Re: base64

To: BugTraq@xxxxxxxxxxxxxxxxx
Subject: Re: base64
From: Birl <sbirl@xxxxxxxxxx>
Date: Tue, 23 Sep 2003 12:18:31 -0400 (EDT)
Importance: Normal
In-reply-to: <E1A1Q8d-0004A3-00.alienhard-mail-ru@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <E1A1Q8d-0004A3-00.alienhard-mail-ru@xxxxxxxxxx>
Reply-to: BugTraq@xxxxxxxxxxxxxxxxx
Sensitivity: Normal

As it was written on Sep 22, thus "Ilya Teterin"  typed:

alienhard:  Consider we decoding data which contains padding character
alienhard:  ('=') at the unexpected place. What we should do with such
alienhard:  data? The specification of base64 decoding does not tell us
alienhard:  what we MUST or even MAY do with such data... So, we can do
alienhard:  anything we like to do:
alienhard:
alienhard:  1. threat padding character as end of the encoded data
alienhard:  2. ignore padding character
alienhard:  3. decode padding character as well as some other character from 
base64 alphabet
alienhard:  4. do something else ;-)
alienhard:
alienhard:  I have tested some popular implementations (such as email
alienhard:  clients, GNU utilities, RTL and other development's
alienhard:  libraries). All items (1)-(4) are actually present.
alienhard:
alienhard:  Is it dangerous? Sure. Consider antiviral software, which
alienhard:  implements behaviour (1), and e-mail client, which implements
alienhard:  behaviour (2). Attacker can insert padding character in the
alienhard:  beginning of the encoded data, and antiviral software will
alienhard:  think encoded data is empty. But e-mail client will think
alienhard:  differentother way ;-) So, bypassing of content-filtering and
alienhard:  antiviral protection is obvious subject for this issue.
alienhard:
alienhard:  How to solve this issue? I believe we should rewrite at least
alienhard:  filtering systems to block malformed base64-encoded data
alienhard:  because we don't know is it malicious or not. Otherwise, we
alienhard:  can meet new powerful e-mail worm.
alienhard:
alienhard:  -----
alienhard:  "Will research information security for food!"


Excuse my ignorance.  I tried to pook around some B64 attachements in my
email files for an answer.


Are you stating that an =

1) should not appear in B64 at all
2) should not appear in the middle of a line, but only at the EOLN
3) should only appear at the end of a B64 file


Answering that question could help me better determine how to write a
procmail filter for this.


Next question:  Does the = actually corrupt an attachment, assuming it's a
                legimate B64 file, or does the decode still succeed?

Thanks
Birl

Follow-Ups:
- Re: base64
  - From: Lothar Kimmeringer

References:
- base64
  - From: "Ilya Teterin"

Prev by Date: RE: base64
Next by Date: Re: Does VeriSign's SiteFinder service violate the ECPA?
Previous by thread: Re: base64
Next by thread: Re: base64
Index(es):
- Date
- Thread