Bypassing Content Filtering Software exploit

Discussion in 'other security issues & news' started by Paul Wilders, Feb 21, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Summary
    Flaws in several e-mail filtering products allow encoded emails that contain malicious attachments to bypass the filtering engines. The following is an exploit code that can be used by administrators to test their system for the mentioned vulnerabilities.


    Details
    There are many ways you can get past mail filtering systems, because most of them will not emulate the exact behavior of the e-mail clients, especially if you have multiple clients. One of the most effective methods against Outlook/Outlook express is to just name the file

    eviltrojan."e"x"e

    Outlook/OE will just take the quotes out of the filename before it's executed.

    Of course, most filtering systems will scan the file and recognize it as an executable(PE) and disallow it (same goes for VBS/JS files etc, they usually look for very common VB or JS code) but it is pretty obvious that they do not recognize all executable content (Like .bat files?) (Alternatively, encoded data as mentioned in the advisory).

    One other thing, Outlook/OE will sometimes give an attachment that has no name a name, depending on the content-type, mostly all non-dangerous types. I.e. if you have a wav attachment, but it has no filename (in the MIME headers) but it has a content-type: audio/x-wav it will name it ATT00xxx.wav. This will work with .hta files if you don't name them and give them content-type=application/hta

    Exploit: (deleted - forum admin)

    ------

    source: www.securiteam.com
     
Loading...
Thread Status:
Not open for further replies.