COMMAND
	MAILsweeper MIME attachment evasion
SYSTEMS AFFECTED
	Clearswift MAILsweeper 4.x
PROBLEM
	
	-- Corsaire Security Advisory --
	Title: Clearswift MAILsweeper MIME attachment evasion issue
	Date: 03.03.03
	Application: Clearswift MAILsweeper 4.x
	Environment: Windows NT 4.0, Windows 2000, 
	Author: Martin O'Neal [[email protected]]
	Audience: General distribution
	-- Scope --
	The aim of this document is to clearly define a MIME attachment evasion 
	issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1] 
	-- History --
	Vendor notified: 03.03.03 
	Uncoordinated vendor advisory released: 05.03.03
	Document released: 06.03.03
	Unfortunately the release of this advisory has not followed a 
	particularly smooth path. The main reason for the rapid release schedule 
	is due to an uncoordinated and unattributed advisory from Clearswift, 
	released under their ThreatLab banner. Once this was made public, there 
	seemed little point in delaying publishing the Corsaire advisory.
	For the record, the sole response we have had from Clearswift in regard 
	to this issue has been an apology from Pete Simpson (ThreatLab Manager) 
	for the unattributed release (received after we complained about the 
	omission). Other than this, no one from Clearswift has responded to the 
	original advisory, or any of the follow-up emails.
	
	-- Overview --
	The MAILsweeper product provides policy based,  email  content  security
	functionality. Part of this functionality allows the  product  to  block
	attachments based on their specific content type.
	However,  by  using  malformed  MIME   encapsulation   techniques   this
	functionality can be evaded.
	-- Analysis --
	The attachment detection functionality works  by  recursively  analysing
	the email message body and attachments for  container  constructs  (such
	as MIME), decoding these and  then  comparing  the  contents  against  a
	predefined policy.
	If a deliberately malformed MIME encapsulation technique is  used,  then
	the MAILsweeper product will not recognise the attachment and allows  it
	to pass unhindered.
	However,  not  all  client   applications   require   strict   standards
	compliance and some  will  happily  accept  and  process  the  malformed
	attachment.
	-- Proof of concept --
	For this proof of concept, the MIME encapsulation is simply modified  to
	remove the MIME-Version header field. An example of an application  that
	will process  a  MIME  construct  that  is  malformed  in  this  way  is
	Microsoft Internet Explorer.
	Whilst RFC2045 states that all agents must include  this  field  [2]  it
	then goes on to say that "In the absence  of  a  MIME-Version  field,  a
	receiving mail user agent (whether conforming to  MIME  requirements  or
	not) may  optionally  choose  to  interpret  the  body  of  the  message
	according to local conventions."
	Step 1: On the MAILsweeper host create a  new  Data  Type  Manager  with
	only the Executable type selected.  Save  and  restart  the  MAILsweeper
	Security service.
	Step 2: Now create a text file that  will  be  used  to  hold  the  MIME
	encoded attachment. Start notepad (or another text  editor),  and  paste
	in:
	
	     MIME-Version: 1.0
	     Content-Location:file:///executable.exe
	     Content-Transfer-Encoding: base64
	     TVp0AQIAAAAgAAgA//8YAIAAAAAQAAIAHgAAAAEAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAC4AQCO2I0WAgC0Cc0huCBMzSFFeGUhJCQJALH/
	     /////wAAAAAAAFQBAAAAAAIAUkKL6IzABRAADh+jBAADB
	     gwAjsCLDgYAi/lPi/f986RQuDQAUMuMw4zYSI7YjsC/Dw
	     C5EACw//OuR4v3i8NIjsC/DwCxBIvG99DT6IzaK9BzBIz
	     YK9LT4APwjtqLx/fQ0+iMwivQcwSMwCvS0+AD+I7CrIrQ
	     Tq2LyEaKwiT+PLB1BazzqusGPLJ1bfOkisKoAXSxvjIBD
	     h+LHgQA/DPSrYvI4xOLwgPDjsCti/iD//90ESYBHeLzgf
	     oA8HQWgcIAEOvcjMBAjsCD7xAmAR1IjsDr4ovDiz4IAIs
	     2CgAD8AEGAgAtEACO2I7AuwAA+o7Wi+f7i8Uu/y+0QLsC
	     ALkWAIzKjtq6HAHNIbj/TM0hUGFja2VkIGZpbGUgaXMgY
	     29ycnVwdAEAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	     AAAAAAAAA=
	
	Step  3:  To  reproduce  this  issue,  send  an  email  containing   the
	attachment created in step 2 that will  be  processed  by  the  scenario
	from step 1. This should result in a successful discovery condition.
	Step 4: Reopen the attachment from step 2  and  remove  the  first  line
	(MIME-Version: 1.0), then resend the attachment  as  per  step  3.  This
	should result in the attachment not being spotted as an executable.
SOLUTION
	-- Recommendations --
	To be an effective tool, the MAILsweeper product must not only  be  able
	to  process  encoding  techniques  implemented  as  per   the   relevant
	standard, but also common misinterpretations.
	As  an  ongoing  process,  a  study  project  should  be  undertaken  by
	Clearswift to identify applications that routinely decode  MIME  objects
	and have a liberal interpretation of the MIME standard.
	In response to  this  advisory,  Clearswift  have  produced  an  updated
	script utility that can detect the malformed MIME header  used  in  this
	example [3]. This should be implemented until a more permanent  solution
	is forthcoming.
	
	-- CVE --
	The Common Vulnerabilities and Exposures (CVE) project has assigned
	the name CAN-2003-0121 to this issue. This is a candidate for
	inclusion in the CVE list (http://cve.mitre.org), which standardizes
	names for security problems.
	-- References --
	[1] http://www.clearswift.com
	[2] http://www.rfc.net/rfc2045.html#s4.
	[3] http://www.clearswift.com/support/threatlab/vbstool.asp
	-- Revision --
	a. Initial release.
	b. Minor revision.
	c. Added CVE reference.
	d. Added Clearswift script tool reference.
	-- Distribution --
	This security advisory may be freely distributed, provided that it 
	remains unaltered and in its original form. 
	-- Disclaimer --
	The information contained within this advisory is supplied "as-is" with 
	no warranties or guarantees of fitness of use or otherwise. Corsaire 
	accepts no responsibility for any damage caused by the use or misuse of 
	this information.
	Copyright 2003 Corsaire Limited. All rights reserved.
	
	 Update (26 March 2003)
	 ======
	Martin O'Neal adds :
	As a follow to this, the vendor has now released  a  permanent  fix  for
	the product, which can be downloaded from:
	
	 http://www.clearswift.com/download/SQL/downloadList.asp?productID=301