
IRM 019: MailMarshal 6.1 SMTP MTA Content Filter Bypass



MailMarshal 6.1 SMTP MTA Content Filter Bypass

Vulnerability Type / Importance: Active Content Filter Bypass / High

Problem Discovered: 24 February 2006
Vendor Contacted: 24 February 2006
Advisory Published: 5 June 2006
-------------------------------------------------

Abstract:

Marshal MailMarshal SMTP Server is a popular corporate SMTP e-mail and spam
filter application available on the Microsoft Windows Server platform.

Description:

An active content filter bypass condition exists in MailMarshal's handling
of ACE archives.

Technical Details:

MailMarshal 6.1 SMTP Server does not unpack and analyse the content of ACE
archives, so in a default configuration any active content filter can be
circumvented. For example, by compressing an executable file within an ACE
archive it is possible to bypass the executable blocking content filters. In
short, any file that a content filter would block can still be delivered to
a recipient (internal or external) from any source, simply by compressing
the file within an ACE archive.

Vendor & Patch Information:

Marshal has stated that this is not a vulnerability within the product and
as such, no patches are available. However, Marshal has issued the following
workaround for the issue:

"Obtaining the external ACE unpacking utility:

1.) download the following from WinACE: http://www.winace.com/files/ace26.exe
2.) double click ace26.exe, and enter "Y" in the command prompt that opens to
extract its contents
3.) locate "unace32.exe" in the extracted files.
4.) place "unace32.exe" in the MailMarshal installation directory on EACH
NODE in the array if they have multiples
(default: C:\Program Files\NetIQ\MailMarshal\)

Enabling the Unpacker to extract ACE contents:

1.) open regedit on the Array Manager system, and navigate to
HKEY_LOCAL_MACHINE\Software\NetIQ\MailMarshal\
2.) make note of whether the "Default" key is solely named "Default" or if it
is named "Default(1)"
3.) download the attached registry file to the system where the Array Manager
resides
4.) if the key noted in step 2 is "Default(1)", make this change
accordingly within the attached registry file
5.) rename the attached file from "ACEunpack.rename" to "ACEUnpack.reg"
6.) double click the newly created REG file to apply the changes to the
registry
7.) commit configuration changes, and restart the MMController
service on each node of the array (thus restarting all dependent services as
well, most importantly the MMEngine)"

http://www.marshal.com

Workaround:

Deploy Marshal's workaround described above, or explicitly block the ACE file
extension. Note that an extension block only catches attachments that are
actually named *.ace; an ACE archive renamed to another extension is still
not unpacked and still passes the filter.
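The check below is an added illustration of the two workarounds and their limits; it is not MailMarshal code and not part of the vendor's workaround. It contrasts a name-only policy (block the ACE extension) with a content-aware one that recognises an ACE archive by the "**ACE**" signature at offset 7 of its main header and fails closed on any container the filter cannot open. The sample attachments, the ACE header bytes (dummy CRC and flags, not a valid archive) and the policy sets are all constructed for the example.

```python
"""
Attachment policy check: identify ACE archives by header signature rather
than by filename, and block containers the filter cannot unpack.
Added example for the MailMarshal ACE advisory; not vendor code.
"""
import struct

# ACE main header (first 14 bytes): HEAD_CRC(2) HEAD_SIZE(2) HEAD_TYPE(1)
# HEAD_FLAGS(2), followed by the 7-byte signature "**ACE**" at offset 7.
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7

# Extensions the filter blocks outright (constructed policy). "ace" is
# included, as the advisory's workaround suggests; the samples below show
# why that alone is not enough.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "ace"}

# Container formats this hypothetical filter can actually unpack and inspect.
INSPECTABLE_ARCHIVES = {"zip"}


def extension(filename: str) -> str:
    """Lower-cased final extension, or '' if the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def sniff(data: bytes) -> str:
    """Identify the attachment by its content, ignoring the filename."""
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "exe"
    return "unknown"


def verdict_by_extension(filename: str) -> str:
    """Name-only policy: what 'explicitly block the ACE extension' gives you."""
    return "block" if extension(filename) in BLOCKED_EXTENSIONS else "allow"


def verdict_by_content(filename: str, data: bytes) -> str:
    """Content-aware policy: block executables, fail closed on containers the
    filter cannot open, and hand inspectable archives to the unpacker."""
    kind = sniff(data)
    if kind == "exe" or extension(filename) in BLOCKED_EXTENSIONS:
        return "block"
    if kind == "ace" and "ace" not in INSPECTABLE_ARCHIVES:
        return "block"   # no unpacker configured for ACE: do not let it through
    if kind in INSPECTABLE_ARCHIVES:
        return "unpack"  # members then get the same checks, recursively
    return "allow"


def fake_ace_header() -> bytes:
    """Constructed 14-byte ACE main header (dummy CRC, size, type and flags)
    followed by padding. Enough to exercise the signature check; not a valid
    archive."""
    return struct.pack("<HHBH", 0, 14, 0, 0) + ACE_MAGIC + b"\x00" * 32


# Constructed sample attachments: name -> content.
SAMPLES = {
    "setup.exe":  b"MZ" + b"\x90" * 62,       # PE stub, blocked by both policies
    "tools.ace":  fake_ace_header(),           # ACE with an honest extension
    "tools.dat":  fake_ace_header(),           # same ACE bytes, renamed
    "report.zip": b"PK\x03\x04" + b"\x00" * 26,
}


def evaluate_samples() -> dict:
    """Return {name: (extension_verdict, content_verdict)} for the samples."""
    return {name: (verdict_by_extension(name), verdict_by_content(name, data))
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in evaluate_samples().items():
        print(f"{name:12} extension-only={by_ext:6} content-aware={by_content}")
```

Running it shows the gap: `tools.ace` is blocked by both policies, but `tools.dat` carrying the same ACE bytes passes the extension-only check and is only caught by the signature check. The content-aware policy also treats any archive it cannot unpack as a block rather than an allow, which is the behaviour MailMarshal lacked by default for ACE.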

Tested Versions:

MailMarshal SMTP Server 6.1 on Windows Server 2003

Credits: 

Research & Advisory: O Aziz

Disclaimer: 

All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. Information Risk Management Plc is not responsible
for any risks or occurrences caused by the application of this information.

About IRM:

IRM is a product independent information security consultancy based in the
UK, Hong Kong, Spain and Dubai.

http://www.irmplc.com