I have been doing some testing on our e-mail filtering software here, and have found a number of things. I have only tested the one product, however I'd say more are vulnerable to this type of attack.

The general idea is to make the e-mail system think one thing, and the e-mail client think another. Same principle as IDS systems mimicking the behaviour of the IP stack of the machines behind it.

I'm assuming the client is Outlook/Outlook Express. Here are a few things that our gateway trips up on.

- Extensions with quotes.

  evilworm.v"b"s or even evilworm."v"""b"s" or whatever combination you want. When you open this attachment in Outlook/Outlook Express it takes out the quotes... (I noticed after I ran Windows Update one day that Outlook Express stopped doing this and replaced the quotes with _. Outlook however does still do it.)

- Double 'Content-Disposition' lines

  This is probably more specific to the gateway tested, but if you put 2 lines for Content-Disposition, each one specifying a different filename, Outlook uses the first one, the gateway used the second one. So you would have

    Content-Disposition: attachment; filename="evil.vbs"
    Content-Disposition: attachment; filename="nice.txt"

  And it gets let through.

- Outlook Express and Content-Type

  Outlook Express (and Outlook, but not as often) will sometimes automatically put an extension on an attachment if it is not given a name in the MIME headers. For example, if the headers for your attachment are

    Content-Type: audio/x-wav
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: attachment

  Outlook Express will give it a name like ATT00012.wav. It doesn't do it with all content-types though. A useful one would be application/hta and it will append a .hta extension on to it. Outlook only does a few, none of them are useful as far as I can tell. (Maybe text/html, but if that's a problem so is any HTML mail.)

In general, I'd say most gateways don't take this kind of thing into consideration.
That's why I'm posting to vuln-dev, maybe some of you can test your own mail gateways.

_________________________________________
Aidan O'Kelly
Systems Administrator
okellyat_private
Xnet - The Data Storage People
Dublin: +353 (1) 2740 100   Belfast: +44(28) 9073 5872
www.xnet.ie | storageat_private
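A small audit script, added here as an example and not part of Aidan's post or any gateway product, that parses a raw message with Python's standard email module and flags the three header ambiguities described above the way a gateway should judge them: it normalises filenames as the client does before checking the extension, reports every duplicate Content-Disposition line rather than trusting one of them, and flags unnamed attachments of a type the client is said to auto-name. The risky-extension and auto-name lists and the sample message are constructed assumptions.

```python
import email
import re

# Executable extensions and MIME types the client auto-names (constructed lists)
RISKY_EXTS = {"vbs", "hta", "exe", "js", "scr", "pif"}
RISKY_AUTONAME_TYPES = {"application/hta"}
FILENAME_RE = re.compile(r"filename\s*=\s*([^;\r\n]*)", re.IGNORECASE)

def audit_part(part):
    """Findings for one MIME part, judged the way the client would see it."""
    findings = []
    dispositions = part.get_all("Content-Disposition") or []
    names = [m.group(1).strip() for m in map(FILENAME_RE.search, dispositions) if m]
    if len(dispositions) > 1:  # gateway and client may pick different lines
        findings.append("duplicate Content-Disposition: " + ", ".join(names))
    for raw in names:
        cleaned = raw.replace('"', "").strip().lower()  # what the client opens
        if '"' in raw.strip('"'):  # quotes inside the name, not just around it
            findings.append(f"quoted filename {raw} -> {cleaned}")
        if cleaned.rsplit(".", 1)[-1] in RISKY_EXTS:
            findings.append(f"risky extension after normalising: {cleaned}")
    ctype = part.get_content_type()
    if dispositions and not names and ctype in RISKY_AUTONAME_TYPES:
        findings.append(f"unnamed attachment of type {ctype}")
    return findings

def audit_message(raw_mail):
    msg = email.message_from_string(raw_mail)  # compat32 keeps headers raw
    return [f for part in msg.walk() for f in audit_part(part)]

# Constructed sample reproducing the three header tricks from the post
SAMPLE_MAIL = """\
From: sender@example.invalid
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=evilworm.v"b"s

--B
Content-Type: text/plain
Content-Disposition: attachment; filename="evil.vbs"
Content-Disposition: attachment; filename="nice.txt"

--B
Content-Type: application/hta
Content-Disposition: attachment

--B--
"""
```

Running `audit_message(SAMPLE_MAIL)` yields five findings, one or two per part; a plain audio/x-wav attachment without a filename produces none, since the auto-assigned .wav name is not executable.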
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 21:51:22 PDT