RE: E-Mail Content Filtering Systems.

From: Paul Rogers (paul.rogers@mis-cds.com)
Date: Fri Jul 20 2001 - 03:44:13 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hi Aidan,
    
    We found a similar issue in MailSweeper at the beginning of the year
    and contacted Baltimore regarding this issue. They decided that it
    wasn't a serious issue and begrudgingly released an advisory about it
    on their website and classified it as a low risk issue. The advisory
    on Baltimore's site can be found at:
    
    http://www.contenttechnologies.com/support/technotes/notes/1102.asp
    
    Our own advisory is below (I've modified the extension to v*b*s to
    prevent it being blocked at the e-mail gateways). Attached is a quick
    'n' dirty PERL script I knocked together at the time (note the script
    also has the v*b*s modification made to it).
    
    Systems affected:
    - -----------------
    
    MAILsweeper 4.2.* (not tested other e-mail content filtering
    systems).
    
    Affected:
    - ---------
    
    Companies or organisations relying upon MAILsweeper or other e-mail
    content filtering systems to protect themselves against viruses or
    malicious attachments by blocking e-mails via attachment filename.
    
    Vendor status:
    - --------------
    
    Content Technologies (MAILsweeper) - liaised with the vendor to
    provide a workaround and solution to the issue identified (15th
    February - 9th March 2001).
    
    Overview:
    - ---------
    
    A large number of organisations including many IT Security companies
    utilise MAILsweeper by Content Technologies (now Baltimore) to
    protect and prevent malicious viruses and / or attachments from
    entering their networks. However, a situation has been brought to our
    attention where a malicious user can bypass content filtering systems
    in place.
    
    When an administrator sets up file blocking using a filter (File
    Blocker), this restriction can be bypassed by malforming an e-mail
    attachment header to trick the system into letting the e-mail through
    to the user. This can lead to viruses and files that the
    administrator would like to restrict, entering the network and
    possibly leading to denial of service and data destruction scenarios.
    
    No previously known issues were found to be present on the vendor's
    website and security archives on the internet.
    
    Issue:
    - ------
    
    When a user sends an e-mail to another user with an attachment, the
    e-mail will include the mail headers, the body of the e-mail, the
    attachment headers and the attachment (typically MIME encoded):
    
    Return-Path: user_aat_private
    From: User A <user_aat_private>
    To: User B <user_bat_private>
    Subject: Fw: FYI
    Date: Thurs, 22 Feb 2001 13:38:19 -0000
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.23)
    Content-Type: multipart/mixed ;
    boundary="----_=_NextPart_000_02D35B68.BA121FA3"
    Status: RO
    
    This message is in MIME format. Since your mail reader does not
    understand this format, some or all of this message may not be legible.
    
    - ------_=_NextPart_000_02D35B68.BA121FA3
    Content-Type: text/plain; charset="iso-8859-1"
    
    Hi,
    
    Just popping a note to say hi!
    
    Cheers,
    
    User B.
    
    
    
    
    - ------_=_NextPart_000_02D35B68.BA121FA3
    Content-Type: text/plain;
            name="virus.v*b*s"
    Content-Disposition: attachment;
            filename="virus.v*b*s"
    
    ' Test Virus
    ' Blah blah blah
    ' Do something devastating here!
    
    
    
    - ------_=_NextPart_000_02D35B68.BA121FA3
    
    You will see from the attachment headers at the end of the e-mail
    that the filename of the attachment is defined twice. The issue that
    allows a malicious e-mail to bypass Mailsweeper's File Blocking is
    that the blocking agent only checks the first filename (set in the
    Content-Type line) against the filter set up by an administrator and
    therefore ignores the second filename (set in the Content-Disposition
    line).
    
    The Outlook e-mail client uses the second filename to define the name
    of the attachment to open / run. Therefore it is possible to malform
    an e-mail by changing the first filename definition to a valid type
    that will not be stopped by Mailsweeper. If a File Blocking filter is
    in place to block all attachments with filenames of *.vb*, the above
    e-mail will be correctly and successfully blocked. However, if the
    second e-mail is passed through the Mailsweeper system, it will not
    be blocked and successfully delivered to the user (assuming .doc
    files are also not being blocked).
    
    Return-Path: user_aat_private
    From: User A <user_aat_private>
    To: User B <user_bat_private>
    Subject: Fw: FYI
    Date: Thurs, 22 Feb 2001 13:38:19 -0000
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.23)
    Content-Type: multipart/mixed ;
    boundary="----_=_NextPart_000_02D35B68.BA121FA3"
    Status: RO
    
    This message is in MIME format. Since your mail reader does not
    understand this format, some or all of this message may not be legible.
    
    - ------_=_NextPart_000_02D35B68.BA121FA3
    Content-Type: text/plain; charset="iso-8859-1"
    
    Hi,
    
    A note to say hi!
    
    Cheers,
    
    User B.
    
    
    
    
    - ------_=_NextPart_000_02D35B68.BA121FA3
    Content-Type: text/plain;
            name="test.doc"
    Content-Disposition: attachment;
            filename="virus.v*b*s"
    
    ' Test Virus
    ' Blah blah blah
    ' Do something devastating here!
    
    
    
    - ------_=_NextPart_000_02D35B68.BA121FA3
    
    Workaround / Fix / Solution:
    - ----------------------------
    
    Baltimore has released a workaround and utility to help prevent this
    issue from being exploited. Please use the "Data Type Manager" where
    applicable and install the script.exe utility to check for malicious
    threats (available from
    http://www.contenttechnologies.com/download/extras/free_utilities.asp#Script%20Tool).
    
    Disclaimer:
    - -----------
    
    Nothing is 100% secure; the risk of being hacked / cracked is always
    improbable, never impossible. This information is provided as is and
    MIS-CDS do not take responsibility for use / re-use of information
    provided above.
    
    Cheers,
    
    Paul Rogers,
    Network Security Analyst.
    
    MIS Corporate Defence Solutions Limited
    
    Tel:		+44 (0)1622 723422 (Direct Line)
    		+44 (0)1622 723400 (Switchboard)
    Fax:		+44 (0)1622 728580 
    Website:	http://www.mis-cds.com/
    
    > -----Original Message-----
    > From: Aidan O'Kelly [mailto:okellyat_private]
    > Sent: 19 July 2001 15:57
    > To: VULN-DEV (E-mail)
    > Subject: FW: E-Mail Content Filtering Systems.
    > 
    > 
    ** Aidan's mail snipped **
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.3
    
    iQA/AwUBO1gNJ7nKcoQ5QY/3EQJVbwCfbzrzYmbVeHrf2uVeFz/2c+Fi8b0AnjS9
    qAeBG7dT1HmwglPAA95ExW1a
    =xZ1e
    -----END PGP SIGNATURE-----
    
    **********************************************************************
    The information contained in this message or any of its attachments may be
    privileged and confidential and intended for the exclusive use of the
    addressee. If you are not the addressee any disclosure, reproduction,
    distribution or other dissemination or use of this communications is
    strictly prohibited. 
    
    The views expressed in this e-mail are those of the individual and not
    necessarily of MIS Corporate Defence Solutions Ltd. Any prices quoted are
    only valid if followed up by a formal written quote.
    
    If you have received this transmission in error, please contact our Security
    Manager on 44 (0) 1622 723400.
    **********************************************************************
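    A gateway-side check of the kind the advisory asks for, written as an added example for this post (not MAILsweeper's or MIS-CDS's code): it reads both filename parameters of every MIME part, applies the block filter to each of them, and also flags the case where the two names disagree. The sample message is constructed after the advisory's second example, with a plain .vbs extension in place of the obfuscated one; the `check_message` function and its tuple format are this example's own.

```python
# Check each MIME part against an attachment block list using BOTH filename
# sources (Content-Type name= and Content-Disposition filename=) so a mismatch
# cannot slip a blocked type past the filter. Added example, not MAILsweeper's code.
import fnmatch
from email import message_from_string
from email.policy import default

# Constructed sample modelled on the advisory's second message.
SAMPLE_MESSAGE = """\
From: User A <user_a@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_02D35B68.BA121FA3"

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

A note to say hi!

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
        name="test.doc"
Content-Disposition: attachment;
        filename="virus.vbs"

' Test Virus

------_=_NextPart_000_02D35B68.BA121FA3--
"""

def check_message(raw, blocked_patterns):
    """Return one (reason, content_type_name, disposition_filename) tuple per
    part to stop: a filename matching a block pattern, or the two filenames
    disagreeing on extension (the evasion the post describes)."""
    findings = []
    for part in message_from_string(raw, policy=default).walk():
        if part.is_multipart():
            continue
        ct_name = part.get_param("name")  # Content-Type name=
        cd_name = part.get_param("filename", header="content-disposition")
        names = [n for n in (ct_name, cd_name) if n]
        if not names:
            continue  # plain body text, nothing to filter on
        hit = next((p for p in blocked_patterns
                    if any(fnmatch.fnmatch(n.lower(), p) for n in names)), None)
        if hit:
            findings.append(("blocked by filter " + hit, ct_name, cd_name))
        elif ct_name and cd_name and \
                len({n.rsplit(".", 1)[-1].lower() for n in names}) > 1:
            findings.append(("filename mismatch", ct_name, cd_name))
    return findings
```

With the advisory's `*.vb*` filter the attachment is stopped on its Content-Disposition name even though the Content-Type name looks like a .doc; with a filter that matches neither name, the extension disagreement alone is reported.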
    
    
    



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 08:24:15 PDT