Re: NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass

From: Paul L Schmehl (pauls@utdallas.edu)
Date: 11/30/01


Date: Fri, 30 Nov 2001 16:17:24 -0600
From: Paul L Schmehl <pauls@utdallas.edu>
To: Joe Yandle <jwy@divisionbyzero.com>, Jari Helenius <jari.helenius@mawaron.com>

I'd be real interested to know how you determined that the boundary field
should be discarded. According to the RFC you referenced, folding involves
adding a LWSP-char after a CRLF. Are you assuming that was missing? And
if you are, what are you basing that assumption on?

More to the point, it isn't WebShield's job to correctly parse headers.
It's WebShield's job to detect and remove viral attachments. If an
incorrectly formed header is all it takes to bypass virus detection, then
the virus writers will be screwing up their headers before this message
gets cold.

This is most certainly a problem with WebShield, and NAI needs to fix it.
They should be parsing for:

Content-Type: audio/x-wav;
name="NEWS_DOC.DOC.scr"
Content-Transfer-Encoding: base64

base64 decoding the content between the boundary markers and scanning the
result to determine if it's viral.

After all, the idea behind a gateway scanner is to *protect* stupid email
clients, not pass the problem off to them.

--On Friday, November 30, 2001 1:35 AM -0800 Joe Yandle
<jwy@divisionbyzero.com> wrote:
>
> This is not a bug in NAI WebShield, but rather a bug in any email
> client which parses this as a valid MIME message. Read RFC 822,
> section 3.1.1, if you don't understand how to correctly fold
> email headers. Since the 'boundary' field should be discarded,
> this email cannot be parsed for MIME attachments, and thus
> logically does not contain the virus.

Paul L. Schmehl, pauls@utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
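As an added illustration of the point made above (not code from the thread or from NAI), the following Python shows why a gateway scanner has to unfold headers at least as leniently as the mail clients it protects: a strict RFC 822 parser discards the unfolded `boundary` line and sees no attachment at all, while a lenient parser recovers the base64 part so it can be scanned. The message and attachment bytes are constructed for the example.

```python
import base64
import re

# Constructed sample (not the thread's real BadTrans mail): both Content-Type
# headers continue on a second line WITHOUT the LWSP that RFC 822 3.1.1 requires.
PAYLOAD = b"constructed harmless attachment bytes"
SAMPLE = ("From: sender@example.invalid\r\nContent-Type: multipart/mixed;\r\n"
          'boundary="XYZ"\r\n\r\n--XYZ\r\nContent-Type: audio/x-wav;\r\n'
          'name="NEWS_DOC.DOC.scr"\r\nContent-Transfer-Encoding: base64\r\n\r\n'
          + base64.b64encode(PAYLOAD).decode() + "\r\n--XYZ--\r\n")

HEADER_START = re.compile(r"^[!-9;-~]+:")  # RFC 822 field-name followed by ':'
def parse_headers(block, lenient):
    """Return {lowercased name: value}. Strict mode unfolds only LWSP-led lines;
    lenient mode also glues on any line that cannot start a header (client-like)."""
    headers, current = {}, None
    for line in block.split("\r\n"):
        if not line:
            continue
        starts_header = HEADER_START.match(line) is not None
        folded = line[0] in " \t" or (lenient and not starts_header)
        if folded and current is not None:
            headers[current] += " " + line.strip()
        elif starts_header:
            name, value = line.split(":", 1)
            current = name.lower()
            headers[current] = value.strip()
    return headers

def param(header_value, key):
    # Pull key=value (optionally quoted) out of a Content-Type value.
    m = re.search(r'\b%s="?([^";]+)' % key, header_value, re.IGNORECASE)
    return m.group(1) if m else None

def extract_attachments(message, lenient):
    """Return [(name, decoded bytes)] as the scanner should see them before scanning."""
    head, _, body = message.partition("\r\n\r\n")
    boundary = param(parse_headers(head, lenient).get("content-type", ""), "boundary")
    if not boundary:
        return []                           # strict parse: boundary lost, nothing scanned
    found = []
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):           # closing delimiter
            break
        phead, _, pbody = part.strip("\r\n").partition("\r\n\r\n")
        ph = parse_headers(phead, lenient)
        data = pbody.encode()
        if ph.get("content-transfer-encoding", "").lower() == "base64":
            data = base64.b64decode(pbody)  # decode, then hand to the AV engine
        found.append((param(ph.get("content-type", ""), "name"), data))
    return found
```

`extract_attachments(SAMPLE, lenient=False)` returns an empty list, while `extract_attachments(SAMPLE, lenient=True)` returns the `NEWS_DOC.DOC.scr` part with its decoded bytes, which is what the gateway must scan.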


