[FLUG] Re: [aviram@beyondsecurity.com: Bypassing SMTP Content Protection with a Flick of a Button]
- From: "PeG" <djpeg@xxxxxxxxx>
- To: <fanolug@xxxxxxxxxxxxx>
- Date: Mon, 23 Sep 2002 19:11:28 +0200
Mailing List del Fortunae LUG
=============================
Uh anzi no... il client non ha riassemblato l'email ma l'ha divisa in 5
parti... qundi non è vulnerabile a questo tipo di attacco ma gli altri sì
:((
Bauz
----- Original Message -----
From: "BlueRaven" <blueraven@xxxxxxxxx>
To: "ML fanolug" <fanolug@xxxxxxxxxxxxx>
Sent: Friday, September 20, 2002 11:34 PM
Subject: [FLUG] [aviram@xxxxxxxxxxxxxxxxxx: Bypassing SMTP Content
Protection with a Flick of a Button]
> Mailing List del Fortunae LUG
> =============================
>
> Gecco aveva postato il link in fondo, io vi forwardo la spiegazione
tecnica
> del perche' dovreste visitarlo (direttamente da Bugtraq).
> E' molto confortante sapere che anche una feature apparentemente benevola
> puo' essere usata a scopi maligni. :-(
>
> ----- Forwarded message from Aviram Jenik
<aviram@xxxxxxxxxxxxxxxxxx> -----
>
> From: "Aviram Jenik" <aviram@xxxxxxxxxxxxxxxxxx>
> To: <bugtraq@xxxxxxxxxxxxxxxxx>
> Subject: Bypassing SMTP Content Protection with a Flick of a Button
> Date: Thu, 12 Sep 2002 15:45:03 +0200
>
>
>
> Bypassing SMTP Content Protection with a Flick of a Button
> ------------------------------------------------------------------------
>
> Article reference:
> http://www.securiteam.com/securitynews/5YP0A0K8CM.html
>
>
> SUMMARY
>
> Forget underground hacking tools. How about using Outlook Express as
> your attack platform?
>
> Beyond Security's SecurITeam has discovered a new method of bypassing
> many SMTP-based content filter engines.
> This discovery is alarming since it requires from the attacker nothing
> more than an Outlook Express client and employs a rarely-used feature
> called 'message fragmentation and re-assembly' that is available in
> Outlook Express. Using this feature, an attacker can send e-mails that
> will bypass most SMTP filtering engines including gateway Virus
> scanners, content filters, Firewalls that do SMTP checking, etc.
>
> DETAILS
>
> One of the least known features of Outlook Express allows Internet and
> Intranet users to split up sent messages. This allows slow connecting
> users to send smaller segments of a larger email in multiple emails,
> whereas the receiving client will automatically join them into a single
> message. This RFC documented feature called "Message Fragmentation and
> Reassembly" (RFC2046, section 5.2.2.1) allows anyone to bypass most of
> the security restrictions imposed on email messages, due to the fact
> that messages are spliced into smaller segments that will not be
> detected by virus scanners or other content testing mechanisms.
>
> Possibly affected:
> Any email filtering, virus checking, and content checking mechanism that
> is unable to assemble a fragmented email to its complete form.
>
> Technical details:
> The main idea behind the RFC 2046 message fragmentation is to enable
> users to send large files as several partial messages, while making it
> transparent to the recipient, who will receive a single message rather
> than multiple smaller files.
