Email Filtering and Mitigating Circumvention Techniques
Steven McLeod, Michael Cohen
Computer Network Vulnerability Team, Defence Signals Directorate, Department of Defence
May 2004
Information Security Group

Agenda
• Introduction
  – Why email filtering
  – Two goals of email filtering
• Bypassing email filters and preventing such activity
  – Numerous examples that explore the following protocols and file formats while providing context: taking advantage of file formats to include executable code designed to bypass email content filters
    • Internet Message Format (RFC 2822)
    • bmp: bitmap specification explored in detail, including inserting executable code in bitmaps
    • zip: zip specification explored in detail, including hiding zip files
    • pdf, doc, rtf, wri, html, zip: embedding malicious content

Why email filtering
– Antivirus software has its place, but that place is not alone on the front line
  • Viruses are spreading faster than a pattern can be issued and applied, and we have seen originally created malicious content targeted at the victim; hence it doesn't match a known pattern and hasn't triggered AV software with heuristic detection
– Mail content rewriting is more effective than just blocking or forwarding email
  • Unpack the email, remove prohibited files, sanitise active content (e.g. javascript), repack and forward to the recipient
  • Rewriting circumvents several exploit techniques

Two goals of email filtering
• Like a firewall, an email filter's job is to enforce a policy, and it is only as good as the policy
• Consider the following goals when designing the policy
  – Prevent delivery of emails of an executable nature that only require the non security conscious user to double click for the executable content to run
    • e.g. attachments ending in .exe, .com, .pif, .scr, or zip files containing such files
  – Prevent delivery of emails of an executable nature that are somehow disguised and require social engineering of the user to extract and run the executable content
    • e.g. an .exe renamed to .txt, a password protected zip file
  • Internal users use such tricks to circumvent traditional email filters. An attacker is therefore an internal or external user who is attempting to circumvent the "no executable content allowed" policy, regardless of their motive

Bypassing email filters and preventing such activity
• Bypassing email filters
  – Extracts from a test suite I compiled, with 400 test cases, created to test the networks of our government customers
• Preventing such activity
  – Insights into the email filtering software we wrote to better meet our requirements than the COTS products we have encountered so far
    • Written in python by my colleague Michael Cohen. A self booting Linux CD that reads its configuration file from a floppy disk

Bypassing email filters and preventing such activity
• The typical block (fail) action is to replace the prohibited file with a text file describing the matching policy rule, and forward the original email, with the replaced file, to the original email recipient
  – Can be configured to not deliver emails matching certain criteria, which is useful for viruses that propagate via email. Users don't want 100 emails that were previously infected but have been neutered

Agenda - update
• Blocking attachments by extension
• Allowing by file type
• Combining extension, file type and content-type checks
• Testing RFC 2822 (Internet message format)
• Detecting malicious content in otherwise allowed files (pdf, doc, rtf, wri, html, zip)
• Operating system dependent problems
• Email server tests

Blocking attachments by extension
• Like a firewall rule set, define what you allow and reject the rest
  – e.g. doc xls png jpg gif bmp pdf …
• If you attempt to list potentially malicious file extensions
  – e.g. bat cmd com exe hta js jse pif reg scr shs vbe vbs wsh …
• You will inevitably miss some
  – msg, oft, eml attachments are emails themselves and may contain file attachments with potentially malicious file extensions. Furthermore, a saved draft Outlook Express email (eml file) containing a malicious file attachment is saved in plain text format
  – msi, msp: Windows Installer Package / Patch
  – uue, cab, bhx and other formats that software on the user's workstation can decode/decompress with just a double click
  – File extensions containing characters reserved by Microsoft
    • Some email clients silently strip out reserved characters, while other email clients replace them with an underscore
      Content-Type: application/octet-stream; name="file172 com"
      Content-Transfer-Encoding: base64
      Content-Disposition: attachment; filename="file172 com"
  – Files with no filename
  – Files with no extension
  – Files with uppercase extensions, e.g. somefile.eXe
  – Files with multiple extensions, e.g. somefile.bmp.com
  – Files with a classid as an extension
    • 00020906-0000-0000-C000-000000000046 (doc)
  • Demonstration: example files with a classid extension or no extension are opened by the appropriate application
    [Screenshot: Windows Explorer listing three 19 KB files named test, test and test.doc, shown with the types File, Microsoft Document and Microsoft Document]
• It is evident that allowing file extensions deemed to be safe is preferable to trying to block all the possibly malicious extensions

Allowing by file type
• Used to prevent users circumventing the email policy by renaming the cute .scr screen saver they absolutely must share with their friends to a file with a .txt extension
• A virus may propagate via email with a "non-malicious" file extension, and the email social engineers the user into renaming the file
• File typing does have some limitations
  – A saved draft Outlook Express email file containing a malicious file attachment is saved in plain text format
  – A .com file renamed to .txt will typically be allowed by email filters, since .com files have no fixed format and no fixed sequence of bytes (signature) that they are guaranteed to begin with
    • Our mail filter specifies that a .txt file should only contain characters able to be typed on the keyboard, including carriage return and line feed. This will block the vast majority of .com files renamed to .txt, though some code consists of only alphanumeric characters
    [Screenshot: Phrack article on writing shellcode using only alphanumeric characters, to get past input filtering and IDS pattern matching]

Allowing by file type (bitmap files)
• More advanced file type evasion techniques
  – A legitimate bitmap file that is also an executable program. The program can be executed by changing the file extension, or possibly automatically executed using a
vulnerability in an email client or web browser, e.g. specify the content-type as application/octet-stream instead of image/bmp
    • Perhaps the email program will present a dialog box to the user asking them if they want to run/open picture.bmp. The user, believing that bitmap files just contain non-executable pixel data, will click Yes, resulting in the file being executed instead of the bitmap file being displayed by an image viewer

Allowing by file type (bitmap files)
– http://www.coco3.com/text/doc_BMP.txt
  typedef struct tagBITMAPFILEHEADER {
      UINT  bfType;
      DWORD bfSize;
      UINT  bfReserved1;
      UINT  bfReserved2;
      DWORD bfOffBits;
  } BITMAPFILEHEADER;
  BITMAPFILEHEADER bmfh;
  The BITMAPFILEHEADER structure contains information about the type, size and layout of a device-independent bitmap (DIB) file
  Member       Description
  bfType       Specifies the type of file. This member must be BM
  bfSize       Specifies the size of the file in bytes
  bfReserved1  Reserved; must be set to zero
  bfReserved2  Reserved; must be set to zero
  bfOffBits    Specifies the byte offset from the BITMAPFILEHEADER structure to the actual bitmap data in the file

Allowing by file type (bitmap files)
  DWORD bfSize: specifies the size of the file in bytes
• Originally I overwrote three of the four size bytes with a jump instruction to my code at the end of the bitmap
  – Security is a cat and mouse game
  – Bad news
    • No image viewer seemed to use the size value (e.g. for allocating memory corresponding to the size of the bitmap file), so this attack vector worked
    – There is a more useful field for image viewers in the following header structure: biSizeImage, which specifies the size in bytes of the image
  – Good news
    • A sophisticated email content filter could check whether bfSize matches the actual size of the bitmap file
  – Bad news
    • Such a check could be defeated by appending junk to the end of the bitmap file. The junk is ignored by all of the bitmap viewers I tested, since the bitmap viewers know how many bytes they need to read
  – Good news
    • A very sophisticated email content filter may be able to detect the extra data (executable code and padding) if it understands the bitmap file format. For example, check the picture height, width and image size values in the header and ensure there is just enough data in the bitmap file to describe each pixel, with no data (i.e. executable code or padding) left over
  – Bad news
    • An attacker could modify the picture height, width and image size values in the header, etc etc etc etc

Allowing by file type (bitmap files)
– Steve, how come you are still talking about bitmap files?
  • Users are constantly looking for ways to defeat the "overly restrictive" security mechanisms implemented by the "bastard" system administrator
  • They can use this technique to send uudecode.com inside a bitmap file from their home Internet account to their work email address. Then they can send the uuencoded version of uuencode.com from home to their work account. Afterwards they can send/receive any file of any type to/from their friends or home account by uuencoding/uudecoding it, resulting in them emailing "safe" plain text (txt) file attachments, or embedding the uuencoded data as plain text in the email itself with no attachment
  • The EICAR test virus is represented as the following plain text:
    begin 644 eicar.com
    M6#5 5 E0$%06S1 4%I8-30H4%XI-T-# 3 $5 0T%2 5-404Y$05 $ 4% 95$E625 54RU415-4 49 3$4A $@K2 H- @
    end

Allowing by file type (bitmap files)
– Bad news
  • I devised another method to include executable code in a bitmap file designed to evade the email content filter. Let's have another look at the bitmap specifications:
    typedef struct tagBITMAPFILEHEADER { … DWORD bfOffBits; } BITMAPFILEHEADER;
    BITMAPFILEHEADER bmfh;
    bfOffBits: specifies the byte offset from the BITMAPFILEHEADER structure to the actual bitmap data in the file
  • This allows me to create a bitmap file in the format of BITMAPFILEHEADER, then the BITMAPINFOHEADER (part of BITMAPINFO), then executable content, followed by the "actual bitmap data in the file"
    – In this example the code is close to the start of the bitmap file instead of at the end, and only requires two bytes to jump to it, resulting in the ability to create a smaller (less than 65k) bitmap file which conforms entirely with the bitmap specifications and may not require padding to ensure that the total file size is the same size as the jump instruction
• Demonstration: bitmap file containing potentially malicious executable code
  [Screenshot: a command prompt where picture.bmp, copied to picture.com, runs and prints a joke "Disk Space Maximisation Utility: press any key to format your hard disk, or any other key to exit - just kidding" message, alongside a hex dump and debugger view of the same file]
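The header consistency checks the slides describe (bfSize against the real size, and whether any bytes sit between the headers and the pixel array or after it), as an added example in Python; this is not code from the talk or from the DSD filter. make_bmp builds constructed sample files that exercise the bfOffBits gap and the appended-junk-with-bfSize-patched variants; both function names are hypothetical.

```python
import struct

# Constructed example, not the DSD filter's code: structural checks on a Windows bitmap
# that flag the two hiding places the slides describe (bytes between the headers and
# the pixel array reached via bfOffBits, and bytes appended after the pixel array).
FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits (14 bytes)
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount,
                           #   biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter,
                           #   biClrUsed, biClrImportant (40 bytes)
HEADERS_LEN = struct.calcsize(FILE_HDR) + struct.calcsize(INFO_HDR)   # 54


def row_stride(width, bit_count):
    """Bitmap rows are padded to a multiple of four bytes."""
    return ((width * bit_count + 31) // 32) * 4


def check_bmp(data):
    """Return a list of findings; an empty list means the file is exactly
    headers + palette + pixel array, with every header field consistent with that."""
    findings = []
    if len(data) < HEADERS_LEN:
        return ["truncated: shorter than BITMAPFILEHEADER + BITMAPINFOHEADER"]
    magic, bf_size, res1, res2, off_bits = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM":
        return ["bfType is not 'BM'"]
    if res1 or res2:
        findings.append("reserved header fields are non-zero")
    if bf_size != len(data):
        findings.append(f"bfSize {bf_size} != actual file size {len(data)}")
    (bi_size, width, height, _planes, bit_count, compression,
     size_image, _, _, clr_used, _) = struct.unpack_from(INFO_HDR, data, 14)
    if bi_size != 40:
        return findings + [f"unsupported info header size {bi_size}"]
    if compression != 0:
        return findings + [f"compressed bitmap (biCompression={compression}) not validated"]
    if bit_count not in (1, 4, 8, 16, 24, 32) or width <= 0 or height == 0:
        return findings + ["implausible bit depth or geometry"]
    # Palette entries are 4 bytes each and only exist for indexed (<= 8 bit) images
    palette = (clr_used or 1 << bit_count) * 4 if bit_count <= 8 else 0
    expected_off = HEADERS_LEN + palette
    if off_bits != expected_off:
        findings.append(f"bfOffBits {off_bits} != end of headers {expected_off}: "
                        f"{off_bits - expected_off} bytes hidden before the pixel array")
    pixels = row_stride(width, bit_count) * abs(height)
    if size_image not in (0, pixels):
        findings.append(f"biSizeImage {size_image} != {pixels} bytes implied by width/height/depth")
    leftover = len(data) - off_bits - pixels
    if leftover < 0:
        findings.append(f"pixel array truncated by {-leftover} bytes")
    elif leftover > 0:
        findings.append(f"{leftover} bytes appended after the pixel array")
    return findings


def make_bmp(width, height, gap=b"", trailer=b"", fix_size=True):
    """Build a constructed 24-bit bitmap of solid red pixels (sample data, not a real file).
    gap: bytes slipped between the headers and the pixel array (the bfOffBits trick)
    trailer: bytes appended after the pixel array; with fix_size the header's bfSize
    is adjusted to cover them, which is the evasion that defeats a bfSize-only check."""
    stride = row_stride(width, 24)
    row = b"\x00\x00\xff" * width
    row += b"\x00" * (stride - len(row))
    pixels = row * height
    off = HEADERS_LEN + len(gap)
    bf_size = off + len(pixels) + (len(trailer) if fix_size else 0)
    file_hdr = struct.pack(FILE_HDR, b"BM", bf_size, 0, 0, off)
    info_hdr = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + gap + pixels + trailer


if __name__ == "__main__":
    samples = [("clean", make_bmp(3, 2)),
               ("bytes between headers and pixels", make_bmp(3, 2, gap=b"X" * 18)),
               ("junk appended, bfSize patched", make_bmp(3, 2, trailer=b"J" * 100))]
    for label, bmp in samples:
        print(f"{label}: {check_bmp(bmp) or 'OK'}")
```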
Allowing by file type (bmp, zip)
• Change focus from bmp to zip, starting with an example that includes both file formats
  – A zip file appended to a bitmap file will have a file type of bitmap and will therefore be allowed by traditional email content filters
  – Tested zip utilities (Winzip, linux unzip, pkunzip) ignore the bitmap data and see a valid zip file. Why is this?
    • Reviewing the source code to linux unzip shows that it reads at least 65557 bytes (in case there is a comment in the zip file) backwards from the end of the zip file, searching for the end of central directory record. This record includes the offset in the zip file where the central directory record is located
  [Screenshot: PKWARE application note, general format of a ZIP file: local file header 1, file data 1, data descriptor 1 … local file header n, file data n, data descriptor n, central directory, zip64 end of central directory record, zip64 end of central directory locator, end of central directory record]
  [Screenshot: PKWARE application note, end of central directory record: signature (4 bytes), number of this disk (2), number of the disk with the start of the central directory (2), total entries in the central directory on this disk (2), total entries in the central directory (2), size of the central directory (4), offset of start of central directory with respect to the starting disk number (4), zip file comment length (2), zip file comment (variable size)]
  [Screenshot: PKWARE application note, central directory structure: file header 1 … file header n, digital signature; central file header: signature (4 bytes), version made by (2), version needed to extract (2), general purpose bit flag (2), compression method (2), last mod file time (2), last mod file date (2), crc-32 (4), compressed size (4), uncompressed size (4), file name length (2), extra field length (2), file comment length (2), disk number start (2), internal file attributes (2), external file attributes (4), relative offset of local header (4), file name, extra field, file comment (variable size)]

Extract of source code to linux unzip utility
• Overview: process_zipfiles calls do_seekable; do_seekable calls find_ecrec; do_seekable then calls uz_end_central
• Source code extract
  /* process.c: This file contains the top-level routines for processing multiple zipfiles */
  Function do_seekable
  /* Open the zipfile for reading in BINARY mode to prevent CR/LF translation, which would corrupt the bit streams */
  /* Find and process the end-of-central-directory header. UnZip need only check last 65557 bytes of zipfile: comment may be up to 65535, end-of-central-directory record is 18 bytes, and signature itself is 4 bytes; add some to allow for appended garbage. Since ZipInfo is often used as a debugging tool, search the whole zipfile if zipinfo_mode is true */
  calls find_ecrec, which consists of
  /* Loop through blocks of zipfile data, starting at the end and going toward the beginning. In general, need not check whole zipfile for signature, but may want to do so if testing */
  calls uz_end_central, which consists of
  /* Get the zipfile comment (up to 64KB long), if any, and print it out. Then position the file pointer to the beginning of the central directory and fill buffer */
  /* list, extract or test member files as instructed, and close the zipfile */
  end function do_seekable

Allowing by file type (bmp, zip)
• Demonstration: bitmap file prepended to a zip file containing potentially malicious executable code
  [Screenshot: pic1.bmp open in Paint and WinZip, plus a Linux shell session: file reports pic1.bmp as "PC bitmap data, Windows 3.x format" and the archive as "Zip archive data, at least v2.0 to extract"; after cat pic1.bmp <archive> > pic2.bmp, file still reports pic2.bmp as PC bitmap data, while unzip -l pic2.bmp warns of extra bytes at the beginning or within the zipfile (attempting to process anyway) and lists the member, and unzip pic2.bmp inflates it]
– Good news
  • Our email content filter addresses this
problem by running unzip on all file attachments, regardless of their extension or file type
– Bad news
  • Two variants of combining a bitmap file with a zip file containing an executable file
    – Combine a zip file containing a text file with a zip file containing an executable file
    – Combine a zip file containing an executable file with a zip file containing a text file

Allowing by file type (zip, zip)
• In these cases, where a zip file is actually two zip files combined, some unzip implementations will see the zip file with the text file while others will see the zip file with the executable file. As long as the mail filter's unzip utility behaves differently to the unzip utility on the email recipient's workstation, executable content can be emailed to a user and subsequently executed, and the email content scanner only saw a text file
– Good news
  • Solution: our email content filter repackages zip files, removing the original zip file attachment and replacing it with a newly created zip file
    – If it sees a zip file containing a text file, it creates a new zip file, places the text file in it, attaches it to the email and forwards it to the email recipient
    – If it sees a zip file containing an executable file, it creates a new zip file, places the text file blocked_message.txt in it, attaches it to the email and forwards it to the email recipient

Combining extension, file type and content-type checks
• Combine checking techniques to create a complete rule set
• Don't just allow "files with a doc extension" or "files of type Microsoft Office Document" or "file attachments with a content-type of application/msword", especially since the content-type can be set to an arbitrary value by an attacker
• For increased accuracy, combine the rules: only allow a file attachment with a doc extension if it is also of type Microsoft Office Document and preferably has a content-type of application/msword
  – e.g. this combination provided proactive protection against the publicly circulated exploit for the recent serious vulnerability in the Microsoft WordPerfect Converter used by Word and other Microsoft products
  [Screenshot: SecurityFocus advisory for the Microsoft WordPerfect Converter buffer overrun vulnerability, and a shell session where file reports test.doc as a Microsoft Office Document but reports the exploit file mpc_exploit.doc as Corel WordPerfect data]

Testing RFC 2822 (Internet message format)
• Test various email encoding combinations
  – uuencoded, mime, quoted printable, base64, 8 bit headers
  – The file name file100.com can be represented as
    • Content-Type: application/octet-stream; name="=?ISO-8859-1?Q?=66=69=6C=65=31=30=30=2E=63=6F=6D?="
      Content-Transfer-Encoding: base64
      Content-Disposition: attachment; filename="=?ISO-8859-1?Q?=66=69=6C=65=31=30=30=2E=63=6F=6D?="
  – Consider file.bmp.com encoded as
    • name="=?ISO-8859-1?Q?=66=69=6C=65=2E=62=6D=70=2E=63=6F=6D?="
    • name="=?ISO-8859-1?Q?=66=69=6C=65=2E=62=6D=70=0D=2E=63=6F=6D?="
    • name="=?ISO-8859-1?Q?=66=69=6C=65=2E=62=6D=70=0A=2E=63=6F=6D?="
    • name="=?ISO-8859-1?Q?=66=69=6C=65=2E=62=6D=70=0D=0A=2E=63=6F=6D?="

Testing RFC 2822 (Internet message format)
• Constructs with implementation dependent handling. Attackers want the email content filter to behave differently to the email client on the email recipient's workstation
  – File names such as
    • file40.com<CR>.txt, where CR is carriage return
    • file41.com<LF>.txt, where LF is line feed
    • file40.txt<CR>.com
    • file41.txt<LF>.com
    • file112.bmp com (in the email this looks like filename="file112.bmp com")
  – The file name can be specified in four different places
    • Content-Type: application/msword; name="file347.com"; filename="file347.doc"
      Content-Transfer-Encoding: base64
      Content-Disposition: attachment; filename="file347.doc"; name="file347.doc"
    • Content-Type: application/msword; name="file348.doc"; filename="file348.com"
      Content-Transfer-Encoding: base64
      Content-Disposition: attachment; filename="file348.doc"; name="file348.doc"
    • etc
  – Introduced errors and non-conformance
    • RFC 2822 section 2.2, Header Fields: Header fields are lines composed of a field name, followed by a colon (":"), followed by a field body, and terminated by CRLF. A field name MUST be composed of printable US-ASCII characters (i.e., characters that have values between 33 and 126, inclusive), except colon. A field body may be composed of any US-ASCII characters, except for CR and LF
    • Subject: test case 360
      MIME-Version: 1.0
      Content-Type: multipart/mixed; boundary="----=_NextPart_000_000A_01C3A6F9.17A0FD81"
      Content-Type: multipart/mixed; boundary="----=_NextPart_000_000A_01C3A6F9.17A0FD80"
      X-MimeOLE: Just another header

      ------=_NextPart_000_000A_01C3A6F9.17A0FD80
      Content-Type: application/octet-stream; name="file360.com"
      Content-Transfer-Encoding: base64
      Content-Disposition: attachment; filename="file360.com"

      62SQDQpJbnB1dCBwYXRoL2ZpbGU6ICBJbnB1dCBmaWxlIGVycm9yLk91dHB1dCBmaWxlIGVy
      cm9y
  – A small .com file with no file name, content-disposition set to inline, and content-type set to
    • application/octet-stream
    • image/bmp
    • message/rfc822

Detecting malicious content in otherwise allowed files (pdf)
• Additional testing is required for some types of files that have an allowed file extension and an allowed file type
  – Check if a pdf file contains potentially malicious active content
    • Depending on the version of Acrobat installed, active content in a pdf file can send emails without user interaction using Adobe's extension to
javascript
    – Acrobat JavaScript Scripting Reference: http://partners.adobe.com/asn/acrobat/sdk/public/docs/AcroJS.pdf
  [Screenshot: Acrobat JavaScript Scripting Reference. Introduction: "JavaScript is the cross-platform scripting language of Adobe Acrobat. Through its JavaScript extensions, Acrobat exposes much of the functionality of the viewer and its plug-ins to the document author/form designer", extended in recent versions to batch processing of PDF collections, online collaboration and local databases through ADBC, and also accessible from Visual Basic. Method app.mailMsg: "Sends out an e-mail message with or without user interaction" (see also mailGetAddrs, mailDoc, mailForm and Report.mail); on Windows the client machine must have its default mail program configured to be enabled. Parameters: bUI (whether user interaction is required; if true the remaining parameters seed the compose-new-message window shown to the user, if false the cTo parameter is required and the others are optional), cTo (semicolon-separated list of addressees), cCc, cBcc (semicolon-separated CC and BCC lists), cSubject (subject line text, 64k byte limit), cMsg (message text, 64k byte limit)]

Detecting malicious content in otherwise allowed files (doc, rtf, wri)
– Check if a doc file contains potentially malicious active content such as macros
– Check if a doc, rtf or wri file contains an embedded packaged object consisting of executable code
  • Microsoft Word warns the user if they double click on an embedded file
  • Microsoft WordPad does not have this security functionality. Double clicking executes the embedded file without prompting the user
  • wri files are therefore very dangerous, especially since embedded objects can be given an arbitrary icon and a displayed file name to socially engineer a user into double clicking. rtf files are similarly very dangerous unless Word is installed and configured to handle rtf files
• Demonstration: rtf with embedded potentially malicious executable code
  [Screenshot: an email from "Belinda Rose" to Webmaster, subject "Broken links on your site", with an attached rich text file said to contain details and a screenshot of the broken links; opened in WordPad, the attachment holds an embedded object presented as a Paintbrush bitmap, and double clicking it runs the embedded program, which displays "You've been HACKED/OWNED"]

Detecting malicious content in otherwise allowed files (html)
• Does a htm/html email or file attachment contain potentially malicious active content?
  – HTML emails and attachments are just plain evil, mostly due to a never ending stream of vulnerabilities and a very slow vendor response time for the associated patches in a particular web browser that many Windows email clients use to render HTML emails. Unfortunately, blocking HTML emails outright tends to result in user outcry
  – Some email clients can be configured to disallow the execution of script, but the html attachments will be opened by the default web browser
• Not good enough to just search for/sanitise tags such as applet, object and script, since javascript can be executed without script tags
• Demonstration: HTML without script tags executing javascript
  <html><body>Here is some <b onmouseover="alert('Hacked!')">bold</b> text</body></html>
  [Screenshot: Microsoft Internet Explorer showing the resulting alert box]

Detecting malicious content in otherwise allowed files (zip)
• Zip files are commonly used in business, so you typically have to allow them as an accepted file type
• However, including the ability to process zip files opens up many additional attack vectors
• Standard testing involves determining if the zip file only contains files of an accepted type and extension
  – Several viruses, worms and trojans consist of executable content inside a zip file. This defeats email content filters that can't process zip files, and only requires an additional double click by the user to run the executable content
  [Screenshot: Sophos virus analysis of Troj/Sysbug-A, a backdoor Trojan that steals system information and opens a backdoor, distributed as an email with the subject "Re: Mary", a social engineering message text, and an attached Private.zip containing an executable disguised as a picture]
yeLi rnere than anything please call me lylary I need yeLi De yeti remember when we were haying wild in my heuee I remember it all like it was 3th yesterday trad said that the pictures weuld het eerne eut deed hut year were yery wrehg they are great I didn't wahtte ehew year the pictures at rst hut new I thihlt it'e tirne fer yeti te see them leak in the attachment and yen will see whatl meah lleye year with all my heart darnee Attached le F'riyate zip eehtaihe wehdyhaltedipgeaeji 1 E Detecting malicious content in otherwise allowed files zip • Determining if the zip file only contains files of an accepted type and extension - do not just perform a directory listing of the files inside the zip file – Files must be extracted so that file typing can be performed – What you see is not what you get A directory listing of the files inside a zip file is not an accurate representation of the files actually in the zip file since file attributes such as file name are stored in two places for each file Information Security Group Eile Edit Eiew e E lil al l i Ieels intlew elp 03 J PHWAHE - Enterprise Selutiens - Ill General Fermat if a ZIP file Files steretl in arbitrary ertler Lerge sip les een span multiple diskette mettle er lee split inte user-de ned segment sizes Ciwerell zip le fermet le neesleri le date 1 dete_tleseripter i le header n le data n dete_tleseripter n eentrel tlireeterp sipE-il ensl ef eentrel slireetery zipE-4 entl ef eentrel tlireetery entl ef eentrel tlireeterp I ll 1 i351 Deeurnent Dene 1 641 sees Ate-E Eile Edit Eiew ED Ibbls indbw Help - Enterbrise Seldtibns - A Leeal le header Ideal le nea yersidn need der signature 4 bytes ed tn extract 2 bytes general burbbse bit ag 2 bytes eernbressibn rnetnbd 2 bytes last le time 2 bytes last le date 2 bytes ere 32 4 bytes eernbressed size 4 bytes unearnbressed size 4 bytes le name length 2 bytes extra eld length 2 bytes le name yariable size extra eld yariable size ii I It i Document Dene 1 Ei41 sees 4113' 3 
[Screenshot: PKWARE web site, central directory structure: file header 1 ... file header n, digital signature, end of central directory. Central file header: central file header signature (4 bytes), version made by (2 bytes), version needed to extract (2 bytes), general purpose bit flag (2 bytes), compression method (2 bytes), last mod file time (2 bytes), last mod file date (2 bytes), crc-32 (4 bytes), compressed size (4 bytes), uncompressed size (4 bytes), file name length (2 bytes), extra field length (2 bytes), file comment length (2 bytes), disk number start (2 bytes), internal file attributes (2 bytes), external file attributes (4 bytes), relative offset of local header (4 bytes), file name (variable size), extra field (variable size), file comment (variable size)]

Detecting malicious content in otherwise allowed files – zip
• Our email content filter checks that each file name matches its entry in the central directory record, and disallows the email attachment if this is not the case.
• Demonstration – Mismatching file names in a zip file

Detecting malicious content in otherwise allowed files – zip
• Password protected zip files
– Disallowed by our email content filter.
– Although a directory listing of the files inside a password protected zip file can be performed, this is not accurate, as previously discussed.
– The type of files inside a password protected zip file can't be determined.

Detecting malicious content in otherwise allowed files – zip
• Zip files containing zip files
– Disallowed by our email content filter.
– We have found it trivial to DoS “market leading” email content filters by using a zip file containing 16 zip files, each of which contains 16 zip files, each of which contains 16 zip files… A depth of 5 results in over one million zip files to be processed.

Detecting malicious content in otherwise allowed files – zip
• Must extract zip file contents in order to inspect them
– We have found it trivial to DoS “market leading” email content filters by using a 1GB file containing spaces that compresses to 1MB.
– Some antivirus programs suffer from the same problem.
– Before unzipping the file, can we examine the central directory record to determine the size of the file when decompressed? Yes, but it is very unreliable.

Detecting malicious content in otherwise allowed files – zip
• Our email content filter solves this problem via the use of CPU, memory and disk quotas. If the unzip failed, for example because the quota was reached or the zip file was corrupt or password protected, then the email attachment is disallowed.

Detecting malicious content in otherwise allowed files – zip
• Directory traversal and specifying the destination directory
– An attacker's dream come true: just send an email with a zip attachment containing malicious versions of system files and the email content filter will rootkit itself.
– File attachments, and files inside zip files, with names such as:
• winnt\system32\cmd.exe (four variants with different directory traversal and absolute path prefixes)
• winnt\profiles\administrator\startm~1\programs\startup\badfile.com
• bin sh with a character of hex 7F in the name
(the path separators, dots and traversal prefixes of these names were lost in OCR)
– Our email content filter addresses this issue by extracting files into memory.

Detecting malicious content in otherwise allowed files – zip
• Duplicates that test logic and error handling
– An email with two attachments both called file106.zip, where the first zip file contains a text file called blah.txt and the second zip file contains a malicious executable program called bad.exe.
• Also vice versa: the first zip has the program, the second zip has the text file.
• While unpacking the email, will the email content filter overwrite the zip file containing the executable with the zip file containing the text file, and then incorrectly forward the email to the original recipient?
• Our email content filter handles this by analysing file attachments one at a time.
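The zip slides above (file names stored in two places, password protection, nested zips, unreliable declared sizes, traversal names and duplicate entries) are all checks a filter can make on the archive structure before any file typing is attempted. The following is an added example and not the DSD filter's own code: a Python checker that walks the end-of-central-directory record, the central directory and the local file headers directly with struct (Python's zipfile module only reads the central directory, which is exactly the listing the slides say not to trust), compares the two copies of each name, rejects the encryption flag, unsafe paths and duplicates, and then decompresses into memory under a byte budget rather than trusting the declared sizes. The archives built by demo_cases() are constructed here, modelled on the slides' test cases.

```python
"""Structural checks on a zip attachment, run before any file typing is attempted.
Added example (Python 3, standard library only); not the DSD filter's own code."""
import io
import struct
import warnings
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"       # end of central directory record signature


def central_directory(data):
    """Yield (name, general purpose flags, local header offset) for each central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end of central directory record")
    _, _, _, total, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory entry signature missing")
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)   # 42 bytes of fixed fields
        flags, nlen, xlen, clen, loc = f[2], f[9], f[10], f[11], f[15]
        yield data[pos + 46:pos + 46 + nlen].decode("cp437"), flags, loc
        pos += 46 + nlen + xlen + clen


def local_header_name(data, offset):
    """Name stored in the local file header; some unzip tools use this copy, not the central directory's."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("local file header signature missing")
    nlen = struct.unpack_from("<H", data, offset + 26)[0]
    return data[offset + 30:offset + 30 + nlen].decode("cp437")


def unsafe_name(name):
    """Names that escape the extraction directory or contain terminator-like bytes (hex 00, hex 7F)."""
    if not name or "\x00" in name or "\x7f" in name:
        return True
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):   # absolute path or drive letter
        return True
    return ".." in norm.split("/")


def check_zip(data, byte_budget=10 * 2**20):
    """Return the list of policy violations; an empty list means the structural checks passed."""
    problems, seen = [], set()
    for name, flags, loc in central_directory(data):
        if flags & 0x1:
            problems.append(f"{name}: password protected entry")
        if name != local_header_name(data, loc):
            problems.append(f"{name}: central directory and local header names differ")
        if unsafe_name(name):
            problems.append(f"{name}: unsafe path")
        if name.lower() in seen:
            problems.append(f"{name}: duplicate entry")
        seen.add(name.lower())
    if problems:
        return problems
    # Declared sizes are unreliable, so decompress into memory under a byte budget (the quota idea).
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                chunk = fh.read(65536)
                if chunk.startswith(LOCAL_SIG):          # content check, not just the .zip extension
                    problems.append(f"{info.filename}: nested zip file")
                while chunk:
                    total += len(chunk)
                    if total > byte_budget:
                        return [f"{info.filename}: decompressed data exceeds {byte_budget} byte budget"]
                    chunk = fh.read(65536)
    return problems


def make_zip(entries):
    """Build an in-memory zip from (name, bytes) pairs; duplicate names are allowed for testing."""
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        warnings.simplefilter("ignore")
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def demo_cases():
    """Constructed sample attachments modelled on the slides' test cases."""
    mismatch = bytearray(make_zip([("good.txt", b"hello")]))
    i = mismatch.find(LOCAL_SIG)
    mismatch[i + 30:i + 38] = b"evil.com"             # local header now says evil.com
    encrypted = bytearray(make_zip([("secret.txt", b"s")]))
    encrypted[encrypted.find(LOCAL_SIG) + 6] |= 1     # set the encryption bit in both headers
    encrypted[encrypted.find(CENTRAL_SIG) + 8] |= 1
    return {
        "clean": make_zip([("report.txt", b"quarterly numbers")]),
        "mismatch": bytes(mismatch),
        "encrypted": bytes(encrypted),
        "traversal": make_zip([("../../winnt/system32/cmd.exe", b"MZ")]),
        "duplicate": make_zip([("file344.txt", b"MZ"), ("file344.txt", b"text")]),
        "nested": make_zip([("inner.zip", make_zip([("x.txt", b"x")]))]),
        "bomb": make_zip([("spaces.txt", b" " * (4 * 2**20))]),   # 4 MiB of spaces, a few KB compressed
    }


if __name__ == "__main__":
    for label, blob in demo_cases().items():
        print(label, check_zip(blob, byte_budget=2**20) or "ok")
```

Python's zipfile does notice a central/local name mismatch, but only when the member is opened and only as a BadZipFile exception; comparing the two copies first turns it into an explicit policy verdict. The byte budget here stands in for the memory quota the slides describe; the quota applied to an external unzip process is a separate matter.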
Detecting malicious content in otherwise allowed files – zip
– A zip file containing a text file called dir.txt and a malicious program called dir.txt\file268.com, where dir.txt is a subdirectory.
• Also test a zip file with the files in the opposite order.
• A directory can't be created if there is already a file by the same name, therefore the program is not extracted and examined by the email content filter.
• Our email content filter handles this by decompressing and analysing files one at a time.

Detecting malicious content in otherwise allowed files – zip
– A zip file containing a text file called file271.com\file271.txt and a malicious program called file271.com.
• Also test a zip file with the files in the opposite order.
• A file can't be created if there is already a directory by the same name, therefore the program is not extracted and examined by the email content filter.
• Our email content filter handles this by decompressing and analysing files one at a time.

Detecting malicious content in otherwise allowed files – zip
– An email containing the file attachment file323.zip.
• This zip file contains a zip file called file323.zip, which contains a malicious program.
• Will the email content filter overwrite the first file323.zip?

Detecting malicious content in otherwise allowed files – zip
– A zip file containing a malicious program called file344.txt and a text file called file344.txt.
• Also test a zip file with the files in the opposite order.
• Will the email content filter overwrite the malicious file344.txt with the innocent file344.txt during the unzip phase, then perform extension and file type checks, and finally forward the email to the original recipient?

Detecting malicious content in otherwise allowed files – zip
– A zip file containing a malicious program called null.com<00>.txt, where <00> is hex 00.
• Use a hex editor to change that character to hex 00.
• Hex 00 may be interpreted as the end of string terminator.
• The email content filter may see a file called null.com<00>.txt while the email client sees a file called null.com.

Operating System dependent problems
• Attackers want the email content filter's unzip utility to behave differently to the unzip utility on the email recipient's workstation, e.g. Windows vs Linux.
– A network of Linux workstations should not be protected by an email content filter running on Windows.
– A network of Windows workstations can be protected by an email content filter running on Linux or Windows. If it is running on Windows it will have limitations, but these limitations should be negated by the workstations suffering from the same limitations.

Operating System dependent problems
– Consider a Windows based email content filter that decodes and (if necessary) unzips file attachments into a directory and then checks the files in that directory.
• A variety of files may not be created successfully on the Windows file system and therefore may not be extracted and examined by the email content filter.
• The Linux file system does not have such limitations, so a user on a Linux workstation would be able to extract and execute the file.
– File extensions are of less use in Linux.
– Users would typically have to go out of their way to assign executable permissions to the file, and may be protected by administrator configured Linux security features such as a non-executable home directory.

Operating System dependent problems
• Example files
– The file con.txt
– A zip file containing the file COM1\malware.txt, i.e. the file malware.txt in the subdirectory COM1
– Files containing characters reserved by Microsoft
[Screenshot: bash "ls -al" listing of the test files, including con.txt and con.com]
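The Example files slide above lists names that a Windows file system refuses or rewrites (device names such as CON and COM1, reserved characters), so a Windows-based filter that extracts to disk never gets to examine the file, and the zip slides before it test a member name used both as a file and as a directory. The following is an added example, not the DSD filter's code: a Python pre-check on archive member names that flags these cases before anything is written to disk, so the attachment can be disallowed whichever OS the filter runs on. The names in SAMPLE_NAMES are constructed after the slides' test files.

```python
"""Flag archive member names that a Windows file system cannot create as given, or that
collide with each other, so they would be skipped or altered instead of examined.
Added example; not the DSD filter's own code."""

# Device names Windows reserves regardless of extension (CON.TXT is still the CON device)
RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL",
                    *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}
RESERVED_CHARS = set('<>"|?*')   # separators are split off first; ':' is reported as an ADS


def windows_name_problems(name):
    """Reasons this name would fail, or be silently altered, on a Windows file system."""
    problems = []
    for part in name.replace("\\", "/").split("/"):
        if part in ("", ".", ".."):
            continue
        stem = part.split(".")[0].strip().upper()   # "con.txt" and "con .txt" both name CON
        if stem in RESERVED_DEVICES:
            problems.append(f"{part!r}: reserved device name")
        if ":" in part:
            problems.append(f"{part!r}: ':' selects an alternate data stream")
        bad = RESERVED_CHARS & set(part)
        if bad:
            problems.append(f"{part!r}: reserved characters {''.join(sorted(bad))}")
        if any(ord(c) < 32 or c == "\x7f" for c in part):
            problems.append(f"{part!r}: control character (hex 00 may terminate the name early)")
        if part != part.rstrip(". "):
            problems.append(f"{part!r}: trailing dot or space is silently stripped")
    return problems


def collision_problems(names):
    """Names used both as a file and as a directory in one archive (dir.txt vs dir.txt\\file268.com):
    whichever is created first blocks the other, so one member is never extracted."""
    files, dirs = set(), set()
    for name in names:
        parts = name.replace("\\", "/").strip("/").lower().split("/")
        files.add("/".join(parts))
        for depth in range(1, len(parts)):
            dirs.add("/".join(parts[:depth]))
    return sorted(files & dirs)


def check_member_names(names):
    """Combined policy: map each hazardous name to its problems; an empty map means all names are safe."""
    report = {n: p for n in names if (p := windows_name_problems(n))}
    for clash in collision_problems(names):
        report.setdefault(clash, []).append("used as both file and directory")
    return report


SAMPLE_NAMES = [   # constructed, after the slides' test files
    "report.txt",
    "con.txt",
    "COM1/malware.txt",
    "bad.txt:ADS.txt",
    "null.com\x00.txt",
    "dir.txt",
    "dir.txt/file268.com",
]

if __name__ == "__main__":
    for name, problems in check_member_names(SAMPLE_NAMES).items():
        print(name.encode("unicode_escape").decode(), "->", problems)
```

Running the block prints a problem list for every sample except report.txt. The collision check is deliberately case-insensitive, because the Windows file systems that motivate it are.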
[Screenshot: Windows "Save As" dialog rejecting the name: "This file name is a reserved device name. Please choose another name." / "A file name cannot contain any of the following characters ..."]

Operating System dependent problems
– A zip file containing the file bad.txt:ADS.txt
• Will create a 0 byte file called bad.txt, with the contents of the file hidden in an alternate data stream and inaccessible to the email content filter unless it can specifically handle ADS.
[Screenshots: Windows Explorer extracting tests\ads.zip with the Extraction Wizard; the resulting bad.txt is listed as a 0 KB text document]

Operating System dependent problems
– An email content filter running on Linux that improperly calls unzip may be vulnerable to file attachments with the following names:
• file263.zip touch /tmp/test263 file263.zip
• file264.zip touch /tmp/test264 file264.zip
• file265.zip touch /tmp/test265 file265.zip
(three variants that wrap the touch command in shell metacharacters, which were lost in OCR)
• -o -q -d /tmp file267.zip (a file name that begins with unzip options)

Email server tests
• If the email content filter is also running email server software, test for typical email server vulnerabilities.
– Email relaying, where an external attacker causes the email server to send an email to an external recipient.
• Standard email relaying. Can attempt to bypass anti-relay measures using a FROM address of root@localhost or root@[127.0.0.1].
• Specify the target email address as the FROM and send the email to a non-existent user, so that the bounce message carries the spam or malicious attachment.

Email server tests
• Delivery Status Notification (DSN), e.g.
MAIL FROM:<thirdparty@somewhere.org> RET=FULL
RCPT TO:<a_legitimate_user@legitimate_domain_name> NOTIFY=SUCCESS,FAILURE,DELAY
DATA
Hi. Please double click on the attachment.
– Determine the number of listening email connections and their timeout value.
– Send an email to someemaillist@targetdomain.com with a delivery and read receipt – some email server implementations will disclose who is on the mailing list.

Email server tests
– Use the EXPN and VRFY verbs to determine if accounts can be enumerated:
• joe
• root
• postmaster
• skdnjfsdsdjbgsdgj
– Specify the following RCPT TO values to determine if accounts can be enumerated:
• joe
• root
• postmaster
• skdnjfsdsdjbgsdgj

Conclusions
• Threats are viruses and attackers sending malicious emails to uneducated users.
– The educated users are too busy trying to beat the system.
• Allowing “safe” file extensions is preferable to blocking all of the possibly malicious extensions.
• File typing complements file extension checks.
• “Safe” file types and file extensions may require further checks.

Conclusions
• A dedicated user can beat the
system. Facilitated by:
– File formats that allow the inclusion of code (bmp) or extra arbitrary data that is ignored (zip)
– Windows based email content filters that inherit the limitations of the OS
– Utilities such as uuencode.com and uudecode.com
– The Windows .com file format – there isn't one
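The Operating System dependent problems slide on a Linux filter that improperly calls unzip (names carrying shell metacharacters, and a name that begins with unzip options) and the earlier zip slide on CPU, memory and disk quotas both come down to how the external unzip is invoked. The following is an added example for Linux, not the DSD filter's own code: the archive name is passed as a single argv element after "--", so metacharacters and leading options in the name are inert, and the child runs under rlimits so a zip bomb or runaway decompression fails (and the attachment is disallowed) rather than exhausting the filter host. The file names used are constructed.

```python
"""Invoke an external unzip without a shell and under resource quotas.
Added example (Linux, Python 3); not the DSD filter's own code."""
import resource
import subprocess


def build_unzip_argv(zip_path, dest_dir):
    """argv list for unzip. No shell is involved, so ';', '`' or '|' in the name are just bytes,
    and '--' ends option parsing so a name such as '-o -q -d /tmp file267.zip' cannot supply options."""
    return ["unzip", "-o", "-q", "-d", dest_dir, "--", zip_path]


def _quota_limits(cpu_seconds, mem_bytes, file_bytes):
    """Build a preexec_fn that lowers the child's rlimits (never above the current hard limit)."""
    wanted = {resource.RLIMIT_CPU: cpu_seconds,     # CPU time: decompression loops
              resource.RLIMIT_AS: mem_bytes,        # address space: memory
              resource.RLIMIT_FSIZE: file_bytes}    # largest file it may write: disk

    def apply():
        for res, value in wanted.items():
            _, hard = resource.getrlimit(res)
            if hard != resource.RLIM_INFINITY:
                value = min(value, hard)
            resource.setrlimit(res, (value, value))
    return apply


def run_with_quotas(argv, cpu_seconds=5, mem_bytes=256 * 2**20, file_bytes=64 * 2**20, wall_seconds=10):
    """Run argv under quotas; return (exit status, stdout), or (None, b'') if the wall clock ran out.
    Any non-zero status, signal death or timeout means the attachment is disallowed."""
    try:
        proc = subprocess.run(argv, preexec_fn=_quota_limits(cpu_seconds, mem_bytes, file_bytes),
                              capture_output=True, timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        return None, b""
    return proc.returncode, proc.stdout


def unzip_attachment(zip_path, dest_dir):
    """Policy wrapper: True only if unzip exits cleanly within quota."""
    status, _ = run_with_quotas(build_unzip_argv(zip_path, dest_dir))
    return status == 0


if __name__ == "__main__":
    # Constructed hostile names: neither the command nor the options are interpreted.
    print(build_unzip_argv("file263.zip;touch /tmp/test263;file263.zip", "/tmp/extract"))
    print(build_unzip_argv("-o -q -d /tmp file267.zip", "/tmp/extract"))
    print(run_with_quotas(["printf", "%s", "file263.zip;touch /tmp/test263"]))
```

A process that exceeds RLIMIT_FSIZE is killed with SIGXFSZ and one that exceeds RLIMIT_CPU with SIGXCPU, so both surface as a negative exit status from run_with_quotas and the attachment is refused, which is the failure behaviour the quota slide describes. RLIMIT_AS is not enforced on all platforms (macOS ignores it), so this is a Linux example; the DSD filter's own choice of extracting into memory avoids the disk-side problems entirely.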