MailMarshal 6.1 SMTP MTA Content Filter Bypass Vulnerability

Type / Importance: Active Content Filter Bypass / High
Problem Discovered: 24 February 2006
Vendor Contacted: 24 February 2006
Advisory Published: 5 June 2006

-------------------------------------------------

Abstract:

Marshal MailMarshal SMTP Server is a popular corporate SMTP e-mail and spam filter application available on the Microsoft Windows Server platform.

Description:

An active content filter bypass condition exists in MailMarshal's handling of ACE archives.

Technical Details:

MailMarshal 6.1 SMTP Server does not unpack and analyse the content of ACE archives, making it possible to circumvent any active content filter by default. For example, by compressing an executable file within an ACE archive it is possible to bypass the executable blocking content filters.

In short, any file that is blocked by a content filter can still be successfully sent to a recipient (internal or external) from any source, simply by compressing the file within an ACE archive.

Vendor & Patch Information:

Marshal has stated that this is not a vulnerability within the product and as such, no patches are available. However, Marshal has issued the following workaround for the issue:

"Obtaining the external ACE unpacking utility:

1.) download the following from WinACE: http://www.winace.com/files/ace26.exe
2.) double click ace26.exe, and enter "Y" in the command prompt that opens to extract its contents
3.) locate "unace32.exe" in the extracted files.
4.) place "unace32.exe" in the MailMarshal installation directory on EACH NODE in the array if they have multiples (default: C:\Program Files\NetIQ\MailMarshal\)

Enabling the Unpacker to extract ACE contents:

1.) open regedit on the Array Manager system, and navigate to HKEY_LOCAL_MACHINE\Software\NetIQ\MailMarshal\
2.) make note of whether the "Default" key is solely named "Default" or if it is named "Default(1)"
3.) download the attached registry file to the system where the Array Manager resides
4.) if the key noted in step 2 is "Default(1)", make this change accordingly within the attached registry file
5.) rename the attached file from "ACEunpack.rename" to "ACEUnpack.reg"
6.) double click the newly created REG file to apply the changes to the registry
7.) commit configuration changes, and restart the MMController service on each node of the array (thus restarting all dependent services as well, most importantly the MMEngine)"

http://www.marshal.com

Workaround:

Deploy Marshal's workaround described above or explicitly block the ACE file extension.

Tested Versions:

MailMarshal SMTP Server 6.1 on Windows 2003 Server

Credits:

Research & Advisory: O Aziz

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.

About IRM:

IRM is a product independent information security consultancy based in the UK, Hong Kong, Spain and Dubai.
http://www.irmplc.com
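The fallback workaround above blocks ACE archives by file extension. An extension check alone is only as good as the filename, so a gateway rule should also recognise the archive by its header: the ACE main header carries the ASCII signature "**ACE**" at byte offset 7 (after a 16-bit CRC, 16-bit header size, 8-bit header type and 16-bit flags). The following Python is an added illustration written for this advisory, not MailMarshal code or Marshal's registry workaround; the attachment samples and the minimal ACE header are constructed in-line, and the extension block list is an assumed policy.

```python
import os
import struct

# ACE main header layout (well-known format fact): CRC16 (2 bytes),
# header size (2), header type (1), flags (2), then the 7-byte signature.
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7

# Assumed gateway policy: extensions the content filter refuses outright.
BLOCKED_EXTENSIONS = {".exe", ".ace"}


def is_ace_archive(data: bytes) -> bool:
    """True if the byte stream starts with an ACE main header signature."""
    return data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC


def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    return os.path.splitext(filename)[1].lower()


def screen_attachment(filename: str, data: bytes) -> tuple:
    """
    Decide whether an attachment may pass the content filter.
    Returns ("block" | "allow", reason).  The signature check runs even when
    the extension looks harmless, so the verdict depends on the bytes, not the name.
    """
    ext = extension_of(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", "extension %s is on the block list" % ext
    if is_ace_archive(data):
        return "block", "ACE signature at offset 7 regardless of extension"
    return "allow", "no blocked extension or archive signature"


def build_sample_ace_header() -> bytes:
    """
    Constructed sample: a minimal ACE main header (CRC and trailing fields are
    placeholders, enough to exercise the signature check, not a valid archive).
    """
    crc16 = b"\x00\x00"
    header_size = struct.pack("<H", 20)
    header_type = b"\x00"
    flags = b"\x00\x00"
    return crc16 + header_size + header_type + flags + ACE_MAGIC + b"\x00" * 11


SAMPLE_ACE = build_sample_ace_header()

# Constructed attachments, as a mail filter might see them.
SAMPLE_ATTACHMENTS = [
    ("report.exe", b"MZ\x90\x00"),      # executable, caught by extension
    ("archive.ace", SAMPLE_ACE),         # ACE archive, caught by extension
    ("notes.txt", SAMPLE_ACE),           # ACE bytes behind a benign name
    ("notes.txt", b"plain text body"),   # genuinely harmless
]


def screen_all(attachments) -> list:
    """Apply screen_attachment to each (name, bytes) pair; returns verdict list."""
    return [screen_attachment(name, data)[0] for name, data in attachments]


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict, reason = screen_attachment(name, data)
        print("%-12s %-5s %s" % (name, verdict, reason))
```

The signature test is the coarse fallback the advisory's "Workaround" section describes, applied to content rather than to the name; it is not a substitute for Marshal's unpacker workaround, which lets the engine inspect what the archive contains instead of refusing every ACE file.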