gfi.com email vulnerability tests

Mariano Absatz mailscanner at LISTS.COM.AR
Fri Oct 24 19:53:19 IST 2003


Hi,

I'm also on 4.23-11... I just ran the tests to see what is actually 
passing thru...

The ones that came thru were:
Two with subject "hide.hta           (lots of space here)          ", 
claiming to have MIME type gfi/security; each was actually one section, 
all base64 encoded.

The actual content was a vbscript starting like this:
===================================
<script language="VBScript">
On Error Resume Next
Function ShowFiles(folderspec)
   Dim fso, f, f1, fc, s
   Set fso = CreateObject("Scripting.FileSystemObject")
   Set f = fso.GetFolder(folderspec)
   Set fc = f.Files
   For Each f1 in fc
      s = s & "  " & f1.name 
      s = s & chr(13) + chr(10) 
   Next
   ShowFiles = s
End Function
===================================

Apparently one is geared towards Outlook 2000 and the other one, for 
Outlook Express 6.


I don't know why, but OE decided to name the unnamed file with the 
subject followed by ".dat", so it's "hide.hta    (lots of space)  .dat"

The other one seems to have been named "hide.hta    (lots of space)  ..."


The other message that passed thru is a multipart/mixed; its first part 
is a multipart/alternative with ASCII and HTML text explaining what it 
is.

Following that, it's the unsecured part that starts like this:
===================================
Content-Type: application/hta;
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;

<SCRIPT language=3DVBScript>
On Error Resume Next
Function ShowFiles(folderspec)
   Dim fso, f, f1, fc, s
   Set fso =3D CreateObject("Scripting.FileSystemObject")
   Set f =3D fso.GetFolder(folderspec)
   Set fc =3D f.Files
   For Each f1 in fc
      s =3D s & "  " & f1.name=20
      s =3D s & chr(13) + chr(10)=20
   Next
   ShowFiles =3D s
End Function
===================================

OE gladly ran all the scripts but the one that ended in .dat

Now the question is... how do we detect this nonsense... should we try to 
parse as scripting whatever comes with strange MIME types or without a 
filename?... I dunno.

On 24 Oct 2003 at 20:07, Raymond Dijkxhoorn wrote:

> Hi!
> 
> > GFI Email Security Testing Zone (http://www.gfi.com/emailsecuritytest/)
> > tests for multiple vulnerabilities.  They have added a couple of new
> > tests and I am curious if the current version of MailScanner stops them
> > all.
> >
> > I am using 4.23-11 and the following test fails:
> >
> >         - Attachment with no filename vulnerability test
> >
> > Another one of their tests that makes it through has the subject of
> > "hide.hta."  I am not sure which of their tests creates this subject,
> > but I believe it is related to the above test.
> 
> Date: Mon, 12 Aug 2002 11:45:56 +0200
> From: GFI E-mail Testing <emailtesting at gfi.com>
> To: "raymond at aaabbbccc.nl" <raymond at aaabbbccc.nl>
> Subject: hide.hta
> 
> > If someone using 4.24-5 could run these tests and report back to the
> > list, it would probably be of benefit.
> 
> Tested.
> 
> I hope Julian can have a look, if this is really an issue...
> 
> Bye,
> Raymond.


--
Mariano Absatz
El Baby
----------------------------------------------------------
Pentiums melt in your PC, not in your hand.
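One way to flag the parts described in this thread (a bogus content type such as gfi/security or application/hta, an attachment with no filename, and VBScript hidden under base64 or quoted-printable), as an added example that is not from the thread or from MailScanner. The two sample messages are constructed to mimic the reports above; the type list and markers are assumptions for illustration.

```python
import base64
import email
import re
from email import policy

# Types seen in the GFI tests that no legitimate attachment should carry (assumed list).
UNEXPECTED_TYPES = {"gfi/security", "application/hta"}
# Markers of an embedded VBScript body, checked after transfer-decoding.
SCRIPT_MARKERS = re.compile(rb'<script\s+language\s*=\s*"?vbscript|createobject\(', re.I)

def scan_message(raw: bytes) -> list:
    """Return (reasons, content_type, filename) for each leaf MIME part that
    has an unexpected type, lacks a filename, or carries script content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename()
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        reasons = []
        if ctype in UNEXPECTED_TYPES:
            reasons.append("unexpected content-type")
        if fname is None and ctype not in ("text/plain", "text/html"):
            reasons.append("attachment without filename")
        if SCRIPT_MARKERS.search(body):
            reasons.append("script content in body")
        if reasons:
            findings.append((", ".join(reasons), ctype, fname))
    return findings

# Constructed sample: single-part message typed gfi/security, body base64 encoded.
VBS = b'<script language="VBScript">\r\nSet fso = CreateObject("Scripting.FileSystemObject")\r\n'
SAMPLE_GFI = (b"Subject: hide.hta          \r\nMIME-Version: 1.0\r\n"
              b"Content-Type: gfi/security\r\nContent-Transfer-Encoding: base64\r\n\r\n"
              + base64.b64encode(VBS) + b"\r\n")
# Constructed sample: multipart/mixed with a quoted-printable application/hta part and no filename.
SAMPLE_HTA = (b'Subject: test\r\nMIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
              b"--b1\r\nContent-Type: text/plain\r\n\r\nExplanatory text.\r\n"
              b"--b1\r\nContent-Type: application/hta\r\nContent-Transfer-Encoding: quoted-printable\r\n"
              b"Content-Disposition: attachment\r\n\r\n"
              b"<SCRIPT language=3DVBScript>\r\nSet fso =3D CreateObject(\"Scripting.FileSystemObject\")\r\n"
              b"--b1--\r\n")

if __name__ == "__main__":
    for name, sample in (("gfi/security", SAMPLE_GFI), ("application/hta", SAMPLE_HTA)):
        print(name, scan_message(sample))
```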