>
> Fragmentation and Reassembly example:
> If a binary attachment is broken into two pieces, the first piece might
> look something like this:
>
> X-Weird-Header-1: Foo
> From: Bill@xxxxxxxx
> To: joe@xxxxxxxxxxxxx
> Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
> Subject: First mail (part 1 of 2)
> Message-ID:
> MIME-Version: 1.0
> Content-type: message/partial; id="ABC@xxxxxxxx";
> number=1; total=2
>
> X-Weird-Header-1: Bar
> X-Weird-Header-2: Hello
> Message-ID:
> Subject: Audio mail
> MIME-Version: 1.0
> Content-type: application/binary
> Content-transfer-encoding: base64
>
> VIRUS
>
> And the second half might look something like this:
>
> From: Bill@xxxxxxxx
> To: joe@xxxxxxxxxxxxx
> Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
> Subject: Second mail (part 2 of 2)
> MIME-Version: 1.0
> Message-ID:
> Content-type: message/partial;
> id="ABC@xxxxxxxx"; number=2; total=2
>
> SIGNATURE
>
> When the fragmented message is reassembled, the resulting message will
> look something of the sorts of:
>
> X-Weird-Header-1: Foo
> From: Bill@xxxxxxxx
> To: joe@xxxxxxxxxxxxx
> Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
> Subject: Mail
> Message-ID:
> MIME-Version: 1.0
> Content-type: application/binary
> Content-transfer-encoding: base64
>
> VIRUS
> SIGNATURE
>
> Since the emails traversing though the product will be the first email
> and the second email, and not the completed form, any product looking
> for the phrase "VIRUS SIGNATURE" will fail to detect the Virus, and the
> message will pass undetected. Similarly, if compressed files are
> involved, a product will try to decompress them in order to look into
> its content, but will be unable to do so since each email contains only
> a fragment of the compressed file.
>
> So far, the only client that we found to support this feature with a
> "flick of a button" is Microsoft's Outlook Express. This mail client
> supports an option that allows fully transparent fragmentation and
> reassembly of messages. The reassembly feature is enabled by default,
> while the fragmentation feature is not. Note though, that it can be
> easily enabled by going to: Tools -> Accounts -> Choose your email
> account -> Advanced -> Sending / Break apart messages larger than [...].
> No other mail client we have checked supports this feature including
> Microsoft Outlook. However, Outlook Express is widely used in both
> Cooperate and Home environments making this issue a possible high-risk
> situation.
>
> Impact:
> Anyone wishing to bypass SMTP filtering engines can utilize the
> mentioned method to bypass most types of content checking, and deliver
> its payload to the end-client without any trouble, whether it is a
> Virus, Trojan or a file type that is not allowed by the corporate
> policy.
>
>
> Workaround:
> It seems that by embedding email footer (company disclaimer, privacy
> note, etc) to each outgoing email traversing though the content filter
> it is possible to completely hamper the effective usage of this attack.
> However, since this is an RFC documented feature that may be used in
> Outlook Express for legitimate purposes, this legitimate usage will be
> hampered as well.
>
> A vendor solution to this vulnerability would be to include a
> reassembling agent at the server that will not allow any non-reassembled
> message to traverse through it.
>
>
> Vendor response - Check Point:
> "Neither the latest 4.1 nor the latest NG versions of FW-1 are
> vulnerable to this problem. A few details follow:
>
> 1. FW-1 does not directly analyze the body of attachments. In that
> respect, the vulnerability is not applicable to FW-1.
>
> 2. FW-1 has the capability to easily filter these types of messages, by
> specifying "message/partial" in the "Strip MIME of type:" section of the
> resource definition.
>
> 3. FW-1 does serve as a platform for third party vendors to check
> attachments for viruses via the "CVP" OPSEC mechanism. When defining a
> CVP server, a message box is presented to the administrator (when
> approving the resource) that says:
>
> "When CVP server is used it is recommended to strip MIME of type
> 'message/partial'. Do you want to add 'message/partial'?"
>
> Pressing "Yes" will automatically add 'message/partial' to the
> appropriate place in the resource definition.
>
> We therefore believe is safe to say that not only are we not vulnerable
> to this problem ourselves, we also protect 3rd party opsec partners from
> falling for this pitfall."
>
>
> Vendor response - GFI:
> GFI MailSecurity for Exchange/SMTP 7.2 has been updated to detect this
> exploit as "fragmented message" through its email exploit detection
> engine and quarantines it at server level.
