[23308] in bugtraq
NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass]
daemon@ATHENA.MIT.EDU (Jari Helenius)
Thu Nov 29 13:56:01 2001
Message-ID: <3C063D28.7090800@mawaron.com>
Date: Thu, 29 Nov 2001 15:50:32 +0200
From: Jari Helenius <jari.helenius@mawaron.com>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Reported to NAI first time 26.11.2001, again 27.11.2001 and every day
after that.
NAI response is at the end of this mail.
NAI WebShield SMTP for NT 4.5mr1a passes (at least in some
configurations) attachments
through without virus check or content filter check based on attachment
name. One such attachment is BadTrans virus.
ENVIROMENT
WinNT4srv, sp6a, secrollup + few other hotfix, WebShield for NT 4.5 or
4.5mr1a
this can be reproduced with fresh installation.
DESCRIPTION
Main problem is that mail (send by virus) containing BadTrans.b virus
will pass WebShield. Forwarding same mail outside will result positive
identification of BadTrans virus. If WebShield has content filter saying
all messages that has scr (or pif) in attachment name has to be blocked,
this rule does not apply either.
It seems that NAI WebShield SMTP for NT can't handle all mime headers
properly. One example is below. WebShield can't parse this and it does
not realize that message has attachment. And because it does not realize
there is attachment it won't check it for viruses or against attachment
name.
----SNIP----
Received: FROM xxx.xxx.xxx BY xxx.xxx.xxx ; Mon Nov 26 20:36:21 2001 +0200
Received: from xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:35428 "EHLO
xxx.xxx.xxx") by xxx.xxx.xxx with ESMTP id ;
Mon, 26 Nov 2001 16:01:32 +0200
Received: from xxx.xxx (xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx])
by xxx.xxx.xxx (8.11.4/8.11.2) with SMTP id fAQE1Rc16568
for ; Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Date: Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Message-Id: <200111261401.fAQE1Rc16568@xxx.xxx.xxx>
From: "BadMail"
To: j.doe@example.com
Subject: Re: CV
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
-------- Original Message --------
From: - Thu Nov 29 15:09:24 2001
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
BCC: "jari.helenius" <jari.helenius@kolumbus.fi>
Message-ID: <3C063383.5090508@mawaron.com>
Date: Thu, 29 Nov 2001 15:09:23 +0200
From: Jari Helenius <jari.helenius@mawaron.com>
Organization: Mawaron Oy
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18)
Gecko/20001108 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: vuldb@securityfocus.com
Subject: NAI Webshield SMTP for WinNT MIME header vuln that allows
BadTrans to pass
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="NEWS_DOC.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID:
*****ATTACHMENT REMOVED******
--====_ABC1234567890DEF_====
----SNIP----
FIXAROUND
Adding rule in content filter that says if you find mail containing
audio/x-wav
in body of message will stop those messages.
Virus is still not found, but messages will be blocked.
This will block also all other messages with audio/x-wav in text and all
messages that has mime header that WebShield does not understand.
OTHER INFORMATION
Needless to say, yes we have latest dat, latest engine, compress checks, all
heuristic on and so on...
It is sad to find out that AV vendor does not care problems they have.
In the other hand, what else can be expected from company that have
following policy.
If we find problems in our products or if we have hotfix,
we will not inform anyone what we have nor put these fixes available
(not even readme:s).
If a customer can describe problem that we have already fixed, we might
send fix to them if we are in good mood.
:-)
Yours
Jari Helenius
Mawaron Oy
jari.helenius@mawaron.com
NAI response and snip of my mail that they responded
NAI RESPONSE
---SNIP---
Dear Jari,
Thank you for the sample. We have determined that this is a known virus
which can be detected and removed.
There may be a problem with WebShield catching this virus.
The first thing we would suggest is to upgrade to 4173 DAT which has
improved detection capability.
If this doesn't help, we recommend that you get in touch with Technical
Support as this is a product issue and it does need to be addressed and
investigated.
The address to send this kind of issues to is: tech-support-europe@nai.com
---SNIP---
Part of my mail they responded to
---SNIP---
I know that this virus can be identified and removed with current dat.
(we are using WebShield SMTP 4.5mr1a with latest dat and engine and all
heuristic all attachments and compact options). If I forward received
mail that has this virus it will be found.
Problem is that Webshield does not recognize that mail has attachment.
It does not check it; it does not catch it in content filter. And if it
does not recognize that mail has attachment it does not stop this mail.
We have verified 12 passed viruses (all with similar headers), 5
deferred mails (when we stopped mail inside of our network and did let
webshield check incoming mails, sample was one of those mails.
---SNIP---
