Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Blast from the Past: Two Bugs, One Email

Blast from the Past: Two Bugs, One Email

This old blog post from a long-ago deleted blog was what this non-deleted blog post was about. I had forgotten this spawned not just one but two CVEs (CVE-2009-1490 and CVE-2009-1491). And an interesting commentary on bug hunting and dealing with vendors in the good old days of the mid 00's.


27Apr2009 - A Tale of Two Bugs

Been a while since I have posted anything. This was "leaked" last week to Hackers for Charity which I encourage everyone to contribute and participate in. And since it had been a while, and I am one to go against current trends (I mean have you seen how I dress?), I should release some 0day for the hell of it. Not one, but two 0days surpressed from the BindView RAZOR days....and I am letting them go now.

The ugliness, the ugliness of a stupid flaw you cannot control, one that will get you cool points but at the same time make your life miserable. Imagine finding a flaw that affects multiple vendors -- major vendors -- and no one wants to do anything to fix it.

You work on it at a company that has a policy that prevents you from releasing the bug info since there is no patch. Release it anyway? Well, work will be pissed off, especially since they partner with one of these major vendors and do not want to piss off said partner. On top of that, it will cause your basic shitstorm among Internet users. And even have a direct input on your inbox with a metric fuckton of spam and scams. Oh that will get it fixed, most certainly, but you will be considered a complete asshole of a prick jerkwad deluxe. You go to CERT, and guess what, they run into the same fingerpointing that you do. It is "the other vendors fault, not ours." And it is 2004 - the dotcom bubble has burst, and you are trying to justify that ridiculously high salary, and all your hacker friends are getting into that whole "responsible disclosure" thing.

Fuck it, BindView got sold off, at the end no one gave a shit about the RAZOR team. And it has been almost five years, plenty of time for vendors to silently patch. Disclosure time.

Discovered by yours truly in mid 2004, this was a gem of a bug. Imagine being able to bypass not only anti-spam and anti-virus products, but in some cases bypass IDS/IPS systems as well. Over a well known and usually open port on the firewall. Sweet. Before we get to the bug, a bit of explanation about the bullshit behind not releasing it.

As you might have guessed, this involves email since anti-spam was mentioned. An email message could be constructed that bypassed normal anti-virus scanning of incoming email. Many vendors were affected, so a couple of the major ones were contacted (if memory serves, since I no longer have the original emails, it was Trend Micro and McAfee, or someone like that). "Yes you are correct" they say, "we can be bypassed this way, however we can do nothing to detect it since our flagship product runs on Exchange and Microsoft will not give up the right API calls we need to update our engine." Same thing for anti-spam.

So Microsoft is contacted. "Not our problem" they say, "we are not going to create additional libraries that use internal API calls that don't exist but could also expose us to having our intellectual property copied." Besides, the vendors apparently had to pay extra for what access to the APIs they currently get, and some were not even paying for those (they reverse engineered around them), so Microsoft had no incentive to write more APIs. The biggest disadvantage? All of these companies are aware of the BindView RAZOR team bug release policy -- no advisory unless the vendor has a patch. So they all blamed each other and all say "we won't patch." Getting CERT involved did not help, they were told the same thing, knowing BindView would not release an advisory. CERT could not release anything independently as they need a vendor or vendors to blame, and they all blamed each other.

Isn't the security industry wonderful?

The bug is ever so simple. Create an email message, stick in a huge X-* header, like X-Testing: VeryLongStringHere. You get the idea. Now end the message before adding a message body. That's the trick. What happens is interesting. This is a completely invalid email message, and the X-Whatever spills into the area in an Outlook client that the message body is displayed. So you send the VeryLongStringHere thing with the EICAR test virus string on the end, no anti-virus is triggered, and you get the EICAR test string clearly visible in the message window. Why? Because the existing (at the time) APIs Microsoft gave the vendors did not allow for scanning of anything other than the body of a message, so if you stick stuff in the headers it is not scanned. The vendors could pay for APIs that allowed for inbound scanning and outbound scanning (some only would choose inbound), but no one had APIs to scan headers. Microsoft would not give them up. The vendors said Microsoft should fix Outlook to not display header info to the end user in the area where the message was, Microsoft said they did not handle invalid email and were following RFCs. Whine, whine, whine.

The main thing was this evil header message, although it actually lead to another bug. The easiest method to create it was to telnet into port 25 on a box running Sendmail and doing the whole MAIL FROM and RCPT TO thing manually, and shoving in a huge X-Header, followed by QUIT. Boom off it went on to its destination, an Exchange server with a waiting Outlook client to view it. The telnet-to-port-25 trick did not work in going directly to Exchange though. Why? More exploring found another bug...

Sendmail had an issue in handling headers, creating the mangled message. A very LARGE header caused a crash. What was the issue? A damned heap overflow. OMGWTF. I had a nice remote AV bypass, but now I had a heap overflow in Sendmail. Both port 25, which is ALWAYS open in the firewall. However I was told by BindView to stop working on the Sendmail bug.

The Sendmail flaw was never pursued to see what all was possible with it, as BindView said we would not publish details on it anyway as it could possibly lead people to figure out how to do the AV bypass thing. It was reported to Sendmail as is, they saw the potential implications and (according to them) did not even see if it was exploitable, they just assumed it was and they fixed it (quickly and without a bunch of crap, Eric and Claus were whom I worked with and they rocked it). Anyone with a bit of rev engineering skills could have figured out what was up, but no one did, or didn't say anything publicly.

As a side note, the Sendmail folk thought that Microsoft should fix handling of the non-RFC compliant messages that were sticking the EICAR test virus into the message body in Outlook, being that Sendmail had tons of patches to correct problems caused by other mail systems, simply because they knew it would make life easier for the sys admins. Wow, what an attitude, caring about the users. This is the main reason I still use Sendmail to this day -- they actually give a shit.

So the main bug in AV was surpressed. And a second bug, a potential remote code execution bug in Sendmail was surpressed as well. The funny part? I was trying to screw up the way Outlook handled the X-Message-Away header, thinking I could get a nice client overflow, and found two other bugs instead.

So there you have it. A tale of two bugs, and a small bit of insight into the politics of bug hunting.


Here are some of the notes from the message I sent CERT during that time. Note that I admitted to CERT I tested against live systems on the Internet:


[thegnome@daemon thegnome]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 daemon.nmrc.org ESMTP Sendmail 8.12.10/8.12.10; Fri, 3 Dec 2004 12:00:59 -06
00
mail from:thegnome@nmrc.org
250 2.1.0 thegnome@nmrc.org... Sender ok
rcpt to:loveless@bindview.com
250 2.1.5 loveless@bindview.com... Recipient ok
data
354 Enter mail, end with "." on a line by itself
X-Testing: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDD
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGG
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ
JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEE
EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE
EEEEEEEEEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGG
GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHH
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIII
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
IIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ
JJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ123456AAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBB
BBX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

.

250 2.0.0 iB3I0xxp005530 Message accepted for delivery

Obviously no line breaks in the big string above. Also this tidbit:

McAfee Groupshield running on Microsoft Exchange was the only content checker
 I was able to conclusively test. Others were tested remotely, and unless every
 single site I tested remotely was running McAfee Groupshield, other vendors are
 affected.

Yes, I did live testing against real targets on the Internet, although in my defense I was sending the message to places where I knew an admin, and the email was addressed to them. Anyway, a bit more info for you.

The Battery System

The Battery System

Fun Friday: Naming People

Fun Friday: Naming People