Re: [Exim] virurstest.org test #19

Author: David
Date:  
To: exim-users
Subject: Re: [Exim] virurstest.org test #19
Hi !!

>>I was trying the tests at www.virustest.org and noticed that
>>test #19 "Blank Folding Vulnerability", which sends an email
>>with a header line that contains only one white space or tab,
>>makes exim think that headers terminate at that line. Although
>>the resulting message is broken, as exim breaks the headers at
>>that point, making the virus 'unusable', this makes it impossible
>>to detect that circumstance using a match on $message_headers and
>>prevents the virus scanner from detecting the virus, so the broken
>>message reaches the end user. Any way to detect this vulnerability?
>
> Which version of Exim?


4.30 + exiscan 16

> I have just run a test in which I included a line such as you describe
> in the headers, and Exim handled it correctly. That is, it did NOT
> terminate the header at that point.


When I check test #19 at www.virustest.org I get the following:

 From - Sat Mar 27 11:27:57 2004
X-UIDL: UID39583-1069500867
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-path: <tester@???>
Envelope-to: david@???
Delivery-date: Sat, 27 Mar 2004 11:31:52 +0100
Received: from crc2.excedent.us ([12.5.19.157] helo=mail01.excedent.us)
    by a.mx.ols.es with esmtp (Exim 4.30)
    id 1B7B6W-0007dW-BI
    for david@???; Sat, 27 Mar 2004 11:31:52 +0100
X-Originating-Ip: 80.58.42.235
Message-Id: <992902.@testvirus.org>
Date: Sat, 27 Mar 2004 05:40:13 -0500
From: "TESTVIRUS.org" <tester@???>
To: <david@???>
Subject: Virus Scanner Test #19
Received-SPF: none (rackuk.ols.es: domain of tester@??? does
not designate permitted sender hosts)
X-OLS-Whitelisted: no
X-Virus-Scanned: by ClamAV at a.mx.ols.es on Sat, 27 Mar 2004 11:31:52 +0100
X-Origin-Country: [US]
X-Recipients: 1
X-SPAM-OLSId:
12.5.19.157/tester@???/1B7B6W-0007dW-BI-29358@???


Mime-Version: 1.0
Content-Type: multipart/mixed;


Note that the body starts with the header line that follows the white
space, and all custom headers have been added at that point.

I also tried to match ^\b$ , \n\b\n , \n \n and so on against
$message_headers to find that, but with no success.

In the past I also received messages like this (body starting with
Mime-Version), probably from true viruses.

--
thanx & best regards ...

We give nothing as willingly as our advice.

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  david@???
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------