9th Mar 2003 [SBWID-6049]
COMMAND
MAILsweeper MIME attachment evasion
SYSTEMS AFFECTED
Clearswift MAILsweeper 4.x
PROBLEM
-- Corsaire Security Advisory --
Title: Clearswift MAILsweeper MIME attachment evasion issue
Date: 03.03.03
Application: Clearswift MAILsweeper 4.x
Environment: Windows NT 4.0, Windows 2000,
Author: Martin O'Neal [[email protected]]
Audience: General distribution
-- Scope --
The aim of this document is to clearly define a MIME attachment evasion
issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1]
-- History --
Vendor notified: 03.03.03
Uncoordinated vendor advisory released: 05.03.03
Document released: 06.03.03
Unfortunately the release of this advisory has not followed a
particularly smooth path. The main reason for the rapid release schedule
is due to an uncoordinated and unattributed advisory from Clearswift,
released under their ThreatLab banner. Once this was made public, there
seemed little point in delaying publishing the Corsaire advisory.
For the record, the sole response we have had from Clearswift in regard
to this issue has been an apology from Pete Simpson (ThreatLab Manager)
for the unattributed release (received after we complained about the
omission). Other than this, no one from Clearswift has responded to the
original advisory, or any of the follow-up emails.
-- Overview --
The MAILsweeper product provides policy based, email content security
functionality. Part of this functionality allows the product to block
attachments based on their specific content type.
However, by using malformed MIME encapsulation techniques this
functionality can be evaded.
-- Analysis --
The attachment detection functionality works by recursively analysing
the email message body and attachments for container constructs (such
as MIME), decoding these and then comparing the contents against a
predefined policy.
If a deliberately malformed MIME encapsulation technique is used, then
the MAILsweeper product will not recognise the attachment and allows it
to pass unhindered.
However, not all client applications require strict standards
compliance and some will happily accept and process the malformed
attachment.
-- Proof of concept --
For this proof of concept, the MIME encapsulation is simply modified to
remove the MIME-Version header field. An example of an application that
will process a MIME construct that is malformed in this way is
Microsoft Internet Explorer.
Whilst RFC2045 states that all agents must include this field [2] it
then goes on to say that "In the absence of a MIME-Version field, a
receiving mail user agent (whether conforming to MIME requirements or
not) may optionally choose to interpret the body of the message
according to local conventions."
Step 1: On the MAILsweeper host create a new Data Type Manager with
only the Executable type selected. Save and restart the MAILsweeper
Security service.
Step 2: Now create a text file that will be used to hold the MIME
encoded attachment. Start notepad (or another text editor), and paste
in:
MIME-Version: 1.0
Content-Location:file:///executable.exe
Content-Transfer-Encoding: base64
TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/
/////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB
gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw
C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz
YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ
Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD
h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf
oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs
2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC
ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY
29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA=
Step 3: To reproduce this issue, send an email containing the
attachment created in step 2 that will be processed by the scenario
from step 1. This should result in a successful discovery condition.
Step 4: Reopen the attachment from step 2 and remove the first line
(MIME-Version: 1.0), then resend the attachment as per step 3. This
should result in the attachment not being spotted as an executable.
SOLUTION
-- Recommendations --
To be an effective tool, the MAILsweeper product must not only be able
to process encoding techniques implemented as per the relevant
standard, but also common misinterpretations.
As an ongoing process, a study project should be undertaken by
Clearswift to identify applications that routinely decode MIME objects
and have a liberal interpretation of the MIME standard.
In response to this advisory, Clearswift have produced an updated
script utility that can detect the malformed MIME header used in this
example [3]. This should be implemented until a more permanent solution
is forthcoming.
-- CVE --
The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0121 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
-- References --
[1] http://www.clearswift.com
[2] http://www.rfc.net/rfc2045.html#s4.
[3] http://www.clearswift.com/support/threatlab/vbstool.asp
-- Revision --
a. Initial release.
b. Minor revision.
c. Added CVE reference.
d. Added Clearswift script tool reference.
-- Distribution --
This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.
-- Disclaimer --
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.
Copyright 2003 Corsaire Limited. All rights reserved.
Update (26 March 2003)
======
Martin O'Neal adds :
As a follow to this, the vendor has now released a permanent fix for
the product, which can be downloaded from:
http://www.clearswift.com/download/SQL/downloadList.asp?productID=301