Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issue
From: Martin O'Neal (martin.oneal@CORSAIRE.COM)
Date: Fri, 7 Mar 2003 18:54:51 -0000
From: Martin O'Neal <martin.oneal@CORSAIRE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
-- Corsaire Security Advisory --
Title: Clearswift MAILsweeper MIME attachment evasion issue
Application: Clearswift MAILsweeper 4.x
Environment: Windows NT 4.0, Windows 2000,
Author: Martin O'Neal [firstname.lastname@example.org]
Audience: General distribution
-- Scope --
The aim of this document is to clearly define a MIME attachment evasion
issue in the MAILsweeper product, as supplied by Clearswift Ltd. 
-- History --
Vendor notified: 03.03.03
Uncoordinated vendor advisory released: 05.03.03
Document released: 06.03.03
Unfortunately the release of this advisory has not followed a
particularly smooth path. The main reason for the rapid release schedule
is due to an uncoordinated and unattributed advisory from Clearswift,
released under their ThreatLab banner. Once this was made public, there
seemed little point in delaying publishing the Corsaire advisory.
For the record, the sole response we have had from Clearswift in regard
to this issue has been an apology from Pete Simpson (ThreatLab Manager)
for the unattributed release (received after we complained about the
omission). Other than this, no one from Clearswift has responded to the
original advisory, or any of the follow-up emails.
-- Overview --
The MAILsweeper product provides policy based, email content security
functionality. Part of this functionality allows the product to block
attachments based on their specific content type.
However, by using malformed MIME encapsulation techniques this
functionality can be evaded.
-- Analysis --
The attachment detection functionality works by recursively analysing
the email message body and attachments for container constructs (such as
MIME), decoding these and then comparing the contents against a
If a deliberately malformed MIME encapsulation technique is used, the
MAILsweeper product will not recognise the attachment and will allow it
to pass unhindered.
However, not all client applications require strict standards compliance
and some will happily accept and process the malformed attachment.
-- Proof of concept --
For this proof of concept, the MIME encapsulation is simply modified to
remove the MIME-Version header field. An example of an application that
will process a MIME construct that is malformed in this way is Microsoft
Whilst RFC2045 states that all agents must include this field, it
then goes on to say that "In the absence of a MIME-Version field, a
receiving mail user agent (whether conforming to MIME requirements or
not) may optionally choose to interpret the body of the message
according to local conventions."
Step 1: On the MAILsweeper host create a new Data Type Manager with only
the Executable type selected. Save and restart the MAILsweeper Security
Step 2: Now create a text file that will be used to hold the MIME
encoded attachment. Start notepad (or another text editor), and paste
Step 3: To reproduce this issue, send an email containing the attachment
created in step 2 that will be processed by the scenario from step 1.
This should result in a successful discovery condition.
Step 4: Reopen the attachment from step 2 and remove the first line
(MIME-Version: 1.0), then resend the attachment as per step 3. This
should result in the attachment not being spotted as an executable.
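As an added defender-side example (not part of the Corsaire advisory or of any Clearswift tool), the following Python check parses a message the way a liberal client would, enumerating attachments regardless of whether MIME-Version is present, and flags the combination the advisory describes: MIME structure without a MIME-Version header. The sample message and its attachment are constructed placeholders.

```python
import email
from email import policy

# Constructed sample: a well-formed multipart message with one attachment.
# The base64 payload decodes to the text "placeholder", not an executable.
WELL_FORMED = b"""MIME-Version: 1.0
From: sender@example.com
To: recipient@example.com
Subject: test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream; name="payload.exe"
Content-Disposition: attachment; filename="payload.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""


def strip_mime_version(raw: bytes) -> bytes:
    """Produce the step 4 variant of a message (MIME-Version header removed)."""
    lines = raw.split(b"\n")
    return b"\n".join(l for l in lines if not l.lower().startswith(b"mime-version:"))


def find_attachments(raw: bytes) -> list:
    """Walk MIME parts the way a liberal client does, ignoring MIME-Version."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            names.append(filename or "<unnamed>")
    return names


def classify(raw: bytes) -> dict:
    """Report whether the message carries MIME structure but omits MIME-Version."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_version = msg.get("MIME-Version") is not None
    attachments = find_attachments(raw)
    return {
        "mime_version": has_version,
        "attachments": attachments,
        # A strict gateway keyed on MIME-Version would miss this case.
        "malformed_mime": (not has_version) and (msg.is_multipart() or bool(attachments)),
    }
```

A gateway policy that treats `malformed_mime` as a block or quarantine condition covers the evasion in this advisory without depending on the client's leniency.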
-- Recommendations --
To be an effective tool, the MAILsweeper product must not only be able
to process encoding techniques implemented as per the relevant standard,
but also common misinterpretations.
As an ongoing process, a study project should be undertaken by
Clearswift to identify applications that routinely decode MIME objects
and have a liberal interpretation of the MIME standard.
In response to this advisory, Clearswift have produced an updated script
utility that can detect the malformed MIME header used in this example.
This should be implemented until a more permanent solution is
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0121 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
-- References --
-- Revision --
a. Initial release.
b. Minor revision.
c. Added CVE reference.
d. Added Clearswift script tool reference.
-- Distribution --
This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
Copyright 2003 Corsaire Limited. All rights reserved.
Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000 Email:email@example.com