发布时间 :2004-10-20 00:00:00
修订时间 :2017-07-10 21:29:56

[原文]Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients.



- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20040914 Corsaire Security Advisory - Multiple vendor MIME RFC822 comment issue
(UNKNOWN)  XF  mime-rfc822-filtering-bypass(17332)

- 漏洞信息

高危 其他
2004-10-20 00:00:00 2006-08-22 00:00:00

- 公告与补丁

        plDaniels have released ripMime to address this issue.
        F-Secure will be releasing Internet Gatekeeper 6.41 to address this issue in Q4/04.
        plDaniels ripMime 1.2 .0
        plDaniels ripMime 1.2.1
        plDaniels ripMime 1.2.2
        plDaniels ripMime 1.2.3
        plDaniels ripMime 1.2.4
        plDaniels ripMime 1.2.5
        plDaniels ripMime 1.2.6
        plDaniels ripMime 1.2.7
        plDaniels ripMime 1.3.2 .3
        plDaniels ripMime 1.3.2 .0
        plDaniels ripMime 1.3.2 .2

- 漏洞信息 (F34359)

Corsaire Security Advisory 2003-08-04.9 (PacketStormID:F34359)
2004-09-15 00:00:00
Martin O'Neal,Corsaire

Corsaire Security Advisory - By using malformed MIME encapsulation techniques centered on the presence of fields containing an RFC822 comment, embedded file attachment blocking functionality can be evaded.

-- Corsaire Security Advisory --

Title: Multiple vendor MIME RFC822 comment issue
Date: 04.08.03
Application: various
Environment: various
Author: Martin O'Neal []
Audience: General distribution
Reference: c030804-009

-- Scope --

The aim of this document is to clearly define a MIME content evasion 
issue that affects a variety of products including; browsers, proxy 
servers, email clients, content security gateways and antivirus 

-- History --

Discovered: 04.08.03 (Martin O'Neal)
NISCC notified: 19.02.04
Document released: 13.09.04

-- Overview --

There are a number of content security gateway and antivirus products 
available that provide policy based security functionality. Part of this 
functionality allows the products to block embedded file attachments 
based on their specific content type, such as executables or those 
containing viruses. However, by using malformed MIME encapsulation 
techniques centred on the presence of fields containing an RFC822 
comment, this functionality can be evaded. 

-- Analysis --

The MIME standards are intended to provide a common mechanism to 
exchange data between systems and are used extensively by protocols such 
as HTTP and SMTP. The structure of a MIME message is defined in RFC2045 
[1], which in turn makes use of concepts introduced in RFC822 [2] 
(superseded by RFC2822 [3]).

The standards define a range of fields that control how data is encoded 
within the transport, and how it should be interpreted by the receiving 
agent. RFC822 [2] states "A comment is a set of ASCII characters, which 
is enclosed in matching parentheses and which is not within a quoted-
string. The comment construct permits message originators to add text 
which will be useful for human readers, but which will be ignored by the 
formal semantics. Comments should be retained while the message is 
subject to interpretation according to this standard.  However, comments 
must NOT be included in other cases, such as during protocol exchanges 
with mail servers". 

The implementation of the commenting standard has not been universal by 
all of the vendors. For many products, such as email clients and 
browsers, this scope for variation might only result in some unreliable 
behaviour. However, for a collection of security products, being unaware 
of the various ways that the standard has been implemented can lead to 
more serious results, as the products may fail to detect a threat within 
the data stream.

When a receiving agent is presented with a MIME message that contains an 
unexpected RFC822 comment, it tends to respond in one of three broad 

- It identifies the MIME message as malformed and blocks it.
- It fails to interpret the MIME field (or message).
- It correctly interprets the MIME field (or message).

The first of the three would be the correct behaviour for a security 
conscious product, but based on empirical research this is not the 
common result for a number of scenarios. 

The RFC822 comment issue has been observed to affect many of the 
security products. To use this issue as an attack vector, all that is 
required is to identify a target that has a client agent that 
successfully interprets the RFC822 comment correctly, where any security 
products that protect it do not.

-- Recommendations --

To be effective tools, the security products must not only be able to 
process encoding techniques implemented as per the relevant standard, 
but also common misinterpretations and deliberate corruptions.

As an ongoing process, a study project should be undertaken by the 
vendors to identify applications that routinely decode MIME objects and 
have a liberal interpretation of the MIME standard. 

NISCC have produced a document consolidating a number of vendor 
statements on these issues [4]. Contact your vendor directly to 
establish whether you are affected by these issues.

-- Background --

This issue was discovered using a custom SMTP/HTTP vulnerability 
analysis tool developed by Corsaire's security assessment team. This 
tool is not available publicly, but is an example of the specialist 
approach used by Corsaire's consultants as part of a commercial security 
assessment. To find out more about the cutting edge services provided by 
Corsaire simply visit our web site at

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-0162 to this issue. This is a candidate for
inclusion in the CVE list (, which standardises
names for security problems.

-- References --


-- Revision --

a. Initial release.
b. Added CVE reference.
c. Released.

-- Distribution --

This security advisory may be freely distributed, provided that it 
remains unaltered and in its original form. 

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with 
no warranties or guarantees of fitness of use or otherwise. Corsaire 
accepts no responsibility for any damage caused by the use or misuse of 
this information.

-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and 
analytical rigour to every job, which means fast and dramatic security 
performance improvements. Our services centre on the delivery of 
information security planning, assessment, implementation, management 
and vulnerability research. 

A free guide to selecting a security assessment supplier is available at 

Copyright 2003 Corsaire Limited. All rights reserved. 


- 漏洞信息

Multiple Content Monitor Software RFC822 Comment Field MIME Encapsulation Filter Bypass

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-09-13 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete