Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass
From: Gadi Evron <ge () linuxbox org>
Date: Thu, 7 Dec 2006 06:30:49 -0600 (CST)

On Wed, 6 Dec 2006, Hendrik Weimer wrote:
Several e-mail virus scanners can be tricked into passing an EICAR
test file if the following conditions are met:

1. the EICAR file is encoded in Base64 including characters not in the
   standard alphabet (e.g. whitespaces) and
2. the part containing the EICAR file is nested within one or several
   levels of multipart/mixed content.

Victor Duchovni agreed for me to post what he employs to avoid such
issues. This is in some ways similar to a limited application firewall for
SMTP, which is not spam specific and MIME only. Yes, I know, SMTP
application firewalls are the 4th buzzword down the road, give it a couple 
of years.

Victor's information:

I have a MIME normalizer in front of the A/V engine. Non-conformant
Base64 entities are made conformant or neutered (super-encoded via QP
so that the user receives the base64 text itself as the entity payload).

--------
    In:
            CT: application/octet-stream
            CD: attachment; filename=foo.dat
            CTE: base64

            AA AA

    Out:
            CT: application/octet-stream
            CD: attachment; filename=foo.dat
            CTE: base64

            AAAA
--------
    In:
            CT: application/octet-stream
            CD: attachment; filename=foo.dat
            CTE: base64

            AA<Ctrl-A>AA

    Out:
            CT: text/plain
            CD: attachment; filename=mime-source.txt
            CTE: quoted-printable

            =20AA=01AA
--------

Solves all such problems before the vulnerability is found in the
A/V engine.

The MIME normalizer does more, defending other possible
bypass scenarios, but I not able to describe the full feature-set
at this time. It was written and deployeed in Dec 1999.
--- End quote.

All the above is Viktor's.

        Gadi Evron.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault