JacK
September 13th, 2002, 07:41 AM
Hello,
The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
Bypassing SMTP Content Protection with a Flick of a Button
------------------------------------------------------------------------
SUMMARY
Forget underground hacking tools. How about using Outlook Express as your
attack platform?
Beyond Security's SecurITeam has discovered a new method of bypassing many
SMTP-based content filter engines.
This discovery is alarming since it requires from the attacker nothing
more than an Outlook Express client and employs a rarely-used feature
called 'message fragmentation and re-assembly' that is available in
Outlook Express. Using this feature, an attacker can send e-mails that
will bypass most SMTP filtering engines including gateway virus scanners,
content filters, firewalls that do SMTP checking, etc.
DETAILS
One of the least known features of Outlook Express allows Internet and
Intranet users to split up sent messages. This allows slow connecting
users to send smaller segments of a larger email in multiple emails,
whereas the receiving client will automatically join them into a single
message. This RFC-documented feature, called "Message Fragmentation and
Reassembly" (RFC 2046, section 5.2.2.1), allows anyone to bypass most of the
security restrictions imposed on email messages, due to the fact that
messages are spliced into smaller segments that will not be detected by
virus scanners or other content testing mechanisms.
Possibly affected:
Any email filtering, virus checking, and content checking mechanism that
is unable to assemble a fragmented email to its complete form.
Technical details:
The main idea behind the RFC 2046 message fragmentation is to enable users
to send large files as several partial messages, while making it
transparent to the recipient, who will receive a single message rather
than multiple smaller files.
Cheers,
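
An added example (not part of the advisory or of any product it mentions): a gateway-side check that groups message/partial fragments by their id parameter, reassembles them in number order and scans the joined body, which is the step the advisory says affected filters lack. The signature string, the sample fragments and all function names are constructed for illustration, and the reassembly is simplified to body concatenation without the RFC's header-merging rules.

```python
from collections import defaultdict
from email.parser import HeaderParser

SIGNATURE = "BLOCKED-TEST-MARKER"  # constructed stand-in for a filter signature

def scan(text):
    """Hypothetical content check: True when the signature is present."""
    return SIGNATURE in text

def per_fragment(raw_messages):
    """What a filter sees when it scans each fragment on its own."""
    return [scan(HeaderParser().parsestr(m).get_payload()) for m in raw_messages]

def collect(raw_messages):
    """Group message/partial bodies: parts[id][number] = body, totals[id] = total."""
    parts, totals = defaultdict(dict), {}
    for raw in raw_messages:
        msg = HeaderParser().parsestr(raw)  # headers only; body kept verbatim
        if msg.get_content_type() != "message/partial":
            continue
        frag_id = msg.get_param("id")
        number, total = str(msg.get_param("number")), str(msg.get_param("total"))
        if not frag_id or not number.isdigit():
            continue  # malformed fragment: a real gateway should quarantine it
        parts[frag_id][int(number)] = msg.get_payload()
        if total.isdigit():  # total is only mandatory on the last fragment
            totals[frag_id] = int(total)
    return parts, totals

def inspect(raw_messages):
    """Scan reassembled bodies; report ids whose fragment set is incomplete."""
    parts, totals = collect(raw_messages)
    verdict = {"blocked": [], "clean": [], "pending": []}
    for frag_id, got in parts.items():
        total = totals.get(frag_id)
        if not total or set(got) != set(range(1, total + 1)):
            verdict["pending"].append(frag_id)  # hold until the set is complete
            continue
        body = "".join(got[n] for n in range(1, total + 1))
        verdict["blocked" if scan(body) else "clean"].append(frag_id)
    return verdict

def sample(number, body, frag_id="demo-1@example.test"):
    """Constructed fragment for the demonstration (not captured traffic)."""
    return (f'From: a@example.test\nTo: b@example.test\n'
            f'Content-Type: message/partial; id="{frag_id}"; number={number}; total=2\n\n{body}')

SAMPLES = [sample(1, "Subject: report\n\nintro BLOCKED-TE"), sample(2, "ST-MARKER outro\n")]

if __name__ == "__main__":
    print(per_fragment(SAMPLES), inspect(SAMPLES), inspect(SAMPLES[:1]))
```

Fragments reported as pending are the ones a gateway has to hold or reject, since delivering them unscanned leaves reassembly to the recipient's mail client.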