>
> GFI patch URL:
> GFI's latest version of MailSecurity for Exchange is patched against
> this problem. For more information, see:
> <http://www.gfi.com/mailsecurity/> http://www.gfi.com/mailsecurity/
>
>
> Vendor response - Symantec:
> "Symantec has been aware for some time of the potential malicious use of
> this email feature. As a result, all currently supported Symantec
> gateway products, by default, block multi-part MIME messages at the
> gateway. While this is a configurable feature of Symantec gateway
> products and can be enabled if multi-part email is required, the
> rejection of segmented messages should be a part of a company's
> comprehensive security policy to restrict potentially harmful content
> from the internal network.
>
> Additionally, should known malicious code be delivered to a client
> computer in this manner, the Symantec and Norton AntiVirus scanning
> products will detect it when it is reassembled and downloaded to the
> client computer and/or during attempted execution on the targeted
> computer. As always, if previously unknown malicious code is being
> distributed in this manner, Symantec Security Response will react and
> send updated virus definitions via LiveUpdate to detect the new threat."
>
> A full formal response from Symantec should be shortly available at:
>
> <http://securityresponse.symantec.com/avcenter/security/SymantecAdvisori
> es.html>
> http://securityresponse.symantec.com/avcenter/security/SymantecAdvisorie
> s.html
> (Under "Multiple SMTP bypass")
>
>
> Vendor response - TrendMicro:
> "We have confirmed that our product InterScan VirusWall 3.5x for NT is
> affected by the vulnerability mentioned by Beyond Security Ltd.
> regarding fragmented e-mails. In order to resolve this problem, we have
> released a patch in order to address this particular concern for
> InterScan VirusWall for NT. The said patch can be downloaded from the
> following FTP server:
> <ftp://ftp-download.trendmicro.com.ph/Gateway/ISNT/3.52/>
> ftp://ftp-download.trendmicro.com.ph/Gateway/ISNT/3.52/
>
> The said hotfix is named:
> Hotfix_build1494_v352_Smtp_case6593.zip
>
> The hotfix mentioned above contains a Readme file which should include
> the necessary instructions on how to apply the patch.
>
> Our other mail gateway product, InterScan MSS v5.01 is not affected by
> this vulnerability provided that you apply the latest hotfixes which can
> be downloaded from our website at:
> <http://www.antivirus.com/download> www.antivirus.com/download
> "
>
>
> Vendor response - SonicWALL:
> We could not assert whether SonicWALL is vulnerable to this attack and
> were unable to receive a response from SonicWALL despite several contact
> attempts.
>
>
> Vendor response - NAI:
> We could not assert whether any of NAI's products is vulnerable to this
> attack and were unable to receive a response from NAI despite several
> contact attempts.
>
> Vendor response - Cisco:
> The following response was received from Cisco's security contact on
> September 1st:
> "We are still working on this issue, and I do not have the latest
> information. We will follow up in a few days."
>
>
> CERT:
> We have received a response from CERT indicating that they have informed
> several vendors about the issue, but were unable to receive an updated
> status in the last few weeks. CERT is tracking this issue as VU#836088.
>
>
> ADDITIONAL INFORMATION
>
> GFI Email Security Testing Zone:
> GFI has set up an email security testing engine that can be used to test
> your system for the mentioned vulnerability. This testing zone is
> available at:
> <http://www.gfi.com/emailsecuritytest/>
> http://www.gfi.com/emailsecuritytest/
>
> The information has been provided by <mailto:noamr@xxxxxxxxxxxxxxxxxx>
> Noam Rathaus, Beyond Security Ltd.
>
> --
> Aviram Jenik
> Beyond Security Ltd.
> http://www.BeyondSecurity.com
> http://www.SecuriTeam.com
>
> Know that you're safe:
> http://www.AutomatedScanning.com
>
> ----- End forwarded message -----
>
> --
> BlueRaven
>
> There are only 10 types of people in this world...
> those who understand binary, and those who don't.
> --
> <simon> ho capito una cosa stasera, non devo uscire quando non ho voglia
di uscire...
--
<simon> ho capito una cosa stasera, non devo uscire quando non ho voglia di
uscire...
Other related posts:
