[NT] Zone Labs IMsecure Active Link Filter Bypassing

From: SecuriTeam (support_at_securiteam.com)
Date: 11/16/04

  • Next message: SecuriTeam: "[EXPL] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability (Exploit)" 
    To: list@securiteam.com
Date: 16 Nov 2004 19:02:18 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Zone Labs IMsecure Active Link Filter Bypassing
    ------------------------------------------------------------------------

    SUMMARY

    Zone Lab's IMsecure allows a user to further protect his computer from
    malicious content by actively filtering potentially dangerous URLs
    containing files with extensions such as vbs, scr and exe. A vulnerability
    in the Zone Lab's IMsecure allows an attacker to bypass this protection by
    encoding part of the extension.

    DETAILS

    Vulnerable Systems:
     * ZoneLabs IMsecure and IMsecure Pro version 1.4 and prior

    Immune Systems:
     * ZoneLabs IMsecure and IMsecure Pro version 1.5

    The active link filter is programmed to block any potentially dangerous
    URLs in IM messages. For example, IMsecure will remove URLs with
    extensions of .vbs, and .exe. By encoding characters in the file extension
    of the URL, it is possible to bypass the Zone Lab's active link filtering
    mechanism.

    Proof of Concept:
    While IMsecure's protection mechanism is enabled accessing:
    http://www.example.com/somefile.e%78e would allow to download an otherwise
    blocked executable file. In the example, "78" is the encoded form of "x".

    ADDITIONAL INFORMATION

    The information has been provided by Paul Kurczaba.
    The original article can be found at:
    <http://www.kurczaba.com/html/security/0410141.htm>
    http://www.kurczaba.com/html/security/0410141.htm

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability (Exploit)"