Bugtraq mailing list archives

Re: NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass]


From: Paul L Schmehl <pauls () utdallas edu>
Date: Fri, 30 Nov 2001 16:17:24 -0600

I'd be real interested to know how you determined that the boundary field should be discarded. According to the RFC you referenced, folding involves adding a LWSP-char after a CRLF. Are you assuming that was missing? And if you are, what are you basing that assumption on?

More to the point, it isn't WebShield's job to correctly parse headers. It's WebShield's job to detect and remove viral attachments. If an incorrectly formed header is all it takes to bypass virus detection, then the virus writers will be screwing up their headers before this message gets cold.

This is most certainly a problem with WebShield, and NAI needs to fix it. They should be parsing for:

Content-Type: audio/x-wav;
name="NEWS_DOC.DOC.scr"
Content-Transfer-Encoding: base64

base64 decoding the content between the boundary markers and scanning the result to determine if it's viral.

After all, the idea behind a gateway scanner is to *protect* stupid email clients, not pass the problem off to them.

--On Friday, November 30, 2001 1:35 AM -0800 Joe Yandle <jwy () divisionbyzero com> wrote:

> This is not a bug in NAI WebShield, but rather a bug in any email
> client which parses this as a valid MIME message.  Read RFC 822,
> section 3.1.1, if you don't understand how to correctly fold
> email headers.  Since the 'boundary' field should be discarded,
> this email cannot be parsed for MIME attachments, and thus
> logically does not contain the virus.

Paul L. Schmehl, pauls () utdallas edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member
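
Added example (not part of the original post, and not WebShield's code): a minimal Python sketch of the gateway-side check discussed above, which unfolds headers even when a continuation line lacks its leading LWSP-char, splits on delimiter lines without trusting the boundary= parameter, and base64-decodes each part for scanning. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import base64
import re

FIELD_RE = re.compile(r"^[!-9;-~]+:")   # an RFC 822 field name followed by ':'
RISKY_EXT = (".scr", ".pif", ".exe", ".com", ".bat", ".vbs")  # assumed policy list

def unfold_lenient(lines):
    """Unfold headers, also accepting continuation lines that lack the LWSP-char."""
    fields = []
    for line in lines:
        if fields and (line[:1] in (" ", "\t") or not FIELD_RE.match(line)):
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.strip())
    return fields

def split_parts(raw):
    """Split on any '--token' delimiter line instead of trusting boundary=."""
    parts = []
    for line in raw.splitlines():
        if line.startswith("--") and len(line.strip()) > 2:
            parts.append([])
        elif parts:
            parts[-1].append(line)
    return parts

def extract_attachments(raw):
    """Return (filename, decoded_bytes, risky_name) for every body part found."""
    found = []
    for part in split_parts(raw):
        if "" not in part:
            continue                      # no header/body separator (e.g. epilogue)
        cut = part.index("")
        headers = {}
        for field in unfold_lenient(part[:cut]):
            headers[field.partition(":")[0].lower()] = field.partition(":")[2].strip()
        m = re.search(r'name="?([^";]+)', headers.get("content-type", ""), re.I)
        filename = m.group(1).strip() if m else None
        body = "".join(part[cut + 1:])
        is_b64 = headers.get("content-transfer-encoding", "").lower() == "base64"
        payload = base64.b64decode(body) if is_b64 else body.encode()
        risky = bool(filename) and filename.lower().endswith(RISKY_EXT)
        found.append((filename, payload, risky))  # payload goes to the AV engine
    return found

# Constructed sample: both continuation lines are missing their leading whitespace.
SAMPLE = ('Content-Type: multipart/mixed;\r\nboundary="XYZ"\r\n\r\n--XYZ\r\n'
          'Content-Type: audio/x-wav;\r\nname="NEWS_DOC.DOC.scr"\r\n'
          'Content-Transfer-Encoding: base64\r\n\r\n'
          + base64.b64encode(b"constructed test payload").decode() + '\r\n--XYZ--\r\n')
```

Calling extract_attachments(SAMPLE) yields the attachment name, its decoded bytes and the risky-extension flag whether or not the header was folded correctly.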

