Home page logo
/

bugtraq logo Bugtraq mailing list archives

RE: SECURITY.NNOV: Bypassing content filtering software
From: "Aidan O'Kelly" <aidanokelly () oceanfree net>
Date: Mon, 18 Feb 2002 17:31:25 -0000

I was messing around with this kind of stuff a while back, theres a lot
of ways you can get past mail filtering systems, because most of them
wont emulate the exact behaviour of the e-mail clients, especaily if you
have multiple clients. Anyway, one of the most effective methods against
Outlook/Outlook express is to just name the file

eviltrojan."e"x"e 

Outlook/OE will just take the quotes out of the filename before its run.
I tested this on a couple mail filtering systems, and it will let the
file through.

I wrote a perl file to automagicly do it
http://packetstormsecurity.org/0107-exploits/attqt.pl

Of course most filtering systems will scan the file and recognize it as
a executable(PE) and disallow it(same goes for vbs/js files etc, they
usually look for very common VB or JS code) but Im sure they don't
recognize all executable content. (like .bat files?) (or encoded data as
mentioned in the advisrory)

One other thing, outlook/oe will sometimes give an attachment that has
no name a name, depending on the content-type, mostly all non-dangerous
types, ie if you have a wav attachment, but it has no filename (in the
MIME headers) but it has a content-type: audio/x-wav it will name it
ATT00xxx.wav
This will work with .hta files if you don't name them and give them
content-type=application/hta





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault