Subject: Re: FW: DOS for Content Technologies' MAILsweeper for SMTP.
From: Jon Williams (jon.williams@MIMESWEEPER.COM)
Date: Fri Sep 29 2000 - 02:27:43 CDT


Firstly, thank you for bringing this to our attention as it allows us to
demonstrate how our products are evolving to take account of new threats and
to advise our users to upgrade to MAILsweeper for SMTP version 4.1_7 or
later.

For those who don't know our Content Security solution for SMTP e-mail,
MAILsweeper decomposes all messages, attachments and embedded objects into
their constituent parts. This means we expand archives and documents and any
files contained therein.

Our testing has shown that MAILsweeper for SMTP 4.1_6 / 4.1_7 / 4.1_9
processes this message without difficulty and quarantines it because one of
the message components is corrupt. We first became aware of this threat in
January 2000 and immediately issued patch 4.1_5.

Version 3.x MAILsweeper may be susceptible to this form of corruption and
would indeed be subject to a denial of service - we therefore recommend that
version 3.x users concerned about this type of attack upgrade to version
4.1_7 or later.

The message in question is a valid electronic mail and contains a number of
zipped CDA documents - MS Word, MS Excel, MS PowerPoint and MS Visio. The
MS Word document SOUTHERNCROSSPRF2.DOC is identified by the 4.1_6 or later
system as invalid. This is why the message takes so long to process. If the
attempt to process a CDA document does not succeed within 5 minutes
MAILsweeper terminates processing the sub-component and flags the message as
corrupt. MAILsweeper's default behaviour for messages with invalid formats
is to quarantine the message as "Undetermined" because MAILsweeper cannot
verify conclusively that the message does not constitute a threat.

The file fails to be opened by the MS CDA decomposition libraries (even Word
Viewer or Microsoft Word will stop responding if this file is opened).
MAILsweeper has a safeguard to circumvent this weakness and has a 5-minute
time out. Our reasoning is that there are some extremely complex and large
CDA files in common use that can in some cases take minutes to open.

In summary we recommend that any users of MAILsweeper for SMTP Version 3 or
4 upgrade to version 4.1_7 or later.

Jonathan Williams
Product Manager
Content Technologies

-----Original Message-----
From: Raj Wurttemberg <raj@STARBASE-01.COM>
Sent: Tue, 26 Sep 2000 08:34:26 -0400
To: Windows NTBugtraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Subject: FW: DOS for Content Technologies' MAILsweeper for SMTP.

Hello,

I have discovered a DOS for Content Technologies' MAILsweeper for SMTP
product.

This was completely accidental. I noticed that no mail was leaving the
MAILsweeper SMTP gateway so I checked the queues... I had over 10,000
e-mails queued up! So I tried to stop the MIMEsweeper service, but it wouldn't
stop. I set the MAILsweeper service startup to manual and rebooted the
machine. When the computer came back up I copied off the offending message
pair and started it back up again. About 10 minutes later I saw that both
CPUs were maxed out and no more mail was flowing. I did the same process as
above but I noticed that the file was the same length. I compared the two
and discovered that although they were slightly different e-mails they had
the same attachments.

At this point I called Content Technologies and sent them a compressed
version of the DOS message via my trusty Linux box. As soon as it hit
*their* MAILsweeper 4.1.x server it promptly hung one of the message
processing threads.

The tech support guys at Content Technologies were eventually able to
retrieve the message and attachments from their hung server. They said that
a corrupt MS-Word document was the cause. My next question was "What's the
fix?" They said it wasn't their problem; it was a problem with the Microsoft
API used to read a MS-Word document. Furthermore they proceeded to tell me
that their new version 4.1.x was not susceptible to this problem because it
would only hang one of the six message processing threads. I then asked what
would happen if I sent six corrupt messages... There was silence on the
phone. Apparently they had not thought of this. The technicians then
suggested I use a program on their web site called "MailSaver" which would
delete the message automatically when the MAILsweeper service stopped.
Unfortunately that doesn't work because the service never stops; it just
hangs.

The Zip file containing the message pair to hang MAILsweeper is available
at:

http://www.starbase-01.com/misc/lockmsw.zip

Some other relevant URLs:

http://www.contenttechnologies.com/
http://www.mimesweeper.com/
http://www.contenttechnologies.com/download/bin/utils/mailsaver.zip

I have so far been unable to get Content Technologies to accept this as a
problem and they have issued NO fix. I am currently running the 3.X version
which only has one message processing thread. At this point ANY Content
Technologies MAILsweeper for SMTP could be taken out of service with the
"lockmsw.zip" file above.

Sincerely,
Raj Wurttemberg
raj@starbase-01.com
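The following is an added model of the failure mode both messages describe (a corrupt Word component that never returns from the decomposition library wedging a fixed pool of message-processing threads, one poisoned message per thread) and of the per-component timeout safeguard the vendor reply describes, which turns the hang into an "Undetermined" quarantine so mail keeps flowing. It is illustration written for this page, not code from either correspondent or from MAILsweeper; the thread count, component timings, message names and the simplification that processing continues after an abandoned sub-component are assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class Message:
    name: str
    components: list  # (name, seconds to decompose); None = library never returns

def process_message(msg, timeout):
    """Return (seconds spent, verdict). Without a timeout a hanging component
    pins the thread forever; with one, the sub-component is abandoned after
    `timeout` seconds and the message is flagged corrupt ('undetermined')."""
    spent, verdict = 0.0, "delivered"
    for _name, seconds in msg.components:
        if seconds is None:
            if timeout is None:
                return math.inf, "hung"
            spent += timeout          # safeguard fires; abandon sub-component
            verdict = "undetermined"  # quarantined: threat status unverifiable
        else:
            spent += seconds
    return spent, verdict

def run_gateway(messages, threads=6, timeout=None):
    """Feed messages to a fixed pool of processing threads, each taking the
    next message as soon as it is free. Returns the verdict per message; mail
    still queued once every thread is wedged is reported as 'stuck'."""
    free_at = [0.0] * threads          # simulated time each thread frees up
    results = {}
    for msg in messages:
        t = min(range(threads), key=free_at.__getitem__)
        if math.isinf(free_at[t]):     # whole pool hung: queue only grows
            results[msg.name] = "stuck"
            continue
        spent, verdict = process_message(msg, timeout)
        free_at[t] += spent
        results[msg.name] = verdict
    return results

# Constructed traffic: one poisoned message per thread, then ordinary mail.
POISONED = [("SOUTHERNCROSSPRF2.DOC", None), ("budget.xls", 1.0)]
ORDINARY = [("memo.doc", 2.0)]

def scenario(threads=6, timeout=None):
    queue = [Message(f"corrupt-{i}", POISONED) for i in range(threads)]
    queue += [Message(f"mail-{i}", ORDINARY) for i in range(3)]
    return run_gateway(queue, threads=threads, timeout=timeout)
```

`scenario(timeout=None)` leaves every thread hung and the ordinary mail stuck in the queue, while `scenario(timeout=300.0)` quarantines the corrupt messages and delivers the rest; `scenario(threads=1)` shows why a single poisoned message is enough against a one-thread version.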
