OE vulnerabilty

Discussion in 'other security issues & news' started by JacK, Sep 13, 2002.

Thread Status:
Not open for further replies.
  1. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hello,

    The following security advisory is sent to the securiteam mailing list, and can
    be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion



    Bypassing SMTP Content Protection with a Flick of a Button
    ------------------------------------------------------------------------


    SUMMARY

    Forget underground hacking tools. How about using Outlook Express as your
    attack platform?

    Beyond Security's SecurITeam has discovered a new method of bypassing many
    SMTP-based content filter engines.
    This discovery is alarming since it requires from the attacker nothing
    more than an Outlook Express client and employs a rarely-used feature
    called 'message fragmentation and re-assembly' that is available in
    Outlook Express. Using this feature, an attacker can send e-mails that
    will bypass most SMTP filtering engines including gateway Virus scanners,
    content filters, Firewalls that do SMTP checking, etc.

    DETAILS

    One of the least known features of Outlook Express allows Internet and
    Intranet users to split up sent messages. This allows slow connecting
    users to send smaller segments of a larger email in multiple emails,
    whereas the receiving client will automatically join them into a single
    message. This RFC documented feature called "Message Fragmentation and
    Reassembly" (RFC2046, section 5.2.2.1) allows anyone to bypass most of the
    security restrictions imposed on email messages, due to the fact that
    messages are spliced into smaller segments that will not be detected by
    virus scanners or other content testing mechanisms.

    Possibly affected:
    Any email filtering, virus checking, and content checking mechanism that
    is unable to assemble a fragmented email to its complete form.

    Technical details:
    The main idea behind the RFC 2046 message fragmentation is to enable users
    to send large files as several partial messages, while making it
    transparent to the recipient, who will receive a single message rather
    than multiple smaller files.

    Cheers,
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Nice catch, JacK.

    Outlook Express..no comment :rolleyes:.

    regards.

    paul
     
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I am still using it ! ;)


    Technodrome
     
  4. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Is there a fix or workaround that doesn't involve Linux or a Mac?
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    [copy]Workaround:
    It seems that by embedding email footer (company disclaimer, privacy note,
    etc) to each outgoing email traversing though the content filter it is
    possible to completely hamper the effective usage of this attack. However,
    since this is an RFC documented feature that may be used in Outlook
    Express for legitimate purposes, this legitimate usage will be hampered as
    well.
    [/copy]

    Not tried yet but I think with a decent AV, once you click on the reassembled file, it should react.

    Cheers
     
  6. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Oh well - at least I've now got a good reason to use a webmail account! Hotmail may not catch an emailed nasty but at least I'll receive it whole so that my own anti-nasties can check it out.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.