COMMAND

	
		Bypassing SMTP Content Protection with Outlook
	
	

SYSTEMS AFFECTED

	
		Possibly affected:
		

		Any email filtering, virus  checking,  and  content  checking  mechanism
		that is unable to assemble a fragmented email to its complete form.
	
	

PROBLEM

	
		Forget underground hacking tools. How about  using  Outlook  Express  as
		your attack platform?
		

		Beyond Security's SecurITeam has discovered a new  method  of  bypassing
		many SMTP-based content  filter  engines.  This  discovery  is  alarming
		since it requires  from  the  attacker  nothing  more  than  an  Outlook
		Express  client  and  employs  a  rarely-used  feature  called  'message
		fragmentation and re-assembly' that is  available  in  Outlook  Express.
		Using this feature, an attacker can send e-mails that will  bypass  most
		SMTP  filtering  engines  including  gateway  Virus  scanners,   content
		filters, Firewalls that do SMTP checking, etc.
		

		DETAILS
		

		One of the least known features of Outlook Express allows  Internet  and
		Intranet users to split up sent messages. This  allows  slow  connecting
		users to send smaller segments of a larger  email  in  multiple  emails,
		whereas the receiving client will automatically join them into a  single
		message. This RFC documented feature called "Message  Fragmentation  and
		Reassembly" (RFC2046, section 5.2.2.1) allows anyone to bypass  most  of
		the security restrictions imposed on email messages,  due  to  the  fact
		that messages are  spliced  into  smaller  segments  that  will  not  be
		detected by virus scanners or other content testing mechanisms.
		

		Technical details:
		

		The main idea behind the RFC 2046 message  fragmentation  is  to  enable
		users to send large files as several partial messages, while  making  it
		transparent to the recipient, who will receive a single  message  rather
		than multiple smaller files.
		

		Fragmentation and Reassembly example: If a binary attachment  is  broken
		into two pieces, the first piece might look something like this:
		

		     X-Weird-Header-1: Foo

		     From: Bill@host.com

		     To: joe@otherhost.com

		     Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)

		     Subject: First mail (part 1 of 2)

		     Message-ID: 

		     MIME-Version: 1.0

		     Content-type: message/partial; id="ABC@host.com";

		                   number=1; total=2

		

		     X-Weird-Header-1: Bar

		     X-Weird-Header-2: Hello

		     Message-ID: 

		     Subject: Audio mail

		     MIME-Version: 1.0

		     Content-type: application/binary

		     Content-transfer-encoding: base64

		

		       VIRUS

		

		And the second half might look something like this:
		

		     From: Bill@host.com

		     To: joe@otherhost.com

		     Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)

		     Subject: Second mail (part 2 of 2)

		     MIME-Version: 1.0

		     Message-ID: 

		     Content-type: message/partial;

		                   id="ABC@host.com"; number=2; total=2

		

		       SIGNATURE

		

		When the fragmented message is reassembled, the resulting  message  will
		look something of the sorts of:
		

		     X-Weird-Header-1: Foo

		     From: Bill@host.com

		     To: joe@otherhost.com

		     Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)

		     Subject: Mail

		     Message-ID: 

		     MIME-Version: 1.0

		     Content-type: application/binary

		     Content-transfer-encoding: base64

		

		       VIRUS

		       SIGNATURE

		

		Since the emails traversing though the product will be the  first  email
		and the second email, and not the completed form,  any  product  looking
		for the phrase "VIRUS SIGNATURE" will fail to detect the Virus, and  the
		message  will  pass  undetected.  Similarly,  if  compressed  files  are
		involved, a product will try to decompress them in order  to  look  into
		its content, but will be unable to do so since each email contains  only
		a fragment of the compressed file.
		

		So far, the only client that we found to support  this  feature  with  a
		"flick of a button" is Microsoft's Outlook  Express.  This  mail  client
		supports an option  that  allows  fully  transparent  fragmentation  and
		reassembly of messages. The reassembly feature is  enabled  by  default,
		while the fragmentation feature is not. Note  though,  that  it  can  be
		easily enabled by going to: Tools  ->  Accounts  ->  Choose  your  email
		account -> Advanced ->  Sending  /  Break  apart  messages  larger  than
		[...]. No other mail  client  we  have  checked  supports  this  feature
		including Microsoft Outlook. However, Outlook Express is widely used  in
		both Cooperate and  Home  environments  making  this  issue  a  possible
		high-risk situation.
	
	

SOLUTION

	
		 Workaround

		 ==========

		

		It seems that by embedding email  footer  (company  disclaimer,  privacy
		note, etc) to each outgoing email traversing though the  content  filter
		it is possible to completely hamper the effective usage of this  attack.
		However, since this is an RFC documented feature that  may  be  used  in
		Outlook Express for legitimate purposes, this legitimate usage  will  be
		hampered as well.
		

