[NT] Antigen for Exchange and SMTP Rule Bypassing Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 09/20/05

  • Next message: SecuriTeam: "[REVS] Writing Small Shellcode In Windows" 
    To: list@securiteam.com
Date: 20 Sep 2005 11:30:12 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Antigen for Exchange and SMTP Rule Bypassing Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.sybari.com/> Antigen for Microsoft Exchange delivers
    comprehensive server-level antivirus protection with a unique, powerful
    multiple scan engine management approach and advanced content-filtering
    capabilities".

    By creating an email message with a specific subject, attackers can attach
    any file they wish, which under normal circumstances would be filtered by
    Antigen for Exchange and SMTP.

    DETAILS

    Vulnerable Systems:
     * Sybari Antigen version 8.0 SR2 for Exchange and SMTP

    Immune Systems:
     * Sybari Antigen version 8.00.1517 SR3 for Exchange and SMTP

    A vulnerability has been discovered in Antigen for Exchange/SMTP, which
    could potentially be exploited by malicious people to compromise a
    vulnerable system.

    The vulnerability is caused by the way Antigen processes its rules in
    handling SMTP messages. A message, containing the Subject line of:
    "Antigen forwarded attachment" can be exploited to cause Antigen to ignore
    custom filters allowing unwanted file attachments into the email system.
    This vulnerability does not disable or bypass virus scanning of
    attachments.

    Successful exploitation may allow an unwanted file type to be delivered
    into a user's email inbox.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:AlanM@gardnerweb.com> Alan
    Monaghan.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[REVS] Writing Small Shellcode In Windows"

    Relevant Pages