problem, or the patch has not been applied to the user's system. |
|Solutions ||Stay up to date with third-party vendor patches
From "Exploiting Software", please see reference below.
Use the sendmail restricted shell program (smrsh)
Use mail.local |
|CWE ID ||Description |
|CWE-20 ||Improper Input Validation |
|CWE-74 ||Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
|CWE-119 ||Improper Restriction of Operations within the Bounds of a Memory Buffer |
|CWE-120 ||Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
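
The following is an added example, not part of the original entry and not any mail server's code. It shows the conversion from a MIME transfer encoding (quoted-printable) back to raw bytes with an explicit output capacity, the check whose absence is CWE-120. The names `qp_decode` and `hex_val` and the sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if the byte is not a hex digit. */
static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Decode quoted-printable in[0..in_len) into out[0..out_cap).
 * Returns bytes written, or -1 if the input is malformed or the result
 * would not fit. Never reads past in_len or writes past out_cap.
 */
long qp_decode(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    size_t i = 0, o = 0;
    while (i < in_len) {
        unsigned char c = (unsigned char)in[i];
        if (c == '=') {
            /* Soft line break ("=\n" or "=\r\n") produces no output. */
            if (i + 1 < in_len && in[i + 1] == '\n') { i += 2; continue; }
            if (i + 2 < in_len && in[i + 1] == '\r' && in[i + 2] == '\n') { i += 3; continue; }
            /* An escape needs two hex digits that lie inside the input. */
            if (in_len - i < 3) return -1;
            int hi = hex_val((unsigned char)in[i + 1]);
            int lo = hex_val((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = (unsigned char)(hi * 16 + lo);
            i += 3;
        } else {
            i += 1;
        }
        if (o >= out_cap) return -1;  /* bound check on every output byte */
        out[o++] = c;
    }
    return (long)o;
}

int main(void)
{
    const char *msg = "caf=C3=A9 =\r\nok";  /* constructed sample input */
    unsigned char buf[16];
    printf("%ld\n", qp_decode(msg, strlen(msg), buf, sizeof buf));
    return 0;
}
```

A caller should treat a return of -1 as a rejected message rather than retrying with a guessed larger buffer.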