Bugtraq mailing list archives
Re: NAI WebShield SMTP does not scan base64 encoding
From: chris.paget () ANALYSYS COM (chris.paget () ANALYSYS COM)
Date: Tue, 20 Jun 2000 18:52:28 GMT
MS-TNEF is not used at any point in the process; neither is Outlook, nor Rich Text. The messages are plain text (a renamed copy of my autoexec.bat) being sent using Forte Agent - nothing Microsoft. The MIME types I have tried include application/octet-stream and text/plain - in neither case is the VBS / SHS file blocked. The only difference that I can see between this setup and another machine using Outlook (from which messages get blocked) is the encoding type - base64 instead of 8bit.

If the attachment is indeed a known virus, it appears to be detected and cleaned; however, I am trying to block ALL potentially malicious attachments, and base64 encoding appears to circumvent those checks.

Chris

--
Chris Paget
Software Engineer, Analysys LTD.
chris.paget () analysys com
mad.nutter () mindless com

On Tue, 20 Jun 2000 14:37:46 -0400, you wrote:
Chris,
This problem is not caused by base64 encoding. It is caused by the message
being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format)
and then getting base64 encoded. MS-TNEF is used when Outlook sends Rich
Text information over the Internet.
NAI knows that this is a problem but they have been unable to fix it. Here's
my message to NAI and their response.
-------------------------------
-----Original Message-----
From: Jon
Sent: Tuesday, May 09, 2000 7:55 PM
To: Fronck, Destry
Subject: RE: Webshield smtp 4.03 virus gateway
Destry,
I talked to the Webshield guys and they said you are
completely correct. Not only that but NO company can scan those files
including ours. They did provide an article that may be of help to you.
<<WebShield_MS-TNEF.doc>>
Thanks
Jon
--------------------------------------
Network Associates
Who's watching your network?
-------------------------------------
-----Original Message-----
From: Fronck, Destry
[mailto:DFronck () FDIC gov]
Sent: Monday, May 08, 2000 7:38 AM
To: Jon
Cc: FDIC-CSIRT
Subject: Webshield smtp 4.03 virus gateway
Importance: High
Jon, I have discovered a problem with the WebShield smtp 4.03 virus gateway for NT. We have had several instances of the ILOVEYOU virus getting past the virus gateway. All of these were detected by the VShield 4.03 desktop scanner. Both products are running the same dat files: 4076 and the latest extra.dat.
The problem is that the gateway does not
appear to scan MS-TNEF (Microsoft Transport Neutral Encapsulated Format)
content. This content is typically encapsulated in MIME like so
------_=_NextPart_000_01BFB8C1.7FC25C8A
Content-Type: application/ms-tnef
Content-Transfer-Encoding: base64
Can you verify this?
Does WebShield 4.5 fix this? Can you verify this?
Thanks,
Destry Fronck
-----------------------------------------------
Thanks,
Destry Fronck
-----Original Message-----
From: chris.paget () ANALYSYS COM [mailto:chris.paget () ANALYSYS COM]
Sent: Tuesday, June 20, 2000 9:08 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: NAI WebShield SMTP does not scan base64 encoding
While investigating today's virus outbreak (Stages.Worm), I noticed
that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50,
DAT 4.0.4082, 14/06/00) was not picking up all attachments.
The server is configured to block all SHS, VBS, etc attachments, and
notify the sender. However, when these are sent as Base64 encoding
(rather than 8-bit), they are passed by the server, and could
potentially infect the network. 8-bit attachments are successfully
scanned (and blocked if necessary).
Chris
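The failure mode this thread turns on is a gateway applying its attachment policy to the raw message body rather than to each decoded MIME part, so the same file gets a different verdict depending on its Content-Transfer-Encoding. As an added example (not part of this thread and not NAI's code), the Python below walks every part of a constructed message, decodes the transfer encoding first, and applies the extension block list to the decoded part, so base64 and 8bit attachments are judged identically; application/ms-tnef parts, which the thread says could not be unpacked at the time, are quarantined rather than passed. The block list, the sample message and the signature check standing in for the AV engine are all constructed for this example.

```python
import base64
from email import message_from_bytes, policy

# Constructed policy: extensions the gateway in the thread is meant to block.
BLOCKED_EXTENSIONS = {".vbs", ".shs"}
# Content the thread says no gateway of the time could unpack: do not pass it.
UNSCANNABLE_TYPES = {"application/ms-tnef"}

def build_sample(cte: str, body: bytes = b"@echo off\nrem renamed autoexec.bat\n") -> bytes:
    """Construct a two-part message carrying 'autoexec.vbs' (a renamed batch
    file, as in the report) with the given Content-Transfer-Encoding."""
    data = base64.b64encode(body).decode() if cte == "base64" else body.decode()
    return (
        "From: sender@example.test\r\nTo: rcpt@example.test\r\n"
        "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
        '--b1\r\nContent-Type: text/plain; name="autoexec.vbs"\r\n'
        f"Content-Transfer-Encoding: {cte}\r\n"
        'Content-Disposition: attachment; filename="autoexec.vbs"\r\n\r\n'
        f"{data}\r\n--b1--\r\n"
    ).encode()

def gateway_verdicts(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename-or-type, verdict) for every leaf MIME part. The
    decision is made on the declared filename and the *decoded* bytes, so the
    transfer encoding used on the wire cannot change the outcome."""
    verdicts = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename()
        label = fname or ctype
        if ctype in UNSCANNABLE_TYPES:
            verdicts.append((label, "quarantine: cannot unpack"))
            continue
        # get_payload(decode=True) reverses base64/quoted-printable for us.
        decoded = part.get_payload(decode=True) or b""
        ext = ("." + fname.rsplit(".", 1)[-1].lower()) if fname and "." in fname else ""
        if ext in BLOCKED_EXTENSIONS:
            verdicts.append((label, f"block: {ext}"))
        elif decoded.lower().startswith(b"@echo off"):   # constructed stand-in for the AV engine
            verdicts.append((label, "block: script content"))
        else:
            verdicts.append((label, "pass"))
    return verdicts
```

Running `gateway_verdicts(build_sample("base64"))` and `gateway_verdicts(build_sample("8bit"))` yields the same block verdict for the attachment, which is the property the gateway in the report lacked.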