SurfControl Filter for SMTP v4.6 filtering technology can be easily bypassed when more than 16 zip files are nested inside of a zip file. The filter only scans the first 15 files inside of a zip file, therefore allowing malicious files through.
<html>
<title> Network Penetration .com </title>
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Description" CONTENT="Network Penetration - security research and tools.">
<META NAME="Keywords" CONTENT="network penetration it security computer hacking hack whitehat blackhat">
</head>
<!-- written by Lee@networkpenetration.com -->
<body bgcolor=00369B link=A5EdEa vlink=A3EbE8 alink=A4ECE9></body>
<table border=0 CELLSPACING=7 CELLPADDING=7>
<TR>
<TD valign=top width=150>
<table border=0 CELLSPACING=3 CELLPADDING=3>
<tr>
<TD valign=top width=150 align=center>
<img src="images/enp.jpg" alt="">
</td>
<tr>
<TD valign=top width=150 align=center>
<!-- not done yet
<a href="about.html">
<img src="images/btnAbout.jpg" border=0 alt="about"></a>
-->
</td>
<tr>
<TD valign=top width=150 align=center>
<a href="papers.html">
<img src="images/btnPapers.jpg" border=0 alt="papers"></a>
</td>
<tr>
<TD valign=top width=150 align=center>
<a href="advisories.html">
<img src="images/btnAdvisories.jpg" border=0 alt="advisories"></a>
</td>
<tr>
<TD valign=top width=150 align=center>
<a href="downloads.html">
<img src="images/btnDownloads.jpg" border=0 alt="downloads"></a>
<!-- not done yet
</td>
<tr>
<TD valign=top width=150 align=center>
<a href="services.html">
<img src="images/btnServices.jpg" border=0 alt="services"></a>
-->
</td>
<tr>
<TD valign=top width=150 align=center>
<a href="mailto:root@networkpenetration.com">
<img src="images/btnContact.jpg" border=0 alt="root@networkpenetration.com"></a>
</td>
<tr>
<TD valign=top width=150 align=center>
<font style="COLOR: #A4ECE9; FONT: 7pt verdana"><b>
(c)copyright 2003 networkpenetration.com
</b></font>
</td>
</table>
</td>
<TD valign=top>
<table border=0 CELLSPACING=0 CELLPADDING=0>
<tr>
<TD align=center>
<img src="images/netpen.jpg" alt="Network Penetration">
</td>
<tr>
<td>
<img src="images/space.gif" alt="">
</td>
<tr>
<TD align=left>
<!-- contentcontentcontentcontentcontentcontentcontentcontentcontent -->
<!-- insert content here --><font style="COLOR: #A4ECE9; FONT: 7pt verdana"><b>
SurfControl Filter for SMTP v4.6 bypass via nested zips<BR>
::::::::::::::::::::::::::::::::::::::::::::::::::::::-<BR>
Discovered By Lee Bowyer Lee@networkpenetration.com (5/Jul/03)<BR>
<BR>
<BR>
SurfControl Filter for SMTP lets SurfControl's filtering technology be bolted on to your existing SMTP server.<BR>
<BR>
The rules engine contains a flaw whereby if an attachment is a .zip and it contains more than 15 zip files, the 16th zip file will not be scanned by the filter.<BR>
<BR>
This probably works with other archive/file types and possibly on other SurfControl products.<BR>
<BR>
Bypass<BR>
::::::<BR>
<BR>
In order to bypass the filter build a .zip as below:<BR>
<BR><pre><b>
attach.zip - dummy_folder - a.zip - junk.txt
                          - b.zip - junk.txt
                          - c.zip - junk.txt
                          - d.zip - junk.txt
                          - e.zip - junk.txt
                          - f.zip - junk.txt
                          - g.zip - junk.txt
                          - h.zip - junk.txt
                          - i.zip - junk.txt
                          - j.zip - junk.txt
                          - k.zip - junk.txt
                          - m.zip - junk.txt
                          - n.zip - junk.txt
                          - o.zip - junk.txt
                          - p.zip - junk.txt
                          - z.zip - sneaky.exe &lt;&lt; Passes thru!
</b></pre>
(The filter sorts the files in attach.zip alphabetically, so we name our files a, b, c, etc. to be sure that z.zip is last.)<BR>
<BR>
<BR>
Recommendation<BR>
::::::::::::::<BR>
<BR>
Tricky: realistically you can't open every .zip inside a .zip. It is very easy to make a very small zip containing tens of thousands of zips, each of which contains many more, and if you tried to open such a file you would probably DoS the filter anyhow.<BR>
<BR>
SurfControl have chosen a threshold of 15 zips, which, while a little low, is understandable; perhaps some sort of 'excessive archiving' filter is the answer.<BR>
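An added defender-side illustration, not part of the advisory: the Python below contrasts a scanner modelled on the described flaw (only the first 15 sorted entries of each zip are opened) with one that walks every nested zip against a total entry budget and fails closed, reporting 'excessive archiving' instead of passing what it did not inspect. The .exe policy, the budget value and the constructed test archive (inert bytes named sneaky.exe) are assumptions built from the layout shown above.<BR>

```python
import io
import zipfile

BLOCKED = (".exe",)  # assumption: the content policy being enforced
MAX_ENTRIES = 15     # the advisory's threshold, reused as a total entry budget

def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; fixture helper only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()

def advisory_fixture() -> bytes:
    """Constructed like the page's attach.zip: a..p (no l) hold junk.txt, z.zip holds inert sneaky.exe."""
    inner = {f"dummy_folder/{c}.zip": make_zip({"junk.txt": b"junk"})
             for c in "abcdefghijkmnop"}
    inner["dummy_folder/z.zip"] = make_zip({"sneaky.exe": b"placeholder"})
    return make_zip(inner)

def names(zf: zipfile.ZipFile) -> list:  # files only, sorted as the advisory says
    return sorted(i.filename for i in zf.infolist() if not i.is_dir())

def naive_scan(data: bytes) -> str:
    """Model of the flaw: only the first MAX_ENTRIES files of each zip are opened."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in names(zf)[:MAX_ENTRIES]:
            if name.lower().endswith(BLOCKED):
                return "blocked"
            if name.lower().endswith(".zip") and naive_scan(zf.read(name)) != "clean":
                return "blocked"
    return "clean"  # a 16th entry was never looked at

def hardened_scan(data: bytes) -> str:
    """Fail closed: an exhausted entry budget marks the whole attachment 'excessive'."""
    stack, seen = [data], 0
    while stack:
        try:
            zf = zipfile.ZipFile(io.BytesIO(stack.pop()))
        except zipfile.BadZipFile:
            return "malformed"  # unreadable archives are not waved through
        for name in names(zf):
            seen += 1
            if seen > MAX_ENTRIES:
                return "excessive"  # report, rather than skip, what exceeds the budget
            if name.lower().endswith(BLOCKED):
                return "blocked"
            if name.lower().endswith(".zip"):
                stack.append(zf.read(name))
    return "clean"
```

Run against the constructed fixture, naive_scan returns "clean" (the 16th zip is never opened) while hardened_scan returns "excessive" for the same attachment.<BR>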
<BR>
<BR>
Network Penetration<BR>
www.networkpenetration.com<BR>
Copyright (c) 2003 Lee Bowyer<BR>
Lee@networkpenetration.com<BR>
<!-- end of content -->
<!-- contentcontentcontentcontentcontentcontentcontentcontentcontent -->
</b>
</font>
<br><br><br><br><br>
<font style="COLOR: #00369B; FONT: 7pt verdana">
</font>
</td>
</table>
<!-- written by Lee@networkpenetration.com -->
</html>