ID CVE-2003-0121 Type cve Reporter NVD Modified 2016-10-17T22:29:45
Description
Clearswift MAILsweeper 4.x allows remote attackers to bypass attachment detection via an attachment that does not specify a MIME-Version header field, which is processed by some mail clients.
{"securityvulns": [{"lastseen": "2018-08-31T11:10:07", "references": [], "description": "\r\n\r\n-- Corsaire Security Advisory --\r\n\r\nTitle: Clearswift MAILsweeper MIME attachment evasion issue\r\nDate: 03.03.03\r\nApplication: Clearswift MAILsweeper 4.x\r\nEnvironment: Windows NT 4.0, Windows 2000, \r\nAuthor: Martin O'Neal [martin.oneal@corsaire.com]\r\nAudience: General distribution\r\n\r\n\r\n-- Scope --\r\n\r\nThe aim of this document is to clearly define a MIME attachment evasion \r\nissue in the MAILsweeper product, as supplied by Clearswift Ltd. [1] \r\n\r\n\r\n-- History --\r\n\r\nVendor notified: 03.03.03 \r\nUncoordinated vendor advisory released: 05.03.03\r\nDocument released: 06.03.03\r\n\r\nUnfortunately the release of this advisory has not followed a \r\nparticularly smooth path. The main reason for the rapid release schedule \r\nis due to an uncoordinated and unattributed advisory from Clearswift, \r\nreleased under their ThreatLab banner. Once this was made public, there \r\nseemed little point in delaying publishing the Corsaire advisory.\r\n\r\nFor the record, the sole response we have had from Clearswift in regard \r\nto this issue has been an apology from Pete Simpson (ThreatLab Manager) \r\nfor the unattributed release (received after we complained about the \r\nomission). Other than this, no one from Clearswift has responded to the \r\noriginal advisory, or any of the follow-up emails.\r\n\r\n\r\n-- Overview --\r\n\r\nThe MAILsweeper product provides policy based, email content security \r\nfunctionality. Part of this functionality allows the product to block \r\nattachments based on their specific content type.\r\n\r\nHowever, by using malformed MIME encapsulation techniques this \r\nfunctionality can be evaded.\r\n\r\n\r\n-- Analysis --\r\n\r\nThe attachment detection functionality works by recursively analysing \r\nthe email message body and attachments for container constructs (such as \r\nMIME), decoding these and then comparing the contents against a \r\npredefined policy.\r\n\r\nIf a deliberately malformed MIME encapsulation technique is used, then \r\nthe MAILsweeper product will not recognise the attachment and allows it \r\nto pass unhindered. \r\n\r\nHowever, not all client applications require strict standards compliance \r\nand some will happily accept and process the malformed attachment. \r\n\r\n\r\n-- Proof of concept --\r\n\r\nFor this proof of concept, the MIME encapsulation is simply modified to \r\nremove the MIME-Version header field. An example of an application that \r\nwill process a MIME construct that is malformed in this way is Microsoft \r\nInternet Explorer.\r\n\r\nWhilst RFC2045 states that all agents must include this field [2] it \r\nthen goes on to say that "In the absence of a MIME-Version field, a \r\nreceiving mail user agent (whether conforming to MIME requirements or \r\nnot) may optionally choose to interpret the body of the message \r\naccording to local conventions."\r\n\r\nStep 1: On the MAILsweeper host create a new Data Type Manager with only \r\nthe Executable type selected. Save and restart the MAILsweeper Security \r\nservice.\r\n\r\nStep 2: Now create a text file that will be used to hold the MIME \r\nencoded attachment. Start notepad (or another text editor), and paste \r\nin:\r\n\r\n MIME-Version: 1.0\r\n Content-Location:file:///executable.exe\r\n Content-Transfer-Encoding: base64\r\n\r\n TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/\r\n /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB\r\n gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw\r\n C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz\r\n YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ\r\n Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD\r\n h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf\r\n oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs\r\n 2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC\r\n ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY\r\n 29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n AAAAAAAAA=\r\n\r\nStep 3: To reproduce this issue, send an email containing the attachment \r\ncreated in step 2 that will be processed by the scenario from step 1. \r\nThis should result in a successful discovery condition. \r\n\r\nStep 4: Reopen the attachment from step 2 and remove the first line \r\n(MIME-Version: 1.0), then resend the attachment as per step 3. This \r\nshould result in the attachment not being spotted as an executable.