Mailing List Archive

ripmime 1.4.0.0 freezing up on decoding certain attachment
Hi list,
I have an attachment that is getting stuck (using qscan w/ clamav btw, not
important here though); ripmime just hangs after 91138 bytes processed.
strace isn't helping me in this case (it just stops suddenly and I can't figure
out why; strace -p pid shows no output at all). In gdb it runs, and when I break
after it locks up I get this:

0x08054b89 in OLE_follow_chain (ole=0xbffec1e0, FAT_sector_start=0)
at ole.c:952
952 if (next_sector_location > (ole->FAT_limit -4)) break;

So I assume there is a loop here it can't break out of. OK, I looked at the
source; there is a do{}while block (lines 947-969) it's stuck in. Just
looking at it, I can't figure out what it's doing exactly.

Oh I just found --debug switch ... looks like it's looping forever here:

[snip]
ole.c:957:OLE_follow_chain:DEBUG: 0xA:10)->(0xB:11)
ole.c:957:OLE_follow_chain:DEBUG: 0xB:11)->(0xC:12)
ole.c:957:OLE_follow_chain:DEBUG: 0xC:12)->(0xA:10)
ole.c:957:OLE_follow_chain:DEBUG: 0xA:10)->(0xB:11)
ole.c:957:OLE_follow_chain:DEBUG: 0xB:11)->(0xC:12)
ole.c:957:OLE_follow_chain:DEBUG: 0xC:12)->(0xA:10)
etc

I have to admit lack of skill might be holding me back from cracking this
one, so I offer the mail message here:

http://www.gloom.org/~gauze/ripmime-example

This file is 397526 bytes in size.

This is ripmime 1.4.0.0 btw. Running with --verbose-defects produces no
output. The current dev tarball on the site has no changes to this loop.

Please note this attachment could be a virus of some sort; I have no idea. I
just saw 2 copies of ripmime hung in my mail queue.

Thank you,
brian
--
Never be afraid to tell the world who you are.
-- Anonymous
10:00:02 up 20 days, 12 min, 10 users, load average: 0.49, 0.25, 0.20
_______________________________________________
Ripmime-general mailing list
Ripmime-general@pldaniels.com
http://www.pldaniels.com/mailman/listinfo/ripmime-general
Re: ripmime 1.4.0.0 freezing up on decoding certain attachment
G'day Gaw,

Have a go with the 1.4-dev release, available at:

http://pldaniels.com/ripmime/ripmime-1.4.dev.tar.gz

I did fix up a couple of tight-loop situations like that recently, though they were all different.

Failing that working, try run with --no-ole in the parameter list

Paul.

--
PLDaniels - Software - Xamime
Unix systems Internet Development A.B.N. 19 500 721 806
PGP Public Key at http://www.pldaniels.com/gpg-keys.pld

Re: ripmime 1.4.0.0 freezing up on decoding certain attachment
I just tried the 1.4-dev on your mailpack, no luck, also loops.

For now, add --no-ole to your ripMIME parameter list. It's 01H31 here so I'm going to go get some sleep; when I wake up
in the morning I'll fix this for you.

Paul.


--
PLDaniels - Software - Xamime
Unix systems Internet Development A.B.N. 19 500 721 806
PGP Public Key at http://www.pldaniels.com/gpg-keys.pld

Re: ripmime 1.4.0.0 freezing up on decoding certain attachment
On Thu, 30 Sep 2004, Paul L Daniels wrote:

> G'day Gaw,

My name is actually brian (so as not to confuse the issue); Gaw Zay is just
how Japanese pronounce "Gauze".

> Have a go with the 1.4-dev release, available at:
>
> http://pldaniels.com/ripmime/ripmime-1.4.dev.tar.gz
>
> I did fix up a couple of tight-loop situations like that recently, though they were all different.

well I'll try it but as I mentioned the code didn't change between
1.4.0.0 stable and this dev tarball.

> Failing that working, try run with --no-ole in the parameter list

This sounds like a good idea. I'm virus scanning; have there been any
OLE embedded viruses ever? I want to be safe but it seems sane ...

thanks,
brian
--
Never be afraid to tell the world who you are.
-- Anonymous
11:00:02 up 20 days, 1:12, 10 users, load average: 0.20, 0.16, 0.19
Re: ripmime 1.4.0.0 freezing up on decoding certain attachment
On Wed, 29 Sep 2004, gaw zay wrote:

> On Thu, 30 Sep 2004, Paul L Daniels wrote:
>
> > G'day Gaw,
>
> my name is actually brian (so's not to confuse the issue) Gaw Zay is just
> how Japanese pronounce "Gauze")
>
> > Have a go with the 1.4-dev release, available at:
> >
> > http://pldaniels.com/ripmime/ripmime-1.4.dev.tar.gz
> >
> > I did fix up a couple of tight-loop situations like that recently, though they were all different.
>
> well I'll try it but as I mentioned the code didn't change between
> 1.4.0.0 stable and this dev tarball.
>
> > Failing that working, try run with --no-ole in the parameter list
>
> This sounds like a good idea. I'm virus scanning; have there been any
> OLE embedded viruses ever? I want to be safe but it seems sane ...

Quite possible. I haven't knowingly seen a virus in an embedded object,
but you can embed executable binaries quite easily.

Such a loop condition is rare in my experience (ie hasn't happened yet ;-)
but I've received many, many msoffice files with embedded binaries, so
unless you get these mailpacks that cause loops a lot I'd say the greater
risk is with not extracting OLE objects.

You could try embedding a virus-infected binary in say a word doc (just
drag and drop!) and see if your anti-virus program picks it up. From
memory I tried this and McAfee AV didn't (at that time, they may have
fixed this).

cheers, Phil



>
> thanks,
> brian
> --
> Never be afraid to tell the world who you are.
> -- Anonymous
> 11:00:02 up 20 days, 1:12, 10 users, load average: 0.20, 0.16, 0.19



Re: ripmime 1.4.0.0 freezing up on decoding certain attachment
Brian,

> my name is actually brian (so's not to confuse the issue) Gaw Zay is just
> how Japanese pronounce "Gauze")

Okay, I've spent the last 4 hours hacking away at my code. The problem was a little more complex than I had hoped.

Essentially, ripOLE was going around in circles (as you detected) trying to read the FAT chain. The interesting bit was
that it was cycling around after a sequence of reads, i.e. A->B->C->D->A, something I've not encountered before.

Ultimately, it's fixed now. I added in a detection system for such loops and ripOLE will now terminate and not bother
to try to read/decode the stream (as it's broken anyhow).

> > http://pldaniels.com/ripmime/ripmime-1.4.dev.tar.gz

Try this again, as I have since updated the code.

# ./ripmime -i validate/mailpacks/mailpack.gaw-ole-loop-1.4.0.0 -v -d /tmp
Decoding filename=textfile0
Decoding filename=textfile1
Decoding filename=Observations at MHHSwnames.doc
Decoding filename=Observations-TchrList.doc
Decoding filename=textfile2


Regards.



--
PLDaniels - Software - Xamime
Unix systems Internet Development A.B.N. 19 500 721 806
PGP Public Key at http://www.pldaniels.com/gpg-keys.pld
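
A sketch of the kind of loop detection described in the message above, as an added example (it is not ripOLE's actual fix and not code from this thread). The function names, status codes and the 16-entry FAT are constructed for illustration; the sample chain reproduces the 0xA -> 0xB -> 0xC -> 0xA cycle from the debug output, entered from a sector outside the cycle.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENDOFCHAIN 0xFFFFFFFEu            /* end-of-chain marker in an OLE2 FAT */
enum { CHAIN_OK = 0, CHAIN_LOOP = -1, CHAIN_RANGE = -2, CHAIN_NOMEM = -3 };

static uint32_t get_le32(const unsigned char *fat, uint32_t idx) {
    const unsigned char *p = fat + (size_t)idx * 4;
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put_le32(unsigned char *fat, uint32_t idx, uint32_t v) {
    for (int i = 0; i < 4; i++) fat[(size_t)idx * 4 + i] = (unsigned char)(v >> (8 * i));
}

/* Hypothetical checked walker: one bit per FAT entry records visited sectors,
 * so any cycle is caught on its first repeat, wherever it starts. */
int follow_chain_checked(const unsigned char *fat, uint32_t entries,
                         uint32_t start, uint32_t *length) {
    unsigned char *seen = calloc(entries / 8 + 1, 1);
    uint32_t cur = start, n = 0;
    int rc = CHAIN_OK;
    if (!seen) { *length = 0; return CHAIN_NOMEM; }
    while (cur != ENDOFCHAIN) {
        if (cur >= entries) { rc = CHAIN_RANGE; break; }  /* points outside the FAT */
        if (seen[cur >> 3] & (1u << (cur & 7))) { rc = CHAIN_LOOP; break; }
        seen[cur >> 3] |= (unsigned char)(1u << (cur & 7));
        n++;                                              /* sector accepted */
        cur = get_le32(fat, cur);
    }
    free(seen);
    *length = n;
    return rc;
}

/* Constructed 16-entry FAT: 2 -> 0xA -> 0xB -> 0xC, then back to 0xA or to the end. */
void build_sample_fat(unsigned char fat[64], int looped) {
    memset(fat, 0xFF, 64);                /* 0xFFFFFFFF = free sector */
    put_le32(fat, 0x2, 0xA);
    put_le32(fat, 0xA, 0xB);
    put_le32(fat, 0xB, 0xC);
    put_le32(fat, 0xC, looped ? 0xA : ENDOFCHAIN);
}

int main(void) {
    unsigned char fat[64];
    uint32_t len;
    build_sample_fat(fat, 1);
    int rc = follow_chain_checked(fat, 16, 2, &len);
    printf("looped chain: rc=%d after %u sectors\n", rc, (unsigned)len);
    return 0;
}
```

The visited bitmap bounds the walk at one step per FAT entry, so a malformed chain costs at most `entries` iterations instead of hanging the scanner.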
