<<< Date Index >>>     <<< Thread Index >>>

Corsaire Security Advisory - Clearswift MAILsweeper multiple encoding/compression issues



-- Corsaire Security Advisory --

Title: Clearswift MAILsweeper multiple encoding/compression issues
Date: 07.08.03
Application: Clearswift MAILsweeper prior to 4.3.15
Environment: Windows 2000 
Author: Martin O'Neal [martin.oneal@xxxxxxxxxxxx]
Audience: General distribution 
Reference: c030807-001


-- Scope --

The aim of this document is to clearly define a MIME attachment evasion 
issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1] 


-- History --

Discovered: 07.08.03 
Vendor notified verbally: 26.08.03 
Vendor notified in writing: 05.11.03 
Vendor patch released: 05.08.04 
Document released: 13.08.04

As per the normal process for dealing with Clearswift, after months of 
requesting a status update on these issues (without any response), the 
patches for these vulnerabilities have been released without any 
discussion or coordination with ourselves, and as is becoming the norm, 
completely unattributed. 


-- Overview --

The MAILsweeper product provides policy based, email content security 
functionality. Part of this functionality allows the product to block 
attachments based on the type of content (i.e. executable) or name of 
the attachment.

Encoding and compression technology is now commonly used to make the 
transfer of data by email more efficient. Due to this, it is essential 
that a product such as MAILsweeper can detect and analyse the content 
contained within, or at least "fail closed" if a positive identification 
cannot be made.

However, MAILsweeper does not detect a number of common compression 
formats (for which it is listed as compatible) and in certain 
circumstances also fails to identify the name of file attachments when 
they are encoded.


-- Analysis --

The MAILsweeper attachment detection functionality works by recursively 
analysing the email message body for container constructs (such as MIME 
and compressed archives etc.), decoding these and then comparing the 
contents against a predefined policy.

The current product spec sheet [2] lists that the product is compatible 
with "ARJ (including self-extracting ARJ), GZip, RAR, TAR, PGP, LZH, 
LHA, CMP, ZIP (multiple variants), BinHex and CAB, MIME, UUE, TNEF, and 
binary". This is a subset of the available compression formats, but does 
cover the majority of those in common use.

For analysis purposes, a collection of the freely available compression 
tools was assembled. A sample executable file was then added to each 
container type and then these were passed through a MAILsweeper host 
configured with the latest available patches (CS MAILsweeper 4.3 for 
SMTP Hotfix 4.3.10 and Technology Update 1.4.10).

The results were as per the following table. Where version information 
for the archive tool was available, it is listed:


Encoding           Listed    Detected Content   Detected filenames

7ZIP (2.30) ........ No ........... No ................ No 
ACE (2.2) .......... No ........... No ................ No 
ARC (6.0) .......... No ........... No ................ No 
ARJ (2.81) ......... Yes .......... Yes ............... Yes 
BH ................. No ........... No ................ No 
BASE64 ............. No ........... Yes ............... n/a 
Binary ............. Yes .......... Yes ............... n/a 
BINHEX ............. Yes .......... Yes ............... No 
BZIP2 (1.0.2) ...... No ........... No ................ No 
CAB ................ Yes .......... Yes ............... Yes
CMP ................ Yes .......... Not tested ........ Not tested 
COMPRESS (4.2.4) ... No ........... Yes ............... Yes 
GZIP (1.2.4) ....... Yes .......... Yes ............... Yes 
HAP (3.05) ......... No ........... No ................ No 
HPK (.78a0) ........ No ........... No ................ No 
IMG ................ No ........... No ................ No 
JAR ................ No ........... Yes ............... Yes 
LHA (2.55e) ........ Yes .......... Yes ............... Yes 
LZH (1.13c) ........ Yes .......... Yes ............... Yes 
MIME ............... Yes .......... Yes ............... Yes 
PAK (2.51) ......... No ........... No ................ No 
PGP ................ Yes .......... Yes ............... Yes 
RAR (2.90) ......... Yes .......... Yes ............... Yes 
RAR (3.20) ......... Yes .......... No ................ No 
RAWRITE (0.7) ...... No ........... No ................ No 
DOS TAR (1.12) ..... Yes .......... As Undetermined ... As Undetermined
UNIX TAR (1.13) .... Yes .......... As Undetermined ... As Undetermined
TNEF ............... Yes .......... Yes ............... Yes 
UUE ................ Yes .......... Yes ............... n/a 
ZIP (2.04g) ........ Yes .......... Yes ............... Yes 
ZIP (6.0d) ......... Yes .......... As Undetermined ... As Undetermined
ZOO (2.1) .......... No ........... No ................ No 


Note: The CMP compression format was not analysed as the tool appears to 
be available on the Mac only and a suitable platform was not on hand 
during testing.

In summary: 

- There are a significant number of common formats that are not detected
  by MAILsweeper (most notably the newer formats like 7ZIP and ACE). 
- The TAR format that is listed as compatible doesn't seem to be 
  supported, producing a "corrupt" error for all versions tested.
- Several formats that are listed as compatible are actually version 
  dependent (RAR and ZIP).
- The BinHex (HQX) format is detected but it does not expose the 
  filenames contained within to scrutiny.

The MAILsweeper product works from a starting position of allowing all 
content to pass, then specifically blocking undesirable attachments. By 
virtue of the encoding formats not being detected, the container and the 
contents are passed through the system without being analysed.


-- Recommendations --

Clearswift have released the 4.3.15 hotfix that corrects these issues. 
This should be applied to all existing installations where appropriate.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
Multiple numbers to this issue: 

CAN-2003-0928 Clearswift MAILsweeper RAR 3.20 container detection issue
CAN-2003-0929 Clearswift MAILsweeper ZIP 6.0 container detection issue
CAN-2003-0930 Clearswift MAILsweeper HQX container filename detection issue

These are candidates for inclusion in the CVE list, which standardises 
names for security problems (http://cve.mitre.org). 


-- References --

[1] http://www.clearswift.com
[2] http://www.clearswift.com/products/msw/smtp/techspec.asp


-- Revision --

a. Initial release.
b. Added CVE reference.
c. Revised to include vendor patch.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2003 Corsaire Limited. All rights reserved.