\r\n\r\n\r\n-- Recommendations --\r\n\r\nTo be an effective tool, the MAILsweeper product must not only be able \r\nto process encoding techniques implemented as per the relevant standard, \r\nbut also common misinterpretations.\r\n\r\nAs an ongoing process, a study project should be undertaken by \r\nClearswift to identify applications that routinely decode MIME objects \r\nand have a liberal interpretation of the MIME standard. \r\n\r\nIn response to this advisory, Clearswift have produced an updated script \r\nutility that can detect the malformed MIME header used in this example \r\n[3]. This should be implemented until a more permanent solution is \r\nforthcoming.\r\n\r\n\r\n-- CVE --\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned\r\nthe name CAN-2003-0121 to this issue. This is a candidate for\r\ninclusion in the CVE list (http://cve.mitre.org), which standardizes\r\nnames for security problems.\r\n\r\n\r\n-- References --\r\n\r\n[1] http://www.clearswift.com\r\n[2] http://www.rfc.net/rfc2045.html#s4.\r\n[3] http://www.clearswift.com/support/threatlab/vbstool.asp\r\n\r\n\r\n-- Revision --\r\n\r\na. Initial release.\r\nb. Minor revision.\r\nc. Added CVE reference.\r\nd. Added Clearswift script tool reference.\r\n\r\n\r\n-- Distribution --\r\n\r\nThis security advisory may be freely distributed, provided that it \r\nremains unaltered and in its original form. \r\n\r\n\r\n-- Disclaimer --\r\n\r\nThe information contained within this advisory is supplied "as-is" with \r\nno warranties or guarantees of fitness of use or otherwise. Corsaire \r\naccepts no responsibility for any damage caused by the use or misuse of \r\nthis information.\r\n\r\n\r\nCopyright 2003 Corsaire Limited. All rights reserved. \r\n", "edition": 1, "reporter": "Securityvulns", "published": "2003-03-09T00:00:00", "title": "Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:07", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2003-0121"], "modified": "2003-03-09T00:00:00", "id": "SECURITYVULNS:DOC:4175", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4175", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:03", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\n[CVE-2003-0121](https://vulners.com/cve/CVE-2003-0121)\n", "reporter": "OSVDB", "published": "2003-03-07T00:00:00", "type": "osvdb", "title": "MAILsweeper Missing MIME-Version Scan Bypass", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2003-0121"], "modified": "2003-03-07T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8810", "id": "OSVDB:8810", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T18:31:43", "osvdbidlist": ["8810"], "references": [], "edition": 1, "description": "Clearswift MailSweeper 4.x Malformed MIME Attachment Filter Bypass Vulnerability. CVE-2003-0121. Remote exploit for windows platform", "reporter": "http-equiv", "published": "2003-03-07T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "exploitdb", "title": "Clearswift MailSweeper 4.x Malformed MIME Attachment Filter Bypass Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0121"], "modified": "2003-03-07T00:00:00", "id": "EDB-ID:22338", "href": "https://www.exploit-db.com/exploits/22338/", "sourceData": "source: http://www.securityfocus.com/bid/7044/info\r\n\r\nClearswift MailSweeper does not properly process certain malformed MIME email message attachments. If the attachment does not contain a MIME-Version field, MailSweeper does not recognize the attachment as being an executable type. MailSweeper allows such attachments through, even if it is set to filter executable type file attachments from incoming email messages.\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/22338.zip", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22338/"}]}
