Bypassing SMTP Content Protection with a Flick of a Button
11 Sep. 2002
Forget underground hacking tools. How about using Outlook Express as your attack platform?
Beyond Security's SecurITeam has discovered a new method of bypassing many SMTP-based content filter engines.
This discovery is alarming because it requires nothing more from the attacker than an Outlook Express client, and it relies on a rarely used feature called 'message fragmentation and re-assembly' that is available in Outlook Express. Using this feature, an attacker can send e-mails that will bypass most SMTP filtering engines, including gateway virus scanners, content filters, firewalls that do SMTP checking, etc.
One of the least known features of Outlook Express allows Internet and Intranet users to split up sent messages. This lets users on slow connections send a large email as several smaller emails, which the receiving client automatically joins into a single message. This RFC-documented feature, called "Message Fragmentation and Reassembly" (RFC 2046, section 5.2.2.1), allows anyone to bypass most of the security restrictions imposed on email messages, because the messages are split into smaller segments that will not be detected by virus scanners or other content testing mechanisms.
Vulnerable systems: any email filtering, virus checking, or content checking mechanism that is unable to reassemble a fragmented email into its complete form.
This issue was assigned CAN-2002-1121.
The main idea behind the RFC 2046 message fragmentation is to enable users to send large files as several partial messages, while making it transparent to the recipient, who will receive a single message rather than multiple smaller files.
Fragmentation and Reassembly example:
If a binary attachment is broken into two pieces, the first piece might look something like this:
Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
Subject: First mail (part 1 of 2)
Content-type: message/partial; id="ABC@host.com"; number=1; total=2
Subject: Audio mail
And the second half might look something like this:
Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
Subject: Second mail (part 2 of 2)
Content-type: message/partial; id="ABC@host.com"; number=2; total=2
When the fragmented message is reassembled, the resulting message will look something like this:
Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
Since the emails traversing through the product are the first email and the second email, and not the completed form, any product looking for the phrase "VIRUS SIGNATURE" will fail to detect the virus, and the message will pass undetected. Similarly, if compressed files are involved, a product will try to decompress them in order to inspect their contents, but will be unable to do so since each email contains only a fragment of the compressed file.
Clients that support this feature with a "flick of a button" include Microsoft's Outlook Express, Microsoft Outlook 2000 (in 'Internet Only' mode), Gnus (an Emacs mail client) and the metamail package.
These mail clients support an option that allows fully transparent fragmentation and reassembly of messages. The reassembly feature is enabled in Outlook Express by default, while the fragmentation feature is not. Note though, that it can be easily enabled by going to: Tools -> Accounts -> Choose your email account -> Advanced -> Sending / Break apart messages larger than [...].
Anyone wishing to bypass SMTP filtering engines can use this method to bypass most types of content checking and deliver a payload to the end client without any trouble, whether it is a virus, a Trojan or a file type that is not allowed by the corporate policy.
It seems that adding an email footer (company disclaimer, privacy note, etc.) to each outgoing email traversing through the content filter completely hampers the effective use of this attack. However, since this is an RFC-documented feature that may be used in Outlook Express for legitimate purposes, this legitimate usage will be hampered as well.
A vendor solution to this vulnerability would be to include a reassembling agent at the server that will not allow any non-reassembled message to traverse through it.
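The reassembling agent suggested above, sketched as an added example (not code from the advisory or from any vendor): fragments are held until every part with the same id has arrived, the parts are joined in order, and only the complete message is scanned, including the nested case. The class and function names are hypothetical, the sample fragments are constructed, and rebuilding the outer headers as RFC 2046 describes is left out because the scanner only needs the enclosed message.

```python
from email.parser import HeaderParser

SIGNATURE = "VIRUS SIGNATURE"  # placeholder phrase used in the advisory text

# Constructed sample fragments (not real traffic): the phrase straddles the split.
HDR = 'Content-Type: message/partial; id="ABC@host.com"; '
PART1 = (HDR + 'number=1; total=2\n\n'
         'Subject: Audio mail\nContent-Type: text/plain\n\nharmless text VIRUS SIG')
PART2 = HDR + 'number=2; total=2\n\nNATURE more text\n'

class PartialReassembler:
    """Holds message/partial fragments, keyed by id, until a set is complete."""
    def __init__(self):
        self.pending = {}  # id -> {"parts": {number: body}, "total": int or None}

    def feed(self, raw):
        """Return complete message text, or None while fragments are missing."""
        msg = HeaderParser().parsestr(raw)  # headers only; body stays raw text
        if msg.get_content_type() != "message/partial":
            return raw
        frag_id, number = msg.get_param("id"), str(msg.get_param("number"))
        if not frag_id or not number.isdigit():
            raise ValueError("malformed message/partial: reject at the gateway")
        slot = self.pending.setdefault(frag_id, {"parts": {}, "total": None})
        slot["parts"][int(number)] = msg.get_payload()
        total = str(msg.get_param("total"))  # required only on the last fragment
        if total.isdigit():
            slot["total"] = int(total)
        n = slot["total"]
        if n is None or any(i not in slot["parts"] for i in range(1, n + 1)):
            return None
        del self.pending[frag_id]
        whole = "".join(slot["parts"][i] for i in range(1, n + 1))
        return self.feed(whole)  # nested case: the result may itself be a fragment

def gateway_verdicts(messages, signature=SIGNATURE):
    """Scan only complete messages; lone fragments are held, never forwarded."""
    reassembler, verdicts = PartialReassembler(), []
    for raw in messages:
        whole = reassembler.feed(raw)
        verdicts.append("held" if whole is None else
                        "blocked" if signature in whole else "clean")
    return verdicts

def naive_verdicts(messages, signature=SIGNATURE):
    """Per-message scan, as a filter without reassembly would do it."""
    return ["blocked" if signature in m else "clean" for m in messages]
```

A production gateway would also expire incomplete sets and cap their size, so that held fragments cannot exhaust memory.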
Vendor response - Check Point: Neither the latest 4.1 nor the latest NG versions of FW-1 are vulnerable to this problem. A few details follow:
1. FW-1 does not directly analyze the body of attachments. In that respect, the vulnerability is not applicable to FW-1.
2. FW-1 has the capability to easily filter these types of messages, by specifying "message/partial" in the "Strip MIME of type:" section of the resource definition.
3. FW-1 does serve as a platform for third party vendors to check attachments for viruses via the "CVP" OPSEC mechanism. When defining a CVP server, a message box is presented to the administrator (when approving the resource) that says:
"When CVP server is used it is recommended to strip MIME of type 'message/partial'. Do you want to add 'message/partial'?"
Pressing "Yes" will automatically add 'message/partial' to the appropriate place in the resource definition.
We therefore believe it is safe to say that not only are we not vulnerable to this problem ourselves, we also protect 3rd party OPSEC partners from falling for this pitfall.
Vendor response - GFI:
GFI MailSecurity for Exchange/SMTP 7.2 has been updated to detect this exploit as "fragmented message" through its email exploit detection engine and quarantines it at server level.
Vendor response - Symantec: Symantec has been aware for some time of the potential malicious use of this email feature. As a result, all currently supported Symantec gateway products, by default, block multi-part MIME messages at the gateway. While this is a configurable feature of Symantec gateway products and can be enabled if multi-part email is required, the rejection of segmented messages should be a part of a company's comprehensive security policy to restrict potentially harmful content from the internal network.
Additionally, should known malicious code be delivered to a client computer in this manner, the Symantec and Norton AntiVirus scanning products will detect it when it is reassembled and downloaded to the client computer and/or during attempted execution on the targeted computer. As always, if previously unknown malicious code is being distributed in this manner, Symantec Security Response will react and send updated virus definitions via LiveUpdate to detect the new threat.
Vendor response - TrendMicro: We have confirmed that our product InterScan VirusWall 3.5x for NT is affected by the vulnerability mentioned by Beyond Security Ltd. regarding fragmented e-mails. In order to resolve this problem, we have released a patch in order to address this particular concern for InterScan VirusWall for NT. The said patch can be downloaded from the following FTP server: ftp://ftp-download.trendmicro.com.ph/Gateway/ISNT/3.52/
The said hotfix is named:
The hotfix mentioned above contains a Readme file which should include the necessary instructions on how to apply the patch.
Our other mail gateway product, InterScan MSS v5.01 is not affected by this vulnerability provided that you apply the latest hotfixes which can be downloaded from our website at: www.antivirus.com/download
Vendor response - SonicWALL:
We could not assert whether SonicWALL is vulnerable to this attack and were unable to receive a response from SonicWALL despite several contact attempts.
Vendor response - Cisco:
The following response was received from Cisco's security contact on September 1st: We are still working on this issue, and I do not have the latest information. We will follow up in a few days.
Vendor response - Finjan Software: Finjan Software products are not vulnerable.
SurfinGate for E-Mail reassembles fragmented messages, and then performs security analysis and applies content management rules.
SurfinShield is installed on end users machines. It gets the reassembled message from the E-Mail client, and proactively monitors the behavior of active content included or attached to the E-Mail message.
Vendor response - NAI:
WebShield e250/e500 appliance (all versions)
All the individual parts of the fragmented MIME messages are scanned. The first part will be passed through if no evidence of a virus infection is found. Subsequent parts are discarded whether infected or not.
WebShield Solaris v4.1
Behaves as WebShield e250/e500 appliances (above)
WebShield SMTP 4.5 MR1a
WebShield SMTP will scan and pass fragmented MIME messages, and is therefore vulnerable to this threat. McAfee are working on a hotfix, scheduled for release at the beginning of October, that will enable the customer to choose to block multi-part MIME messages.
Security Solutions for customers using WebShield SMTP MR1a
Customers who use Outlook Express email clients and are concerned about this issue are advised that they should ensure that they utilize a multi-tiered virus protection strategy. McAfee VirusScan can be used to protect Outlook Express user systems; if any infected messages are opened by a Microsoft Outlook Express user, then VirusScan will immediately detect the malicious code and provide protection.
Vendor response - Marshal Software:
MailMarshal is vulnerable to this attack, unless executable files are configured to be blocked and thus the first fragment will be blocked and the message will be invalid. Further protection could be achieved by using MailMarshal to block all headers with the following entry:
> Content-Type: message/partial; <
The main risk, as I see it, is if you allow executables through, then your virus scanner will not have a complete executable to scan at the mail gateway. However this is overcome by blocking the header field as described above - this blocks these partial messages outright.
Vendor response - MicroWorld Technologies: MicroWorld is aware of the vulnerability with respect to its eScan and MailScan products.
The issue has been resolved and a patch will soon be put up on our web site for the following product areas:
eScan for Windows
MailScan for SMTP Servers
MailScan for Mail Servers.
Vendor response - PineApp Mail-SeCure: PineApp Mail-SeCure identifies fragmented messages, merges the parts and then applies policy as well as scans for viruses, spam checking, etc.
The mail is processed only when all the parts make up the full message. Mail-SeCure is able to identify nested fragmented messages and handle them as well.
About the nested issue: you can receive a message split in 3 parts, merge the parts, and then find out the merged one is part 2 of 5 of another split message. Very dangerous though: you must check the merged message all over again. Mail-SeCure detects the nesting (like zip in zip) and protects your network from being affected by this exploit.
Vendor response - Alt-N Technologies' MDaemon:
Outlook Express has the ability to split messages with attachments over a certain size, and have them reconstructed on the recipient side.
With an attachment broken up it is, at this time, impossible for MDAV or any other AV software that works with MDaemon to detect a virus in the attachments.
Under Setup | Content Filter you can create a rule that will remove these potentially malicious attachments (this is for MDaemon 6.0 and higher):
1) Create a new rule
2) Name the rule "strip message/partial"
3) For 'Select conditions for this rule', use "if the message has an attachment with a CONTENT-TYPE of..."
4) Click the 'specific content-type' and type in: message/partial
5) For 'Select actions for this rule', select "Copy Message to Folder".
6) For 'specify information', enter "c:\mdaemon\badmsgs\partial" or the other destination you'd like to use for such mail
7) For 'Select actions for this rule' select "Strip all attachments".
Vendor response - Praetor: Praetor is not vulnerable to this attack. Using the default settings, Praetor will quarantine the first fragment that contains the attachment declaration; the remaining fragments are passed. Thus with the first fragment missing, re-assembly of the original malicious content will be prevented.
It is important to note that Praetor blocks only by content-type or attachment name filtering rather than virus signature.
We have received a response from CERT indicating that they have informed several vendors about the issue, but were unable to receive an updated status in the last few weeks. CERT is tracking this issue as VU#836088.