CVE-2003-0928
CVSS7.5
发布时间 :2004-09-28 00:00:00
修订时间 :2016-10-17 22:38:18
NMCOPS    

[原文]Clearswift MAILsweeper before 4.3.15 does not properly detect and filter RAR 3.20 encoded files, which allows remote attackers to bypass intended policy.


[CNNVD]SMTP Archive Clearswift MAILsweeper过滤器绕过漏洞(CNNVD-200409-061)

        Clearswift MAILsweeper 4.3.15以前的版本存在错误检测过滤RAR 3.20编码文件漏洞。远程攻击者可以利用该漏洞绕过预定策略。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0928
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0928
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200409-061
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=109241692108678&w=2
(UNKNOWN)  BUGTRAQ  20040813 Corsaire Security Advisory - Clearswift MAILsweeper multiple encoding/compression issues
http://www.corsaire.com/advisories/c030807-001.txt
(UNKNOWN)  MISC  http://www.corsaire.com/advisories/c030807-001.txt

- 漏洞信息

SMTP Archive Clearswift MAILsweeper过滤器绕过漏洞
高危 设计错误
2004-09-28 00:00:00 2005-10-20 00:00:00
远程  
        Clearswift MAILsweeper 4.3.15以前的版本存在错误检测过滤RAR 3.20编码文件漏洞。远程攻击者可以利用该漏洞绕过预定策略。

- 公告与补丁

        MAILsweeper for SMTP 4.3.15 is available to address this issue. Please contact the vendor to obtain the fixed version. This information has not been confirmed by Symantec.

- 漏洞信息 (F34048)

Corsaire Security Advisory 2003-08-07.1 (PacketStormID:F34048)
2004-08-14 00:00:00
Martin O'Neal,Corsaire  corsaire.com
advisory
CVE-2003-0928,CVE-2003-0929,CVE-2003-0930
[点击下载]

Corsaire Security Advisory - Clearswift MAILsweeper versions prior to 4.3.15 do not detect a number of common compression formats, for which it is listed as compatible, and in certain circumstances also fails to identify the name of file attachments when they are encoded.

-- Corsaire Security Advisory --

Title: Clearswift MAILsweeper multiple encoding/compression issues
Date: 07.08.03
Application: Clearswift MAILsweeper prior to 4.3.15
Environment: Windows 2000 
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution 
Reference: c030807-001


-- Scope --

The aim of this document is to clearly define a MIME attachment evasion 
issue in the MAILsweeper product, as supplied by Clearswift Ltd. [1] 


-- History --

Discovered: 07.08.03 
Vendor notified verbally: 26.08.03 
Vendor notified in writing: 05.11.03 
Vendor patch released: 05.08.04 
Document released: 13.08.04

As per the normal process for dealing with Clearswift, after months of 
requesting a status update on these issues (without any response), the 
patches for these vulnerabilities have been released without any 
discussion or coordination with ourselves, and as is becoming the norm, 
completely unattributed. 


-- Overview --

The MAILsweeper product provides policy based, email content security 
functionality. Part of this functionality allows the product to block 
attachments based on the type of content (i.e. executable) or name of 
the attachment.

Encoding and compression technology is now commonly used to make the 
transfer of data by email more efficient. Due to this, it is essential 
that a product such as MAILsweeper can detect and analyse the content 
contained within, or at least "fail closed" if a positive identification 
cannot be made.

However, MAILsweeper does not detect a number of common compression 
formats (for which it is listed as compatible) and in certain 
circumstances also fails to identify the name of file attachments when 
they are encoded.


-- Analysis --

The MAILsweeper attachment detection functionality works by recursively 
analysing the email message body for container constructs (such as MIME 
and compressed archives etc.), decoding these and then comparing the 
contents against a predefined policy.

The current product spec sheet [2] lists that the product is compatible 
with "ARJ (including self-extracting ARJ), GZip, RAR, TAR, PGP, LZH, 
LHA, CMP, ZIP (multiple variants), BinHex and CAB, MIME, UUE, TNEF, and 
binary". This is a subset of the available compression formats, but does 
cover the majority of those in common use.

For analysis purposes, a collection of the freely available compression 
tools was assembled. A sample executable file was then added to each 
container type and then these were passed through a MAILsweeper host 
configured with the latest available patches (CS MAILsweeper 4.3 for 
SMTP Hotfix 4.3.10 and Technology Update 1.4.10).

The results were as per the following table. Where version information 
for the archive tool was available, it is listed:


