NAI Webshield SMTP for WinNT MIME header vuln that allows BadTrans to pass]

[Jari Helenius <jari.helenius () mawaron com>]

Reported to NAI first time 26.11.2001, again 27.11.2001 and every day 
after that.
NAI response is at the end of this mail.

NAI WebShield SMTP for NT 4.5mr1a passes (at least in some 
configurations) attachments
through without virus check or content filter check based on attachment 
name. One such attachment is BadTrans virus.

ENVIROMENT
WinNT4srv, sp6a, secrollup + few other hotfix, WebShield for NT 4.5 or 
4.5mr1a
this can be reproduced with fresh installation.

DESCRIPTION
Main problem is that mail (send by virus) containing BadTrans.b virus 
will pass WebShield. Forwarding same mail outside will result positive 
identification of BadTrans virus. If WebShield has content filter saying 
all messages that has scr (or pif) in attachment name has to be blocked,
this rule does not apply either.

It seems that NAI WebShield SMTP for NT can't handle all mime headers 
properly. One example is below. WebShield can't parse this and it does 
not realize that message has attachment. And because it does not realize 
there is attachment it won't check it for viruses or against attachment 
name.

----SNIP----
Received: FROM xxx.xxx.xxx BY xxx.xxx.xxx ; Mon Nov 26 20:36:21 2001 +0200
Received: from xxx.xxx.xxx ([xxx.xxx.xxx.xxx]:35428 "EHLO
xxx.xxx.xxx") by xxx.xxx.xxx with ESMTP id ;
Mon, 26 Nov 2001 16:01:32 +0200
Received: from xxx.xxx (xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx])
by xxx.xxx.xxx (8.11.4/8.11.2) with SMTP id fAQE1Rc16568
for ; Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Date: Mon, 26 Nov 2001 16:01:27 +0200 (EET)
Message-Id: <200111261401.fAQE1Rc16568 () xxx xxx xxx>
From: "BadMail" 
To: j.doe () example com
Subject: Re: CV
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable




-------- Original Message --------
From: - Thu Nov 29 15:09:24 2001
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
BCC: "jari.helenius" <jari.helenius () kolumbus fi>
Message-ID: <3C063383.5090508 () mawaron com>
Date: Thu, 29 Nov 2001 15:09:23 +0200
From: Jari Helenius <jari.helenius () mawaron com>
Organization: Mawaron Oy
User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) 
Gecko/20001108 Netscape6/6.0
X-Accept-Language: en
MIME-Version: 1.0
To: vuldb () securityfocus com
Subject: NAI Webshield SMTP for WinNT MIME header vuln that allows 
BadTrans to pass
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit





--====_ABC0987654321DEF_====--

--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="NEWS_DOC.DOC.scr"
Content-Transfer-Encoding: base64
Content-ID: 

*****ATTACHMENT REMOVED******

--====_ABC1234567890DEF_====

----SNIP----


FIXAROUND
Adding rule in content filter that says if you find mail containing 
audio/x-wav
in body of message will stop those messages.
Virus is still not found, but messages will be blocked.

This will block also all other messages with audio/x-wav in text and all 
messages that has mime header that WebShield does not understand.

OTHER INFORMATION
Needless to say, yes we have latest dat, latest engine, compress checks, all
heuristic on and so on...

It is sad to find out that AV vendor does not care problems they have.
In the other hand, what else can be expected from company that have 
following policy.
If we find problems in our products or if we have hotfix,
we will not inform anyone what we have nor put these fixes available 
(not even readme:s).
If a customer can describe problem that we have already fixed, we might 
send fix to them if we are in good mood.
:-)

Yours
Jari Helenius
Mawaron Oy
jari.helenius () mawaron com

NAI response and snip of my mail that they responded

NAI RESPONSE
---SNIP---
Dear Jari,

Thank you for the sample. We have determined that this is a known virus
which can be detected and removed.

There may be a problem with WebShield catching this virus.

The first thing we would suggest is to upgrade to 4173 DAT which has
improved detection capability.
If this doesn't help, we recommend that you get in touch with Technical
Support as this is a product issue and it does need to be addressed and
investigated.

The address to send this kind of issues to is: tech-support-europe () nai com
---SNIP---

Part of my mail they responded to
---SNIP---
I know that this virus can be identified and removed with current dat. 
(we are using WebShield SMTP 4.5mr1a with latest dat and engine and all 
heuristic all attachments and compact options). If I forward received 
mail that has this virus it will be found.

Problem is that Webshield does not recognize that mail has attachment. 
It does not check it; it does not catch it in content filter. And if it 
does not recognize that mail has attachment it does not stop this mail. 
We have verified 12 passed viruses (all with similar headers), 5 
deferred mails (when we stopped mail inside of our network and did let 
webshield check incoming mails, sample was one of those mails.
---SNIP---