RE: E-Mail Content Filtering Systems.

From: Paul Rogers (paul.rogers@mis-cds.com)
Date: 07/20/01 

Message-ID: <A5EDA791B1C8D3119F8D006008CEC98F012C5CBF@itchy.miseurope.co.uk>
From: Paul Rogers <paul.rogers@mis-cds.com>
To: 'Aidan O'Kelly' <okelly@xnet.ie>, "VULN-DEV (E-mail)" <VULN-DEV@securityfocus.com>
Subject: RE: E-Mail Content Filtering Systems.
Date: Fri, 20 Jul 2001 11:44:13 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Aidan,

We found a similar issue in MailSweeper at the beginning of the year
and contacted Baltimore regarding this issue. They decided that is
wasn't a serious issue and begrudgingly released an advisory about it
on there website and classified it as a low risk issue. The advisory
on Baltimore's site can be found at:

http://www.contenttechnologies.com/support/technotes/notes/1102.asp

Our own advisory is below (I've modified the extension to v*b*s to
prevent it being blocked at the e-mail gateways). Attached is quick
'n' dirty PERL script I knocked together at the time (note the script
also has the v*b*s modification made to it).

Systems affected:
- -----------------

MAILsweeper 4.2.* (not tested other e-mail content filtering
systems).

Affected:
- ---------

Companies or organisations relying upon MAILsweeper or other email
content filtering systems, to protect themselves against viruses or
malicious attachments by blocking e-mails via attachment filename.

Vendor status:
- --------------

Content Technologies (MAILsweeper) - liased with the vendor to
provide a workaround and solution to the issue identified (15th
February - 9th March 2001).

Overview:
- ---------

A large number of organisations including many IT Security companies
utilise MAILsweeper by Content Technologies (now Baltimore) to
protect and prevent mailicious viruses and / or attachments from
entering their networks. However a situation has been brought to our
attention where a malicious user can bypass content filtering systems
in place.

When an administrator sets up fileblocking using a filter (File
Blocker), this restriction can be bypassed by malforming an e-mail
attachment header to trick the system into letting the e-mail through
to the user. This can lead to viruses and files that the
administrator would like to restrict, entering the network and
possibly leading to denial of service and data destruction scenarios.

No previously known issues were found to be present on the vendor's
website and security archives on the internet.

Issue:
- ------

When a user sends an e-mail to another user with an attachment, the
e-mail will include the mail headers, the body of the e-mail, the
attachment headers and the attachment (typically MIME encoded):

Return-Path: user_a@test.com
From: User A <user_a@test.com>
To: User B <user_b@test.com>
Subject: Fw: FYI
Date: Thurs, 22 Feb 2001 13:38:19 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.23)
Content-Type: multipart/mixed ;
boundary="----_=_NextPart_000_02D35B68.BA121FA3"
Status: RO

This message is in MIME format. Since your mail reader does not
understand
this format, some or all of this message may not be legible.

- ------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Just popping a note to say hi!

Cheers,

User B.

- ------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
        name="virus.v*b*s"
Content-Disposition: attachment;
        filename="virus.v*b*s"

' Test Virus
' Blah blah blah
' Do something devastating here!

- ------_=_NextPart_000_02D35B68.BA121FA3

You will see from the attachment headers at the end of the e-mail
that the filename of the attachment is defined twice. The issue that
allows a malicious e-mail to bypass Mailsweeper's File Blocking, is
the blocking agent only checks the first filename (set in the
Content-Type line) against the filter set up by an administrator and
therefore ignores the second filename (set in the Content-Disposition
line).

The Outlook e-mail client uses the second filename to define the name
of the attachment to open / run. Therefore it is possible to malform
an e-mail by changing the first filename definition to a valid type
that will not be stopped by Mailsweeper. If a File Blocking filter is
in place to block all attachments with filenames of *.vb*, the above
e-mail will be correctly and successfully blocked. However, if the
second e-mail is passed through the Mailsweeper system, it will not
be blocked and successfully delivered to the user (assuming .doc
files are also not being blocked).

Return-Path: user_a@test.com
From: User A <user_a@test.com>
To: User B <user_b@test.com>
Subject: Fw: FYI
Date: Thurs, 22 Feb 2001 13:38:19 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.23)
Content-Type: multipart/mixed ;
boundary="----_=_NextPart_000_02D35B68.BA121FA3"
Status: RO

This message is in MIME format. Since your mail reader does not
understand
this format, some or all of this message may not be legible.

- ------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain; charset="iso-8859-1"

Hi,

A note to say hi!

Cheers,

User B.

- ------_=_NextPart_000_02D35B68.BA121FA3
Content-Type: text/plain;
        name="test.doc"
Content-Disposition: attachment;
        filename="virus.v*b*s"

' Test Virus
' Blah blah blah
' Do something devastating here!

- ------_=_NextPart_000_02D35B68.BA121FA3

Workaround / Fix / Solution:
- ----------------------------

Baltimore has released a workaround and utility to help prevent this
issue from being exploited. Please use the "Data Type Manager" where
applicable and install the script.exe utility to check for malicious
threats (available from
http://www.contenttechnologies.com/download/extras/free_utilities.asp#
Script%20Tool).

Disclaimer:
- -----------

Nothing is 100% secure, the risk of being hacked / cracked is always
improbable, never impossible. This information is provided as is and
MIS-CDS do not take responsibility for use / re-use of information
provided above.

Cheers,

Paul Rogers,
Network Security Analyst.

MIS Corporate Defence Solutions Limited

Tel: +44 (0)1622 723422 (Direct Line)
                +44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/

> -----Original Message-----
> From: Aidan O'Kelly [mailto:okelly@xnet.ie]
> Sent: 19 July 2001 15:57
> To: VULN-DEV (E-mail)
> Subject: FW: E-Mail Content Filtering Systems.
>
>
** Aidan's mail snipped **

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.3

iQA/AwUBO1gNJ7nKcoQ5QY/3EQJVbwCfbzrzYmbVeHrf2uVeFz/2c+Fi8b0AnjS9
qAeBG7dT1HmwglPAA95ExW1a
=xZ1e
-----END PGP SIGNATURE-----
°

**********************************************************************
The information contained in this message or any of its attachments may be
privileged and confidential and intended for the exclusive use of the
addressee. If you are not the addressee any disclosure, reproduction,
distribution or other dissemination or use of this communications is
strictly prohibited.

The views expressed in this e-mail are those of the individual and not
necessarily of MIS Corporate Defence Solutions Ltd. Any prices quoted are
only valid if followed up by a formal written quote.

If you have received this transmission in error, please contact our Security
Manager on 44 (0) 1622 723400.
**********************************************************************