Encoding           Listed    Detected Content   Detected filenames

7ZIP (2.30) ........ No ........... No ................ No 
ACE (2.2) .......... No ........... No ................ No 
ARC (6.0) .......... No ........... No ................ No 
ARJ (2.81) ......... Yes .......... Yes ............... Yes 
BH ................. No ........... No ................ No 
BASE64 ............. No ........... Yes ............... n/a 
Binary ............. Yes .......... Yes ............... n/a 
BINHEX ............. Yes .......... Yes ............... No 
BZIP2 (1.0.2) ...... No ........... No ................ No 
CAB ................ Yes .......... Yes ............... Yes
CMP ................ Yes .......... Not tested ........ Not tested 
COMPRESS (4.2.4) ... No ........... Yes ............... Yes 
GZIP (1.2.4) ....... Yes .......... Yes ............... Yes 
HAP (3.05) ......... No ........... No ................ No 
HPK (.78a0) ........ No ........... No ................ No 
IMG ................ No ........... No ................ No 
JAR ................ No ........... Yes ............... Yes 
LHA (2.55e) ........ Yes .......... Yes ............... Yes 
LZH (1.13c) ........ Yes .......... Yes ............... Yes 
MIME ............... Yes .......... Yes ............... Yes 
PAK (2.51) ......... No ........... No ................ No 
PGP ................ Yes .......... Yes ............... Yes 
RAR (2.90) ......... Yes .......... Yes ............... Yes 
RAR (3.20) ......... Yes .......... No ................ No 
RAWRITE (0.7) ...... No ........... No ................ No 
DOS TAR (1.12) ..... Yes .......... As Undetermined ... As Undetermined
UNIX TAR (1.13) .... Yes .......... As Undetermined ... As Undetermined
TNEF ............... Yes .......... Yes ............... Yes 
UUE ................ Yes .......... Yes ............... n/a 
ZIP (2.04g) ........ Yes .......... Yes ............... Yes 
ZIP (6.0d) ......... Yes .......... As Undetermined ... As Undetermined
ZOO (2.1) .......... No ........... No ................ No 


Note: The CMP compression format was not analysed as the tool appears to 
be available on the Mac only and a suitable platform was not on hand 
during testing.

In summary: 

- There are a significant number of common formats that are not detected
  by MAILsweeper (most notably the newer formats like 7ZIP and ACE). 
- The TAR format that is listed as compatible doesn't seem to be 
  supported, producing a "corrupt" error for all versions tested.
- Several formats that are listed as compatible are actually version 
  dependent (RAR and ZIP).
- The BinHex (HQX) format is detected but it does not expose the 
  filenames contained within to scrutiny.

The MAILsweeper product works from a starting position of allowing all 
content to pass, then specifically blocking undesirable attachments. By 
virtue of the encoding formats not being detected, the container and the 
contents are passed through the system without being analysed.


-- Recommendations --

Clearswift have released the 4.3.15 hotfix that corrects these issues. 
This should be applied to all existing installations where appropriate.


-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
Multiple numbers to this issue: 

CAN-2003-0928 Clearswift MAILsweeper RAR 3.20 container detection issue
CAN-2003-0929 Clearswift MAILsweeper ZIP 6.0 container detection issue
CAN-2003-0930 Clearswift MAILsweeper HQX container filename detection issue

These are candidates for inclusion in the CVE list, which standardises 
names for security problems (http://cve.mitre.org). 


-- References --

[1] http://www.clearswift.com
[2] http://www.clearswift.com/products/msw/smtp/techspec.asp


-- Revision --

a. Initial release.
b. Added CVE reference.
c. Revised to include vendor patch.


-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 


-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.


-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 
http://www.penetration-testing.com 


Copyright 2003 Corsaire Limited. All rights reserved. 

    

- 漏洞信息

8844
MAILsweeper for SMTP Attachment Blocking Bypass
Remote / Network Access Misconfiguration
Impact Unknown
Exploit Public

- 漏洞描述

Clearswift MAILsweeper contains a flaw that may allow a malicious user to bypass SMTP attachment blocking. The issue is triggered when MAILsweeper does not properly filter and/or block certain types of compression formats. It is possible that the flaw may allow an attacker to bypass remote SMTP attachment blocking.

- 时间线

2004-08-13 2003-08-07
2004-08-13 Unknow

- 解决方案

Upgrade to version 4.3_15 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

- 漏洞信息

Clearswift MAILsweeper for SMTP Archive File Filtering Bypass Vulnerability
Design Error 10940
Yes No
2004-08-13 12:00:00 2009-07-12 06:16:00
Discovery is credited to Corsaire.

- 受影响的程序版本

Clearswift MailSweeper 4.3.14
Clearswift MailSweeper 4.3.13
Clearswift MailSweeper 4.3.11
Clearswift MailSweeper 4.3.10
Clearswift MailSweeper 4.3.8
Clearswift MailSweeper 4.3.7
Clearswift MailSweeper 4.3.6 SP1
Clearswift MailSweeper 4.3.6
Clearswift MailSweeper 4.3.5
Clearswift MailSweeper 4.3.4
Clearswift MailSweeper 4.3.3
Clearswift MailSweeper 4.3
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
Clearswift MailSweeper 4.2
Clearswift MailSweeper 4.1
Clearswift MailSweeper 4.0
Clearswift MailSweeper 4.3.15

- 不受影响的程序版本

Clearswift MailSweeper 4.3.15

- 漏洞讨论

It is reported that MAILsweeper for SMTP does not filter malicious archives of various formats. The application does not detect malicious content or file names of archives contained in email. Some of the formats not detected by the application include 7ZIP, ACE, ARC, BH, BZIP2, HAP, HPK, IMG, PAK, RAR, and ZOO.

Successful exploitation may allow malicious code to be executed on client systems. Exploitation can only occur if a user executes a malicious attachment and malicious files must also bypass any local anti virus software.

MAILsweeper for SMTP versions prior to 4.3.15 are reported affected by this issue. This issue may be related to BID 8982 (Clearswift MAILsweeper for SMTP Zip Archive Filtering Bypass Vulnerability).

- 漏洞利用

No exploit is required.

- 解决方案

MAILsweeper for SMTP 4.3.15 is available to address this issue. Please contact the vendor to obtain the fixed version. This information has not been confirmed by Symantec.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站