[Esd-l] Interesting note from Bugtraq

Brett Glass brett at lariat.org
Tue Feb 19 14:03:01 PST 2002


From: "Aidan O'Kelly" <aidanokelly at oceanfree.net>
To: "BUGTRAQ" <BUGTRAQ at securityfocus.com>
Subject: RE: SECURITY.NNOV: Bypassing content filtering software
Date: Mon, 18 Feb 2002 17:31:25 -0000

I was messing around with this kind of stuff a while back; there's a lot
of ways you can get past mail filtering systems, because most of them
won't emulate the exact behaviour of the e-mail clients, especially if you
have multiple clients. Anyway, one of the most effective methods against
Outlook/Outlook Express is to just name the file

eviltrojan."e"x"e

Outlook/OE will just take the quotes out of the filename before it's run.
I tested this on a couple of mail filtering systems, and it will let the
file through.

I wrote a perl file to automagically do it:
http://packetstormsecurity.org/0107-exploits/attqt.pl

Of course most filtering systems will scan the file and recognize it as
an executable (PE) and disallow it (same goes for vbs/js files etc., they
usually look for very common VB or JS code), but I'm sure they don't
recognize all executable content (like .bat files?) (or encoded data, as
mentioned in the advisory).

One other thing: Outlook/OE will sometimes give an attachment that has
no name a name, depending on the content-type, mostly all non-dangerous
types, i.e. if you have a wav attachment, but it has no filename (in the
MIME headers) but it has a content-type: audio/x-wav, it will name it
ATT00xxx.wav.
This will work with .hta files if you don't name them and give them
content-type=application/hta


