Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Clearswift MAILsweeper Multiple Encoding/Compression Issues

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Clearswift MAILsweeper Multiple Encoding/Compression Issues
Date: 15 Aug 2004 14:07:13 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Clearswift MAILsweeper Multiple Encoding/Compression Issues
------------------------------------------------------------------------


SUMMARY

The MAILsweeper product provides policy based, email content security 
functionality. Part of this functionality allows the product to block 
attachments based on the type of content (i.e. executable) or name of the 
attachment.

Encoding and compression technology is now commonly used to make the 
transfer of data by email more efficient. Due to this, it is essential 
that a product such as MAILsweeper can detect and analyze the content 
contained within, or at least "fail closed" if a positive identification 
cannot be made.

However, MAILsweeper does not detect a number of common compression 
formats (for which it is listed as compatible) and in certain 
circumstances also fails to identify the name of file attachments when 
they are encoded.

DETAILS

Vulnerable Systems:
 * Clearswift MAILsweeper version 4.3.14 and prior

Immune Systems:
 * Clearswift MAILsweeper version 4.3.15 or newer

Analysis:
The MAILsweeper attachment detection functionality works by recursively 
analyzing the email message body for container constructs (such as MIME 
and compressed archives etc.), decoding these and then comparing the 
contents against a predefined policy.

The current product  
<http://www.clearswift.com/products/msw/smtp/techspec.asp> spec sheet 
lists that the product is compatible with "ARJ (including self-extracting 
ARJ), GZip, RAR, TAR, PGP, LZH, LHA, CMP, ZIP (multiple variants), BinHex 
and CAB, MIME, UUE, TNEF, and binary". This is a subset of the available 
compression formats, but does cover the majority of those in common use.

For analysis purposes, a collection of the freely available compression 
tools was assembled. A sample executable file was then added to each 
container type and then these were passed through a MAILsweeper host 
configured with the latest available patches (CS MAILsweeper 4.3 for SMTP 
Hotfix 4.3.10 and Technology Update 1.4.10).

The results were as per the following table. Where version information for 
the archive tool was available, it is listed:
Encoding           Listed    Detected Content   Detected filenames

7ZIP (2.30) ........ No ........... No ................ No 
ACE (2.2) .......... No ........... No ................ No 
ARC (6.0) .......... No ........... No ................ No 
ARJ (2.81) ......... Yes .......... Yes ............... Yes 
BH ................. No ........... No ................ No 
BASE64 ............. No ........... Yes ............... n/a 
Binary ............. Yes .......... Yes ............... n/a 
BINHEX ............. Yes .......... Yes ............... No 
BZIP2 (1.0.2) ...... No ........... No ................ No 
CAB ................ Yes .......... Yes ............... Yes
CMP ................ Yes .......... Not tested ........ Not tested 
COMPRESS (4.2.4) ... No ........... Yes ............... Yes 
GZIP (1.2.4) ....... Yes .......... Yes ............... Yes 
HAP (3.05) ......... No ........... No ................ No 
HPK (.78a0) ........ No ........... No ................ No 
IMG ................ No ........... No ................ No 
JAR ................ No ........... Yes ............... Yes 
LHA (2.55e) ........ Yes .......... Yes ............... Yes 
LZH (1.13c) ........ Yes .......... Yes ............... Yes 
MIME ............... Yes .......... Yes ............... Yes 
PAK (2.51) ......... No ........... No ................ No 
PGP ................ Yes .......... Yes ............... Yes 
RAR (2.90) ......... Yes .......... Yes ............... Yes 
RAR (3.20) ......... Yes .......... No ................ No 
RAWRITE (0.7) ...... No ........... No ................ No 
DOS TAR (1.12) ..... Yes .......... As Undetermined ... As Undetermined
UNIX TAR (1.13) .... Yes .......... As Undetermined ... As Undetermined
TNEF ............... Yes .......... Yes ............... Yes 
UUE ................ Yes .......... Yes ............... n/a 
ZIP (2.04g) ........ Yes .......... Yes ............... Yes 
ZIP (6.0d) ......... Yes .......... As Undetermined ... As Undetermined
ZOO (2.1) .......... No ........... No ................ No

Note: The CMP compression format was not analyzed as the tool appears to 
be available on the Mac only and a suitable platform was not on hand 
during testing.

In summary:

 - There are a significant number of common formats that are not detected 
by MAILsweeper (most notably the newer formats like 7ZIP and ACE).
 - The TAR format that is listed as compatible doesn't seem to be 
supported, producing a "corrupt" error for all versions tested.
 - Several formats that are listed as compatible are actually version 
dependent (RAR and ZIP).
 - The BinHex (HQX) format is detected but it does not expose the  
filenames contained within to scrutiny.

The MAILsweeper product works from a starting position of allowing all 
content to pass, then specifically blocking undesirable attachments. By 
virtue of the encoding formats not being detected, the container and the 
contents are passed through the system without being analyzed.

Recommendations:
Clearswift have released the 4.3.15 Hotfix that corrects these issues. 
This should be applied to all existing installations where appropriate.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0928> 
CAN-2003-0928,  
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0929> 
CAN-2003-0929 and  
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0930> 
CAN-2003-0930.

History:
Discovered: 07.08.03
Vendor notified verbally: 26.08.03
Vendor notified in writing: 05.11.03
Vendor patch released: 05.08.04
Document released: 13.08.04

As per the normal process for dealing with Clearswift, after months of 
requesting a status update on these issues (without any response), the 
patches for these vulnerabilities have been released without any 
discussion or coordination with ourselves, and as is becoming the norm, 
completely un-attributed.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:martin.oneal@corsaire.com> 
Martin O'Neal.
The original article can be found at:  
<http://www.corsaire.com/advisories/c030807-001.txt> 
http://www.corsaire.com/advisories/c030807-001.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Clearswift MAILsweeper Multiple Encoding/Compression Issues, SecuriTeam <=
Previous by Date:  [UNIX] Adobe Acrobat Reader (UNIX) Shell Metacharacter Code Execution Vulnerability, SecuriTeam
Next by Date:  [EXPL] AIM aim:goaway URI Handler Buffer Overflow Exploit, SecuriTeam
Previous by Thread:  [UNIX] Adobe Acrobat Reader (UNIX) Shell Metacharacter Code Execution Vulnerability, SecuriTeam
Next by Thread:  [EXPL] AIM aim:goaway URI Handler Buffer Overflow Exploit, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]