Bugtraq mailing list archives

Re: NAI WebShield SMTP does not scan base64 encoding


From: andre.albsmeier () MCHP SIEMENS DE (Andre Albsmeier)
Date: Wed, 21 Jun 2000 14:36:34 +0200


On Tue, 20-Jun-2000 at 17:10:42 -0400, Sato, Ken wrote:
Chris, Destry,

Yes, I've had the same problem too.  Because MS is too selfish to release
the precise specs on the MS-TNEF encoding scheme, NAI is unable to write a
reliable API to decode MS-TNEF.

Hmm, there is a tool on the internet called fentum that decodes
MS-TNEF stuff under Unix. The author said he wrote it based on
some docs from M$.

But, interestingly, the fentum.com domain doesn't exist anymore.
Maybe the M$ people jumped in there and said "Stop that". Wouldn't
surprise me :-(

        -Andre


The workaround for this is to install Groupshield for exchange.
Groupshield is installed at the mail servers, so the MS-TNEF is stripped by
the MS-Exchange before Groupshield scans the files.

Rgds,

 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Ken, Information Security

-----Original Message-----
From: Fronck, Destry [mailto:DFronck () FDIC GOV]
Sent: Tuesday, June 20, 2000 2:38 PM
To: BUGTRAQ () securityfocus com
Subject: Re: NAI WebShield SMTP does not scan base64 encoding


Chris,
This problem is not caused by base64 encoding. It is caused by the message
being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format)
and then getting base64 encoded.
~snip snip

-----Original Message-----
From:        chris.paget () ANALYSYS COM [mailto:chris.paget () ANALYSYS COM]
Sent:        Tuesday, June 20, 2000 9:08 AM
To:  BUGTRAQ () SECURITYFOCUS COM
Subject:     NAI WebShield SMTP does not scan base64 encoding

While investigating today's virus outbreak (Stages.Worm), I noticed
that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50,
DAT 4.0.4082, 14/06/00) was not picking up all attachments.
The server is configured to block all SHS, VBS, etc attachments, and
notify the sender.  However, when these are sent as Base64 encoding
(rather than 8-bit), they are passed by the server, and could
potentially infect the network.  8-bit attachments are successfully
scanned (and blocked if necessary).

Chris
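
The layering discussed in this thread (a TNEF container carried as a base64 MIME part), shown as an added example that is not part of the original messages or of any NAI product: a gateway-side check that decodes each part's transfer encoding first and then recognises TNEF by its signature or content type. The function names, verdict strings and the quarantine policy are assumptions, and the sample message is constructed from inert placeholder bytes.

```python
import email
from email.message import EmailMessage

TNEF_MAGIC = bytes.fromhex("789f3e22")  # TNEF signature 0x223E9F78, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
BLOCKED_EXT = (".shs", ".vbs")  # extensions named in the original report


def inspect_message(raw: bytes) -> list:
    """Return one finding per leaf MIME part, judged on its decoded bytes."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable before any check runs
        body = part.get_payload(decode=True) or b""
        name = (part.get_filename() or "").lower()
        tnef = body.startswith(TNEF_MAGIC) or part.get_content_type() in TNEF_TYPES
        if tnef:
            # Assumed policy: a container the scanner cannot open is not "clean"
            verdict = "quarantine: opaque TNEF container"
        elif name.endswith(BLOCKED_EXT):
            verdict = "block: extension policy"
        else:
            verdict = "pass to scanner"
        findings.append({
            "name": name,
            "cte": part.get("Content-Transfer-Encoding", "7bit").lower(),
            "tnef": tnef,
            "verdict": verdict,
        })
    return findings


def build_sample() -> bytes:
    """Constructed test message: inert placeholder bytes, no real attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(TNEF_MAGIC + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename="winmail.dat")
    msg.add_attachment(b"' constructed placeholder\r\n", maintype="application",
                       subtype="octet-stream", filename="NOTE.VBS")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

The TNEF part is flagged even though it is labelled `application/octet-stream`, because the signature is checked on the decoded bytes rather than on the declared type.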

