[NT] MailMarshal SMTP MTA Content Filter Bypass



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



MailMarshal SMTP MTA Content Filter Bypass
------------------------------------------------------------------------


SUMMARY

"MailMarshal SMTP <http://www.marshal.com/pages/mailmarshalsmtp.asp> is a
total email security solution for business networks: combining anti-spam,
anti-virus and content security into a highly scalable and easily
manageable solution."

Lack of compressed-archive handling in the MailMarshal SMTP MTA allows
attackers to bypass content filtering and send executables to users.

DETAILS

Vulnerable Systems:
* MailMarshal SMTP MTA version 6.1

An active content filter bypass condition exists in MailMarshal's
handling of ACE archives.

MailMarshal SMTP Server does not unpack and analyse the content of ACE
archives, making it possible to circumvent any active content filter by
default. For example, by compressing an executable file within an ACE
archive it is possible to bypass the executable blocking content filters.
In short, any file that is blocked by a content filter can still be
successfully sent to a recipient (internal or external) from any source,
simply by compressing the file within an ACE archive.
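
The gap described above is a filter that passes a container it cannot open. The following is an added example, not part of the original advisory and not MailMarshal code: a fail-closed attachment policy that identifies containers by magic bytes and quarantines any archive it cannot unpack. The function names, verdict labels and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SIGNATURES = [(7, b"**ACE**", "ace"), (0, b"PK\x03\x04", "zip"), (0, b"MZ", "exe")]  # (offset, magic, kind)
RANK = {"pass": 0, "quarantine": 1, "block": 2}

def sniff(data):
    """Classify content by its magic bytes rather than by filename."""
    return next((k for off, sig, k in SIGNATURES if data[off:off + len(sig)] == sig), "other")

def verdict(data, depth=0):
    """Return 'block', 'quarantine' or 'pass' for one attachment body."""
    kind = sniff(data)
    if kind == "exe":
        return "block"
    if kind == "ace" or depth > 3:
        return "quarantine"  # no unpacker here, or nested too deep: fail closed
    if kind != "zip":
        return "pass"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [zf.read(name) for name in zf.namelist()]
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return "quarantine"  # damaged, encrypted or unsupported: not inspectable
    return max((verdict(m, depth + 1) for m in members), key=RANK.get, default="pass")

def scan_message(raw):
    """Map each attachment filename in a raw RFC 5322 message to a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {p.get_filename(): verdict(p.get_payload(decode=True))
            for p in msg.iter_attachments()}

def build_sample():
    """Constructed test message; the ACE part is a header stub, not a real archive."""
    fake_exe = b"MZ" + bytes(62)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", fake_exe)
    parts = {"tool.exe": fake_exe, "bundle.zip": buf.getvalue(),
             "invoice.ace": bytes(7) + b"**ACE**" + bytes(32), "notes.txt": b"hello"}
    msg = EmailMessage()
    msg.set_content("body")
    for name, data in parts.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return bytes(msg)

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The ZIP branch shows what unpacking buys: the executable inside bundle.zip is found and blocked, while the ACE attachment, which this code cannot open, is held rather than delivered.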

Vendor Status:
Marshal has stated that this is not a vulnerability within the product and
as such, no patches are available. However, Marshal has issued the
following workaround for the issue:

"Obtaining the external ACE unpacking utility:

1. download the following from WinACE:
<http://www.winace.com/files/ace26.exe>
2. double click ace26.exe, and enter "Y" in the command prompt that opens
to extract its contents
3. locate "unace32.exe" in the extracted files.
4. place "unace32.exe" in the MailMarshal installation directory on EACH
NODE in the array if they have multiples (default: C:\Program
Files\NetIQ\MailMarshal\)

Enabling the Unpacker to extract ACE contents:

1. open regedit on the Array Manager system, and navigate to
HKEY_LOCAL_MACHINE\Software\NetIQ\MailMarshal\
2. make note of whether the "Default" key is solely named "Default" or if
it is named "Default(1)"
3. download the attached registry file to the system where the Array
Manager resides
4. if the key noted in step 2 is "Default(1)", make this change
accordingly within the attached registry file
5. rename the attached file from "ACEunpack.rename" to "ACEUnpack.reg"
6. double click the newly created REG file to apply the changes to the
registry
7. commit configuration changes, and restart the MMController service on
each node of the array (thus restarting all dependent services as well,
most importantly the MMEngine)"

Disclosure Timeline:
Problem Discovered: 24 February 2006
Vendor Contacted: 24 February 2006
Advisory Published: 5 June 2006


ADDITIONAL INFORMATION

The information has been provided by IRM Advisories
<mailto:advisories@xxxxxxxxxx>.
The original article can be found at:
http://www.irmplc.com/advisory019.htm


