SecurityTracker.com
Category:   Application (Security)  >   McAfee WebShield
Vendors:   Network Associates
WebShield SMTP for Windows NT Lets Remote Users Send Executables Through the Filter
SecurityTracker Alert ID:  1007189
SecurityTracker URL:  http://securitytracker.com/id/1007189
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 14 2003
Impact:   Host/resource access via network
Exploit Included:  Yes  

Description:   Paul Kurczaba reported a vulnerability in WebShield SMTP for Windows NT. A remote user can send an executable attachment through the filter even when the system is configured to block such attachments.

It is reported that a remote user can send an e-mail message containing an executable attachment through the content filter (even when it is set to block executables) by also attaching a virus-infected file. The system will reportedly delete and quarantine the infected attachment and provide the recipient with a warning message. However, the system will also deliver the virus-free executable as an attachment to the e-mail message. If the executable contains a virus, the executable will be blocked, the report indicated.

The vendor has reportedly been notified without response.

Impact:   A remote user can send an e-mail message containing a (virus-free) executable attachment through the content filter to a recipient.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.nai.com/
Cause:   State error
Underlying OS:  Windows (NT)

Message History:   None.


 Source Message Contents

Subject:  NAI WebShield SMTP for Windows NT Content Filter can be bypassed




Summary

---------------------------------

It is possible to bypass the content filter in WebShield SMTP for
Windows NT.



Affected Systems/Configuration

---------------------------------
The version of WebShield on which I performed the test is WebShield
4.5 MR1a. WebShield is configured to scan messages for viruses (all
extensions), even files in .zip files. The content filter is set to
block messages that have .exe attachments.



Vulnerability/Exploit

---------------------------------

The test message I sent to the WebShield server contained two
attachments: The first was Project1.exe, a harmless application that I
wrote in Visual Basic. The second was testfile.zip. In testfile.zip
there was a file, eicar.txt, which contained the 'EICAR Test File Virus'.



When the message is processed by WebShield, it will detect the virus in
testfile.zip, then delete and quarantine the file. Then, even though
Project1.exe contains the extension .exe, the message fails to be
blocked by WebShield. The recipient will receive the
following attachments: Project1.exe, and WARNING0.txt (Message from
WebShield).



The second test that I did contained two files, Project1.exe, and
file.txt (blank text file). WebShield spotted Project1.exe and blocked
the message as expected.



It seems that if an attachment contains a virus, WebShield will
not process the remaining attachments through the Content Filter.



Workaround

---------------------------------

I have not found a workaround for this vulnerability.



Vendor Status

---------------------------------

I notified Network Associates, but have not yet received a response.



Credit

---------------------------------

Paul Kurczaba

pkurczaba@att.net

http://www.myipis.com
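The control flow the report infers, modelled as an added example (this is not WebShield code and not part of the original report): a flawed pipeline where a virus hit diverts the message past the extension policy, beside a hardened one that applies every check to every attachment. The names `Attachment`, `filter_flawed`, `filter_hardened` and the test marker are assumptions, and the archive is modelled as raw bytes rather than unpacked.

```python
# Toy model of the reported behaviour; all names and sample data are constructed.
from collections import namedtuple

Attachment = namedtuple("Attachment", "name data")

BLOCKED_EXTENSIONS = (".exe",)                   # content-filter policy from the report
TEST_SIGNATURE = b"CONSTRUCTED-AV-TEST-MARKER"   # stand-in for the EICAR test string

def is_infected(att):
    """Anti-virus stage: flag any attachment carrying the test marker."""
    return TEST_SIGNATURE in att.data

def violates_policy(att):
    """Content-filter stage: flag attachments with a blocked extension."""
    return att.name.lower().endswith(BLOCKED_EXTENSIONS)

def filter_flawed(attachments):
    """Assumed flaw: a virus hit moves the message onto a 'clean and deliver'
    path, so the extension policy is never evaluated for that message."""
    if any(is_infected(a) for a in attachments):
        kept = [a.name for a in attachments if not is_infected(a)]
        return ("deliver", kept + ["WARNING0.txt"])
    if any(violates_policy(a) for a in attachments):
        return ("block", [])
    return ("deliver", [a.name for a in attachments])

def filter_hardened(attachments):
    """Every stage sees every attachment; the strictest verdict wins."""
    if any(violates_policy(a) for a in attachments):
        return ("block", [])
    kept = [a.name for a in attachments if not is_infected(a)]
    if len(kept) != len(attachments):
        kept.append("WARNING0.txt")   # warn the recipient about removed files
    return ("deliver", kept)

# Constructed messages mirroring the two tests described in the report.
TEST_1 = [Attachment("Project1.exe", b"MZ harmless"),
          Attachment("testfile.zip", b"PK" + TEST_SIGNATURE)]
TEST_2 = [Attachment("Project1.exe", b"MZ harmless"),
          Attachment("file.txt", b"")]

if __name__ == "__main__":
    for label, msg in (("test 1", TEST_1), ("test 2", TEST_2)):
        print(label, "flawed:", filter_flawed(msg), "hardened:", filter_hardened(msg))
```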



 
 



Copyright 2020, SecurityGlobal.net LLC