
Multiple Vendor Email Message Fragmentation SMTP Filter Bypass Vulnerability


Published: 2002-09-18
Updated: 2002-09-18
Severity:
Threat level: Covert attack
Error type: Design error
Exploitation method: Client mode

BUGTRAQ ID:5696
CVE(CAN) ID:CAN-2002-1121

Affected systems
GFI MailSecurity for Exchange/SMTP 7.2
Network Associates WebShield SMTP 4.0.5
   - Microsoft Windows NT 4.0
Network Associates WebShield SMTP 4.5
   - Microsoft Windows 2000 Workstation
   - Microsoft Windows NT 4.0
Network Associates WebShield SMTP 4.5.44
   - Microsoft Windows NT 4.0
Network Associates WebShield SMTP 4.5.74 .0
   - Microsoft Windows NT 4.0
Roaring Penguin Software CanIt 1.2
Roaring Penguin Software MIMEDefang 2.14
Roaring Penguin Software MIMEDefang 2.20
Trend Micro InterScan VirusWall for Windows NT 3.5
   - Microsoft Windows NT 3.5
   - Microsoft Windows NT 3.5.1 SP1
   - Microsoft Windows NT 3.5.1 SP2
   - Microsoft Windows NT 3.5.1 SP3
   - Microsoft Windows NT 3.5.1 SP4
   - Microsoft Windows NT 3.5.1 SP5
Trend Micro InterScan VirusWall for Windows NT 3.51
   - Microsoft Windows NT 3.5
   - Microsoft Windows NT 3.5.1
   - Microsoft Windows NT 3.5.1 SP1
   - Microsoft Windows NT 3.5.1 SP2
   - Microsoft Windows NT 3.5.1 SP3
   - Microsoft Windows NT 3.5.1 SP4
   - Microsoft Windows NT 3.5.1 SP5
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0 SP1
   - Microsoft Windows NT 4.0 SP2
   - Microsoft Windows NT 4.0 SP3
   - Microsoft Windows NT 4.0 SP4
   - Microsoft Windows NT 4.0 SP5
   - Microsoft Windows NT 4.0 SP6
   - Microsoft Windows NT 4.0 SP6a
Trend Micro InterScan VirusWall for Windows NT 3.52
   - Microsoft Windows NT Enterprise Server 4.0
   - Microsoft Windows NT Enterprise Server 4.0 SP1
   - Microsoft Windows NT Enterprise Server 4.0 SP2
   - Microsoft Windows NT Enterprise Server 4.0 SP3
   - Microsoft Windows NT Enterprise Server 4.0 SP4
   - Microsoft Windows NT Enterprise Server 4.0 SP5
   - Microsoft Windows NT Enterprise Server 4.0 SP6
   - Microsoft Windows NT Enterprise Server 4.0 SP6a
   - Microsoft Windows NT Server 4.0
   - Microsoft Windows NT Server 4.0 SP1
   - Microsoft Windows NT Server 4.0 SP2
   - Microsoft Windows NT Server 4.0 SP3
   - Microsoft Windows NT Server 4.0 SP4
   - Microsoft Windows NT Server 4.0 SP5
   - Microsoft Windows NT Server 4.0 SP6
   - Microsoft Windows NT Server 4.0 SP6a
   - Microsoft Windows NT Terminal Server 4.0
   - Microsoft Windows NT Terminal Server 4.0 alpha
   - Microsoft Windows NT Terminal Server 4.0 SP1
   - Microsoft Windows NT Terminal Server 4.0 SP2
   - Microsoft Windows NT Terminal Server 4.0 SP3
   - Microsoft Windows NT Terminal Server 4.0 SP4
   - Microsoft Windows NT Terminal Server 4.0 SP5
   - Microsoft Windows NT Terminal Server 4.0 SP6
   - Microsoft Windows NT Terminal Server 4.0 SP6a
   - Microsoft Windows NT Workstation 4.0
   - Microsoft Windows NT Workstation 4.0 SP1
   - Microsoft Windows NT Workstation 4.0 SP2
   - Microsoft Windows NT Workstation 4.0 SP3
   - Microsoft Windows NT Workstation 4.0 SP4
   - Microsoft Windows NT Workstation 4.0 SP5
   - Microsoft Windows NT Workstation 4.0 SP6
   - Microsoft Windows NT Workstation 4.0 SP6a
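Detailed description
If a single e-mail message is split and sent as multiple fragments, it can bypass SMTP content filters, because the SMTP filter cannot reassemble the fragmented e-mail.

Outlook Express lets Internet and intranet users split a message they send, so that users on slow connections can send a large message as several e-mails; the receiving client reassembles them into a single e-mail. The RFC documents call this "Message Fragmentation and Reassembly" (RFC2046, section 5.2.2.1). However, this allows some e-mail security checks to be bypassed, so any virus scanning or content filtering of the mail may be circumvented.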

Test code
For example, a binary attachment is split into two parts:

     X-Weird-Header-1: Foo
     From: Bill@host.com
     To: joe@otherhost.com
     Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
     Subject: First mail (part 1 of 2)
     Message-ID:
     MIME-Version: 1.0
     Content-type: message/partial; id="ABC@host.com";
                   number=1; total=2

     X-Weird-Header-1: Bar
     X-Weird-Header-2: Hello
     Message-ID:
     Subject: Audio mail
     MIME-Version: 1.0
     Content-type: application/binary
     Content-transfer-encoding: base64

       VIRUS

The second part is as follows:

     From: Bill@host.com
     To: joe@otherhost.com
     Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
     Subject: Second mail (part 2 of 2)
     MIME-Version: 1.0
     Message-ID:
     Content-type: message/partial;
                   id="ABC@host.com"; number=2; total=2

       SIGNATURE

Once the message is reassembled, it looks like this:

     X-Weird-Header-1: Foo
     From: Bill@host.com
     To: joe@otherhost.com
     Date: Fri, 26 Mar 1993 12:59:38 -0500 (EST)
     Subject: Mail
     Message-ID:
     MIME-Version: 1.0
     Content-type: application/binary
     Content-transfer-encoding: base64

       VIRUS
       SIGNATURE
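
The gateway-side view of the split shown above, as an added example (not part of the original advisory or any vendor's code): each fragment scans clean on its own, and only reassembly by `id`/`number`/`total` exposes the content. The scanner pattern, the function names and the hold/quarantine policy are assumptions made for illustration; the two sample messages are constructed from the advisory's example.

```python
from collections import defaultdict
from email.parser import HeaderParser

SIGNATURE = "VIRUSSIGNATURE"  # constructed stand-in for a scanner pattern
OUTER = "From: Bill@host.com\nTo: joe@otherhost.com\nMIME-Version: 1.0\n"
# Constructed fragments modelled on the advisory's two-part message.
PART1 = (OUTER + 'Content-type: message/partial; id="ABC@host.com"; number=1; total=2\n\n'
         "Subject: Audio mail\nContent-type: application/binary\n"
         "Content-transfer-encoding: base64\n\nVIRUS\n")
PART2 = (OUTER + 'Content-type: message/partial; id="ABC@host.com"; number=2; total=2\n\n'
         "SIGNATURE\n")

def scan(text):
    """Toy scanner: match the pattern with whitespace (line breaks) removed."""
    return SIGNATURE in "".join(text.split())

def reassemble_partials(raw_messages):
    """Return ({id: enclosed message text}, {ids incomplete or malformed})."""
    frags, totals, bad = defaultdict(dict), {}, set()
    for raw in raw_messages:
        msg = HeaderParser().parsestr(raw)  # headers only; body stays raw text
        if msg.get_content_type() != "message/partial":
            continue
        fid = msg.get_param("id")
        try:
            frags[fid][int(msg.get_param("number"))] = msg.get_payload()
            if msg.get_param("total") is not None:
                totals[fid] = int(msg.get_param("total"))
        except (TypeError, ValueError):
            bad.add(fid)
    whole = {}
    for fid, parts in frags.items():
        total = totals.get(fid)
        if fid in bad or not total or sorted(parts) != list(range(1, total + 1)):
            bad.add(fid)  # cannot be scanned as a whole yet
            continue
        # Fragment bodies joined in order are the enclosed message:
        # its own headers, a blank line, then the complete body.
        whole[fid] = "".join(parts[n] for n in sorted(parts))
    return whole, bad

def gateway_action(raw_messages):
    """'quarantine' on a hit, 'hold' if fragments cannot be reassembled, else 'pass'."""
    whole, bad = reassemble_partials(raw_messages)
    if any(scan(t) for t in list(raw_messages) + list(whole.values())):
        return "quarantine"
    return "hold" if bad else "pass"

if __name__ == "__main__":
    print([scan(PART1), scan(PART2)], gateway_action([PART1, PART2]))
```

A filter that cannot hold fragments until the set is complete has no way to reach the "quarantine" verdict, which is why the MIMEDefang rule under the solution heading rejects `message/partial` outright.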

Solution
Roaring Penguin Software MIMEDefang users can add the following rule to their filter and filter_multipart routines:

     # Block message/partial parts
     if (lc($type) eq "message/partial") {
         action_quarantine_entire_message();
         action_notify_administrator("Message quarantined because of message/partial type");
         return action_discard();
     }

Updates available from some vendors:

GFI MailSecurity for Exchange/SMTP 7.2:
Network Associates WebShield SMTP 4.0.5:
Network Associates WebShield SMTP 4.5:
Network Associates WebShield SMTP 4.5.44:
Network Associates WebShield SMTP 4.5.74 .0:
Roaring Penguin Software CanIt 1.2:
Roaring Penguin Software MIMEDefang 2.14:

Roaring Penguin Software Patch MIME-tools-5.411a-RP-Patched.tar.gz
http://www.roaringpenguin.com/mimedefang/MIME-tools-5.411a-RP-Patched.tar.gz

Roaring Penguin Software MIMEDefang 2.20:

Roaring Penguin Software Patch MIME-tools-5.411a-RP-Patched.tar.gz
http://www.roaringpenguin.com/mimedefang/MIME-tools-5.411a-RP-Patched.tar.gz

Trend Micro InterScan VirusWall for Windows NT 3.5:
Trend Micro InterScan VirusWall for Windows NT 3.51:
Trend Micro InterScan VirusWall for Windows NT 3.52:

Trend Micro Hotfix Hotfix_build1494_v352_Smtp_case6593.zip
ftp://ftp-download.trendmicro.com.ph/Gateway/ISNT/3.52/Hotfix_build1494_v352_Smtp_case6593.zip

Related information
Aviram Jenik <aviram@beyondsecurity.com>.
References: http://online.securityfocus.com/archive/1/291514
http://online.securityfocus.com/archive/1/291547
http://online.securityfocus.com/archive/1/291531
http://online.securityfocus.com/archive/1/291719
http: