SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   McAfee WebShield Vendors:   Network Associates
Network Associates WebShield SMTP Anti-Virus Gateway Fails to Block BadTrans Virus Due to Errors in Processing the MIME Header
SecurityTracker Alert ID:  1002857
SecurityTracker URL:  http://securitytracker.com/id/1002857
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 29 2001
Impact:   Host/resource access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): WebShield SMTP for NT 4.5 and 4.5mr1a
Description:   A vulnerability was reported in the Network Associates WebShield SMTP gateway. It fails to properly decode MIME headers and recognize the viral attachment of the BadTrans virus.

It is reported that WebShield will not block the BadTrans *.scr attachment even if WebShield is configured to filter all messages that have a scr (or pif) attachment. This is reportedly due to the inability of WebShield to properly decode MIME headers.

The vendor has reportedly been notified.

Impact:   A remote user could pass a virus through WebShield.
Solution:   No solution was available at the time of this entry. As a workaround, the vendor recommends adding a content filter rule to disallow messages that contain audio/x-wav in the body of the message. This will reportedly block the affected BadTrans messages but will still not detect the virus.
Vendor URL:  www.nai.com/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass]


Reported to NAI first time 26.11.2001, again 27.11.2001 and every day 
after that.
NAI response is at the end of this mail.

NAI WebShield SMTP for NT 4.5mr1a passes (at least in some 
configurations) attachments
through without virus check or content filter check based on attachment 
name. One such attachment is BadTrans virus.

ENVIROMENT
WinNT4srv, sp6a, secrollup + few other hotfix, WebShield for NT 4.5 or 
4.5mr1a
this can be reproduced with fresh installation.

DESCRIPTION
Main problem is that mail (send by virus) containing BadTrans.b virus 
will pass WebShield. Forwarding same mail outside will result positive 
identification of BadTrans virus. If WebShield has content filter saying 
all messages that has scr (or pif) in attachment name has to be blocked,
this rule does not apply either.

It seems that NAI WebShield SMTP for NT can't handle all mime headers 
properly. One example is below. WebShield can't parse this and it does 
not realize that message has attachment. And because it does not realize 
there is attachment it won't check it for viruses or against attachment 
name.

----SNIP----
Received: FROM xxx.xxx.xxx BY xxx.xxx.xxx ; Mon Nov 26 20:36:21 2001 +0200
Received: from xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:35428 "EHLO
xxx.xxx.xxx") by xxx.xxx.xxx with ESMTP id ;
Mon, 26 Nov 2001 16:01:32 +0200
Received: from xxx.xxx (xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx])
by xxx.xxx.xxx (8.11.4/8.11.2) with SMTP id fAQE1Rc16568
for ; Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Date: Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Message-Id: <200111261401.fAQE1Rc16568@xxx.xxx.xxx>
From: "BadMail" 
To: j.doe@example.com
Subject: Re: CV
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


 

-------- Original Message --------
From: - Thu Nov 29 15:09:24 2001
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
BCC: "jari.helenius" <jari.helenius@kolumbus.fi>
Message-ID: <3C063383.5090508@mawaron.com>
Date: Thu, 29 Nov 2001 15:09:23 +0200
From: Jari Helenius <jari.helenius@mawaron.com>
Organization: Mawaron Oy
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) 
Gecko/20001108 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: vuldb@securityfocus.com
Subject: NAI Webshield SMTP for WinNT MIME header vuln that allows 
BadTrans to pass
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit





--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="NEWS_DOC.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: 

*****ATTACHMENT REMOVED******

--====_ABC1234567890DEF_====

----SNIP----


FIXAROUND
Adding rule in content filter that says if you find mail containing 
audio/x-wav
in body of message will stop those messages.
Virus is still not found, but messages will be blocked.

This will block also all other messages with audio/x-wav in text and all 
messages that has mime header that WebShield does not understand.

OTHER INFORMATION
Needless to say, yes we have latest dat, latest engine, compress checks, all
heuristic on and so on...

It is sad to find out that AV vendor does not care problems they have.
In the other hand, what else can be expected from company that have 
following policy.
If we find problems in our products or if we have hotfix,
we will not inform anyone what we have nor put these fixes available 
(not even readme:s).
If a customer can describe problem that we have already fixed, we might 
send fix to them if we are in good mood.
:-)

Yours
Jari Helenius
Mawaron Oy
jari.helenius@mawaron.com

NAI response and snip of my mail that they responded

NAI RESPONSE
---SNIP---
Dear Jari,

Thank you for the sample. We have determined that this is a known virus
which can be detected and removed.

There may be a problem with WebShield catching this virus.

The first thing we would suggest is to upgrade to 4173 DAT which has
improved detection capability.
If this doesn't help, we recommend that you get in touch with Technical
Support as this is a product issue and it does need to be addressed and
investigated.

The address to send this kind of issues to is: tech-support-europe@nai.com
---SNIP---

Part of my mail they responded to
---SNIP---
I know that this virus can be identified and removed with current dat. 
(we are using WebShield SMTP 4.5mr1a with latest dat and engine and all 
heuristic all attachments and compact options). If I forward received 
mail that has this virus it will be found.

Problem is that Webshield does not recognize that mail has attachment. 
It does not check it; it does not catch it in content filter. And if it 
does not recognize that mail has attachment it does not stop this mail. 
We have verified 12 passed viruses (all with similar headers), 5 
deferred mails (when we stopped mail inside of our network and did let 
webshield check incoming mails, sample was one of those mails.
---SNIP---

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC