Bugtraq mailing list archives
Re: NAI WebShield SMTP does not scan base64 encoding
From: andre.albsmeier () MCHP SIEMENS DE (Andre Albsmeier)
Date: Wed, 21 Jun 2000 14:36:34 +0200
On Tue, 20-Jun-2000 at 17:10:42 -0400, Sato, Ken wrote:
Chris, Destry,

Yes, I've had the same problem too. Because MS is too selfish to release the precise specs on the MS-TNEF encoding scheme, NAI is unable to write a reliable API to decode MS-TNEF.

Hmm, there is a tool on the internet called fentum that decodes MS-TNEF stuff under Unix. The author said he wrote it based on some docs from M$. But, interestingly, the fentum.com domain doesn't exist anymore. Maybe the M$ people jumped in there and said "Stop that". Wouldn't surprise me :-(

-Andre

The workaround for this is to install Groupshield for exchange. Groupshield is installed at the mail servers, so the MS-TNEF is stripped by the MS-Exchange before Groupshield scans the files.

Rgds,
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Ken, Information Security

-----Original Message-----
From: Fronck, Destry [mailto:DFronck () FDIC GOV]
Sent: Tuesday, June 20, 2000 2:38 PM
To: BUGTRAQ () securityfocus com
Subject: Re: NAI WebShield SMTP does not scan base64 encoding

Chris,

This problem is not caused by base64 encoding. It is caused by the message being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format) and then getting base64 encoded.

~snip snip

-----Original Message-----
From: chris.paget () ANALYSYS COM [mailto:chris.paget () ANALYSYS COM]
Sent: Tuesday, June 20, 2000 9:08 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: NAI WebShield SMTP does not scan base64 encoding

While investigating today's virus outbreak (Stages.Worm), I noticed that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50, DAT 4.0.4082, 14/06/00) was not picking up all attachments. The server is configured to block all SHS, VBS, etc. attachments, and notify the sender. However, when these are sent as Base64 encoding (rather than 8-bit), they are passed by the server, and could potentially infect the network. 8-bit attachments are successfully scanned (and blocked if necessary).

Chris
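
Archive note, added example (not part of any message in this thread and not NAI's code): a minimal gateway-side check in Python that undoes the Content-Transfer-Encoding before applying the extension block list, and quarantines MS-TNEF containers it cannot open instead of passing them. The function names, the sample message, the file names and the quarantine policy are assumptions made for illustration.

```python
import base64
import os
from email import message_from_bytes, policy

BLOCKED_EXT = {".shs", ".vbs"}          # extensions named in the original report
TNEF_MAGIC = bytes.fromhex("789f3e22")  # TNEF signature 0x223E9F78, little-endian

def inspect_message(raw: bytes):
    """Return (filename, verdict) for each attachment-like leaf part."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        # decode=True reverses base64 / quoted-printable, so the check below
        # sees the same bytes whether the sender used 8-bit or base64.
        body = part.get_payload(decode=True) or b""
        is_tnef = (body.startswith(TNEF_MAGIC)
                   or part.get_content_type() == "application/ms-tnef")
        if is_tnef:
            # Attachments are wrapped inside the container; fail closed.
            findings.append((name, "quarantine: TNEF container not inspected"))
        elif name:
            ext = os.path.splitext(name)[1].lower()
            verdict = "block: extension " + ext if ext in BLOCKED_EXT else "pass"
            findings.append((name, verdict))
    return findings

def _part(ctype: str, name: str, data: bytes) -> str:
    """Build one base64-encoded MIME part for the constructed sample."""
    return (f'--B\nContent-Type: {ctype}; name="{name}"\n'
            "Content-Transfer-Encoding: base64\n"
            f'Content-Disposition: attachment; filename="{name}"\n\n'
            + base64.encodebytes(data).decode())

# Constructed sample message; nothing here is captured traffic.
SAMPLE = (
    "From: a@example.test\nTo: b@example.test\nSubject: constructed sample\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="B"\n\n'
    "--B\nContent-Type: text/plain\n\nhello\n"
    + _part("application/octet-stream", "sample.shs", b"constructed bytes")
    + _part("application/octet-stream", "winmail.dat", TNEF_MAGIC + b"\x00" * 8)
    + _part("text/plain", "notes.txt", b"plain notes")
    + "--B--\n"
).encode()

if __name__ == "__main__":
    for filename, verdict in inspect_message(SAMPLE):
        print(f"{filename}: {verdict}")
```

The TNEF part in the sample is deliberately labelled `application/octet-stream`, so it is caught by the signature bytes after decoding rather than by its declared type.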