-- Corsaire Security Advisory -- Title: Clearswift MAILsweeper multiple encoding/compression issues Date: 07.08.03 Application: Clearswift MAILsweeper prior to 4.3.15 Environment: Windows 2000 Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c030807-001 -- Scope -- The aim of this document is to clearly define a MIME attachment evasion issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1] -- History -- Discovered: 07.08.03 Vendor notified verbally: 26.08.03 Vendor notified in writing: 05.11.03 Vendor patch released: 05.08.04 Document released: 13.08.04 As per the normal process for dealing with Clearswift, after months of requesting a status update on these issues (without any response), the patches for these vulnerabilities have been released without any discussion or coordination with ourselves, and as is becoming the norm, completely unattributed. -- Overview -- The MAILsweeper product provides policy based, email content security functionality. Part of this functionality allows the product to block attachments based on the type of content (i.e. executable) or name of the attachment. Encoding and compression technology is now commonly used to make the transfer of data by email more efficient. Due to this, it is essential that a product such as MAILsweeper can detect and analyse the content contained within, or at least "fail closed" if a positive identification cannot be made. However, MAILsweeper does not detect a number of common compression formats (for which it is listed as compatible) and in certain circumstances also fails to identify the name of file attachments when they are encoded. -- Analysis -- The MAILsweeper attachment detection functionality works by recursively analysing the email message body for container constructs (such as MIME and compressed archives etc.), decoding these and then comparing the contents against a predefined policy. The current product spec sheet [2] lists that the product is compatible with "ARJ (including self-extracting ARJ), GZip, RAR, TAR, PGP, LZH, LHA, CMP, ZIP (multiple variants), BinHex and CAB, MIME, UUE, TNEF, and binary". This is a subset of the available compression formats, but does cover the majority of those in common use. For analysis purposes, a collection of the freely available compression tools was assembled. A sample executable file was then added to each container type and then these were passed through a MAILsweeper host configured with the latest available patches (CS MAILsweeper 4.3 for SMTP Hotfix 4.3.10 and Technology Update 1.4.10). The results were as per the following table. Where version information for the archive tool was available, it is listed: Encoding Listed Detected Content Detected filenames 7ZIP (2.30) ........ No ........... No ................ No ACE (2.2) .......... No ........... No ................ No ARC (6.0) .......... No ........... No ................ No ARJ (2.81) ......... Yes .......... Yes ............... Yes BH ................. No ........... No ................ No BASE64 ............. No ........... Yes ............... n/a Binary ............. Yes .......... Yes ............... n/a BINHEX ............. Yes .......... Yes ............... No BZIP2 (1.0.2) ...... No ........... No ................ No CAB ................ Yes .......... Yes ............... Yes CMP ................ Yes .......... Not tested ........ Not tested COMPRESS (4.2.4) ... No ........... Yes ............... Yes GZIP (1.2.4) ....... Yes .......... Yes ............... Yes HAP (3.05) ......... No ........... No ................ No HPK (.78a0) ........ No ........... No ................ No IMG ................ No ........... No ................ No JAR ................ No ........... Yes ............... Yes LHA (2.55e) ........ Yes .......... Yes ............... Yes LZH (1.13c) ........ Yes .......... Yes ............... Yes MIME ............... Yes .......... Yes ............... Yes PAK (2.51) ......... No ........... No ................ No PGP ................ Yes .......... Yes ............... Yes RAR (2.90) ......... Yes .......... Yes ............... Yes RAR (3.20) ......... Yes .......... No ................ No RAWRITE (0.7) ...... No ........... No ................ No DOS TAR (1.12) ..... Yes .......... As Undetermined ... As Undetermined UNIX TAR (1.13) .... Yes .......... As Undetermined ... As Undetermined TNEF ............... Yes .......... Yes ............... Yes UUE ................ Yes .......... Yes ............... n/a ZIP (2.04g) ........ Yes .......... Yes ............... Yes ZIP (6.0d) ......... Yes .......... As Undetermined ... As Undetermined ZOO (2.1) .......... No ........... No ................ No Note: The CMP compression format was not analysed as the tool appears to be available on the Mac only and a suitable platform was not on hand during testing. In summary: - There are a significant number of common formats that are not detected by MAILsweeper (most notably the newer formats like 7ZIP and ACE). - The TAR format that is listed as compatible doesn't seem to be supported, producing a "corrupt" error for all versions tested. - Several formats that are listed as compatible are actually version dependent (RAR and ZIP). - The BinHex (HQX) format is detected but it does not expose the filenames contained within to scrutiny. The MAILsweeper product works from a starting position of allowing all content to pass, then specifically blocking undesirable attachments. By virtue of the encoding formats not being detected, the container and the contents are passed through the system without being analysed. -- Recommendations -- Clearswift have released the 4.3.15 hotfix that corrects these issues. This should be applied to all existing installations where appropriate. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned Multiple numbers to this issue: CAN-2003-0928 Clearswift MAILsweeper RAR 3.20 container detection issue CAN-2003-0929 Clearswift MAILsweeper ZIP 6.0 container detection issue CAN-2003-0930 Clearswift MAILsweeper HQX container filename detection issue These are candidates for inclusion in the CVE list, which standardises names for security problems (http://cve.mitre.org). -- References -- [1] http://www.clearswift.com [2] http://www.clearswift.com/products/msw/smtp/techspec.asp -- Revision -- a. Initial release. b. Added CVE reference. c. Revised to include vendor patch. -- Distribution -- This security advisory may be freely distributed, provided that it remains unaltered and in its original form. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2003 Corsaire Limited. All rights reserved.