Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Security)  >   McAfee WebShield Vendors:   Network Associates
Network Associates WebShield SMTP Virus Scanner Can Be Bypassed With Fragmented 'Partial' E-mail Messages
SecurityTracker Alert ID:  1005220
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 13 2002
Impact:   Host/resource access via network
Exploit Included:  Yes  
Version(s): WebShield SMTP
Description:   A vulnerability was reported in Network Associates WebShield SMTP anti-virus scanning product. A remote user can send malicious e-mail that will bypass the content filtering scanner by fragmenting the message into two or more parts using the MIME 'partial' feature. Other virus scanners may also be affected.

Beyond Security's SecurITeam reported that various SMTP-based content filter engines can be bypassed using the RFC 2046 "Message Fragmentation and Reassembly" feature. A remote user can split a malicious payload into two separate partial MIME sections, with each section sent via a separate e-mail message. RFC compliant mail servers will recombine the fragments. However, the vulnerable content filtering engine will fail to recombine the fragments and, therefore, will not detect the malicious payload.

Impact:   A remote user can send mail that will bypass the content filtering engine.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  Re: Bypassing SMTP Content Protection with a Flick of a Button

Regarding NAI Webshield;

Webshield Solaris, e250 and e500 all reassemble the messages and correctly
scan them.

Webshield SMTP (ie for NT/2000) does not follow the RFC, and the messages
are blindly passed on, bypassing content filters, virus checking etc.

-----Original Message-----
From: Aviram Jenik []
Sent: 12 September 2002 14:45
Subject: Bypassing SMTP Content Protection with a Flick of a Button

  Bypassing SMTP Content Protection with a Flick of a Button

Article reference:



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC