OE vulnerabilty

Hello,

The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion



Bypassing SMTP Content Protection with a Flick of a Button
------------------------------------------------------------------------


SUMMARY

Forget underground hacking tools. How about using Outlook Express as your
attack platform?

Beyond Security's SecurITeam has discovered a new method of bypassing many
SMTP-based content filter engines.
This discovery is alarming since it requires from the attacker nothing
more than an Outlook Express client and employs a rarely-used feature
called 'message fragmentation and re-assembly' that is available in
Outlook Express. Using this feature, an attacker can send e-mails that
will bypass most SMTP filtering engines including gateway Virus scanners,
content filters, Firewalls that do SMTP checking, etc.

DETAILS

One of the least known features of Outlook Express allows Internet and
Intranet users to split up sent messages. This allows slow connecting
users to send smaller segments of a larger email in multiple emails,
whereas the receiving client will automatically join them into a single
message. This RFC documented feature called "Message Fragmentation and
Reassembly" (RFC2046, section 5.2.2.1) allows anyone to bypass most of the
security restrictions imposed on email messages, due to the fact that
messages are spliced into smaller segments that will not be detected by
virus scanners or other content testing mechanisms.

Possibly affected:
Any email filtering, virus checking, and content checking mechanism that
is unable to assemble a fragmented email to its complete form.

Technical details:
The main idea behind the RFC 2046 message fragmentation is to enable users
to send large files as several partial messages, while making it
transparent to the recipient, who will receive a single message rather
than multiple smaller files.

Cheers,

 

I am still using it !


Technodrome

 

Is there a fix or workaround that doesn't involve Linux or a Mac?

 

[copy]Workaround:
It seems that by embedding email footer (company disclaimer, privacy note,
etc) to each outgoing email traversing though the content filter it is
possible to completely hamper the effective usage of this attack. However,
since this is an RFC documented feature that may be used in Outlook
Express for legitimate purposes, this legitimate usage will be hampered as
well.
[/copy]

Not tried yet but I think with a decent AV, once you click on the reassembled file, it should react.

Cheers

 

Oh well - at least I've now got a good reason to use a webmail account! Hotmail may not catch an emailed nasty but at least I'll receive it whole so that my own anti-nasties can check it out.