		A  vendor  solution  to  this  vulnerability  would  be  to  include   a
		reassembling  agent  at   the   server   that   will   not   allow   any
		non-reassembled message to traverse through it.
		

		

		Vendor response - Check Point:

		

		"Neither the  latest  4.1  nor  the  latest  NG  versions  of  FW-1  are
		vulnerable to this problem. A few details follow:
		

		1. FW-1 does not directly analyze  the  body  of  attachments.  In  that
		respect, the vulnerability is not applicable to FW-1.
		

		2. FW-1 has the capability to easily filter these types of messages,  by
		specifying "message/partial" in the "Strip MIME  of  type:"  section  of
		the resource definition.
		

		3. FW-1 does serve as a  platform  for  third  party  vendors  to  check
		attachments for viruses via the "CVP" OPSEC mechanism. When  defining  a
		CVP server, a message  box  is  presented  to  the  administrator  (when
		approving the resource) that says:
		

		"When CVP server is used  it  is  recommended  to  strip  MIME  of  type
		'message/partial'. Do you want to add 'message/partial'?"
		

		Pressing  "Yes"  will  automatically  add   'message/partial'   to   the
		appropriate place in the resource definition.
		

		We therefore believe is safe to say that not only are we not  vulnerable
		to this problem ourselves, we also  protect  3rd  party  opsec  partners
		from falling for this pitfall."
		

		

		Vendor response - GFI:

		

		GFI MailSecurity for Exchange/SMTP 7.2 has been updated to  detect  this
		exploit as "fragmented message"  through  its  email  exploit  detection
		engine and quarantines it at server level.
		

		GFI patch URL: GFI's latest version  of  MailSecurity  for  Exchange  is
		patched against this problem. For more information, see:
		

		http://www.gfi.com/mailsecurity/

		

		

		Vendor response - Symantec:

		

		"Symantec has been aware for some time of the  potential  malicious  use
		of this email feature. As a result,  all  currently  supported  Symantec
		gateway products, by default, block  multi-part  MIME  messages  at  the
		gateway. While this  is  a  configurable  feature  of  Symantec  gateway
		products and can  be  enabled  if  multi-part  email  is  required,  the
		rejection of  segmented  messages  should  be  a  part  of  a  company's
		comprehensive security policy to restrict  potentially  harmful  content
		from the internal network.
		

		Additionally, should known malicious  code  be  delivered  to  a  client
		computer in this manner, the  Symantec  and  Norton  AntiVirus  scanning
		products will detect it when it is reassembled  and  downloaded  to  the
		client computer  and/or  during  attempted  execution  on  the  targeted
		computer. As always, if  previously  unknown  malicious  code  is  being
		distributed in this manner, Symantec Security Response  will  react  and
		send  updated  virus  definitions  via  LiveUpdate  to  detect  the  new
		threat."
		

		A full formal response from Symantec should be shortly available at:
		

		http://securityresponse.symantec.com/avcenter/security/SymantecAdvisories.html

		

		(Under "Multiple SMTP bypass")
		

		

		Vendor response - TrendMicro:

		

		"We have confirmed that our product InterScan VirusWall 3.5x for  NT  is
		affected  by  the  vulnerability  mentioned  by  Beyond  Security   Ltd.
		regarding fragmented e-mails. In order to resolve this problem, we  have
		released a patch  in  order  to  address  this  particular  concern  for
		InterScan VirusWall for NT. The said patch can be  downloaded  from  the
		following FTP server:
		

		ftp://ftp-download.trendmicro.com.ph/Gateway/ISNT/3.52/

		

		The said hotfix is named:
		

		Hotfix_build1494_v352_Smtp_case6593.zip

		

		The hotfix mentioned above contains a Readme file which  should  include
		the necessary instructions on how to apply the patch.
		

		Our other mail gateway product, InterScan MSS v5.01 is not  affected  by
		this vulnerability provided that you apply  the  latest  hotfixes  which
		can be downloaded from our website at:
		

		http://www.antivirus.com/download

		

		

		

		Vendor response - SonicWALL:

		

		We could not assert whether SonicWALL is vulnerable to this  attack  and
		were unable  to  receive  a  response  from  SonicWALL  despite  several
		contact attempts.
		

		

		Vendor response - NAI:

		

		We could not assert whether any of NAI's products is vulnerable to  this
		attack and were unable to receive a response from  NAI  despite  several
		contact attempts.
		

		

		Vendor response - Cisco:

		

		The following response was received from  Cisco's  security  contact  on
		September 1st: "We are still working on this issue, and I  do  not  have
		the latest information.  We will follow up in a few days."
		

		

		CERT:

		

		We have  received  a  response  from  CERT  indicating  that  they  have
		informed several vendors about the issue, but were unable to receive  an
		updated status in the last few weeks. CERT is  tracking  this  issue  as