Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Malformed MIMEs can bypass AV - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Malformed MIMEs can bypass AV
Over on Quantenblog, they're reporting that malformed MIME attachements can, in some cases, be used to bypass email AV filtering.  It works like this:  because email standards were written back in the day when messages were only text (as God intended), they only guaranteed that 7 of the 8 bits in a byte would make it through.  Now that emails contain everything from spreadsheets and executables to pretty-formatted dancing gerbils, we need a way to send the full 8 bits, while still meeting the original standards.  To do this, we need a means of encoding 8 bit content into 7 bit email messages.  One encoding scheme uses an "alphabet" containing 64 characters, and essentially takes 3 bytes of data and turns them into 4 bytes of encoded information.  This is what Multipurpose Internet Mail Encoding (MIME) and specifically MIME64 is all about.  The standard for MIME encoding (RFC 2045) says that when you're decoding, if you come across a character that isn't part of your "alphabet," you're supposed to ignore it and move on.  The problem arises when an AV engine doesn't follow this standard, and an email program does.  The AV engine doesn't scan the attachement properly, but the email program presents the fully decoded attachment for the end-user's clicking pleasure.

More info: http://www.quantenblog.net/security/virus-scanner-bypass

Update: Hendrick over at Quantenblog asked us to clarify the info on this a bit... In most cases, altering the MIME64 encoded content isn't sufficient to bypass AV.  Additional layers of "multipart/mixed" nestings are required (and in some cases, extreme nesting depths themselves can cause resource exhaustion in AV products).

(Thanks Robert!)
Tom

160 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!