what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Corsaire Security Advisory 2003-08-04.2

Corsaire Security Advisory 2003-08-04.2
Posted Sep 15, 2004
Authored by Martin O'Neal, Corsaire | Site corsaire.com

Corsaire Security Advisory - There are a number of content security gateway and anti-virus products available that provide policy based security functionality. Part of this functionality allows the products to block embedded file attachments based on their specific content type, such as executables or those containing viruses. However, by using malformed MIME encapsulation techniques centered on the presence of multiple occurrences of fields, this functionality can be evaded.

tags | advisory, virus
advisories | CVE-2003-1014
SHA-256 | 861f18b0357c439502c07a12285b7d20b18584f5ea50adaee7fcfa7ffc20f5c2

Corsaire Security Advisory 2003-08-04.2

Change Mirror Download

-- Corsaire Security Advisory --

Title: Multiple vendor MIME field multiple occurrence issue
Date: 04.08.03
Application: various
Environment: various
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution
Reference: c030804-002


-- Scope --

The aim of this document is to clearly define a MIME content evasion
issue that affects a variety of products including; browsers, proxy
servers, email clients, content security gateways and antivirus
products.


-- History --

Discovered: 04.08.03 (Martin O'Neal)
CERT/CC notified: 18.08.03
NISCC notified: 24.10.03
Document released: 13.09.04

This advisory has been created from merging Corsaire advisories with
references c030804-001, c030806-001 and c030806-002.


-- Overview --

There are a number of content security gateway and antivirus products
available that provide policy based security functionality. Part of this
functionality allows the products to block embedded file attachments
based on their specific content type, such as executables or those
containing viruses. However, by using malformed MIME encapsulation
techniques centred on the presence of multiple occurrences of fields,
this functionality can be evaded.


-- Analysis --

The MIME standards are intended to provide a common mechanism to
exchange data between systems and are used extensively by protocols such
as HTTP and SMTP. The structure of a MIME message is defined in RFC2045
[1], which in turn makes use of concepts introduced in RFC822 [2]
(superseded by RFC2822 [3]).

The standards define a range of fields that control how data is encoded
within the transport, and how it should be interpreted by the receiving
agent. RFC822 states "This specification permits multiple occurrences of
most fields. Except as noted, their interpretation is not specified
here, and their use is discouraged."

As usual, this lack of clarity within an RFC has been interpreted in
various ways by the assorted vendors. For many products, such as email
clients and browsers, this scope for interpretation might only result in
some unreliable behaviour. However, for a collection of security
products, being unaware of the various ways that the standard has been
interpreted can lead to more serious results, as the products may fail
to detect a threat within the data stream.

When a receiving agent is presented with a MIME message that contains
multiple occurrences of a field, it tends to respond in one of four
broad ways:

- It identifies the MIME message as malformed and blocks it.
- It fails to interpret the MIME field (or message).
- It interprets the first occurrence of a field and ignores all those
that follow it.
- It interprets the last occurrence of a field and ignores all those
that precede it.

The first of the four would be the correct behaviour for a security
conscious product, but based on empirical research this is not the
common result.

The MIME field multiple occurrence issue has been observed to affect
most of the headers, parameters and values defined within the standard.
To use this issue as an attack mechanism, all that is required is to
identify a target that has a client agent that interprets the chosen
MIME field in a different way to any security products that protect it.


-- Recommendations --

To be effective tools, the security products must not only be able to
process encoding techniques implemented as per the relevant standard,
but also common misinterpretations and deliberate corruptions.

As an ongoing process, a study project should be undertaken by the
vendors to identify applications that routinely decode MIME objects and
have a liberal interpretation of the MIME standard.

NISCC have produced a document consolidating a number of vendor
statements on these issues [4]. Contact your vendor directly to
establish whether you are affected by these issues.


-- Background --

This issue was discovered using a custom SMTP/HTTP vulnerability
analysis tool developed by Corsaire's security assessment team. This
tool is not available publicly, but is an example of the specialist
approach used by Corsaire's consultants as part of a commercial security
assessment. To find out more about the cutting edge services provided by
Corsaire simply visit our web site at http://www.corsaire.com


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2003-1014 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardises
names for security problems.


-- References --

[1] http://www.faqs.org/rfcs/rfc2045.html
[2] http://www.faqs.org/rfcs/rfc822.html
[3] http://www.faqs.org/rfcs/rfc2822.html
[4] http://www.uniras.gov.uk/vuls/2004/380375/mime.htm


-- Revision --

a. Initial release.
b. Released.


-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com


Copyright 2003 Corsaire Limited. All rights reserved.
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close