Bypassing Content Filtering Software exploit

Summary
Flaws in several e-mail filtering products allow encoded emails that contain malicious attachments to bypass the filtering engines. The following is an exploit code that can be used by administrators to test their system for the mentioned vulnerabilities.


Details
There are many ways you can get past mail filtering systems, because most of them will not emulate the exact behavior of the e-mail clients, especially if you have multiple clients. One of the most effective methods against Outlook/Outlook express is to just name the file

eviltrojan."e"x"e

Outlook/OE will just take the quotes out of the filename before it's executed.

Of course, most filtering systems will scan the file and recognize it as an executable(PE) and disallow it (same goes for VBS/JS files etc, they usually look for very common VB or JS code) but it is pretty obvious that they do not recognize all executable content (Like .bat files?) (Alternatively, encoded data as mentioned in the advisory).

One other thing, Outlook/OE will sometimes give an attachment that has no name a name, depending on the content-type, mostly all non-dangerous types. I.e. if you have a wav attachment, but it has no filename (in the MIME headers) but it has a content-type: audio/x-wav it will name it ATT00xxx.wav. This will work with .hta files if you don't name them and give them content-type=application/hta

Exploit: (deleted - forum admin)

------

source: www.securiteam.com