[Mimedefang] [Bug 5225] New: non-standard base64 encoding evades some scanners (fwd)

Kenneth Porter shiva at sewingwitch.com
Thu Dec 7 18:23:04 EST 2006


I just saw this on the SA-devel list. Note that ClamAV 0.88.6 is listed as 
vulnerable.

<http://www.quantenblog.net/security/virus-scanner-bypass>

------------ Forwarded Message ------------
Date: Thursday, December 07, 2006 7:01 AM -0800
From: bugzilla-daemon at issues.apache.org
To: dev at spamassassin.apache.org
Subject: [Bug 5225] New: non-standard base64 encoding evades some scanners

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5225

           Summary: non-standard base64 encoding evades some scanners
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Libraries
        AssignedTo: dev at spamassassin.apache.org
        ReportedBy: jm at jmason.org


SA -- at least 3.2.0 trunk -- isn't actually vulnerable to this; I'm just
using bugzilla as a convenient way to store details! ;)

http://www.quantenblog.net/security/virus-scanner-bypass

'Base64 encoding for MIME is defined in RFC 2045, which lists such an
alphabet and clearly states: All line breaks or other characters not found
in [the alphabet] must be ignored by decoding software. So it shouldn't
make any difference if we insert some random characters not in the alphabet
into a Base64 encoded version of our good old EICAR string, right? Wrong.
Some virus scanners will happily pass viruses once they come in an unusual
but still RFC-compliant encoding. This is even more astonishing given such
attacks have already been discussed before.

Things start to get really nasty if some levels of multipart/mixed content
are wrapped around the harmful attachment. Then, only one of the six tested
virus scanners was able to detect the EICAR file. A simple perl script is
provided as a proof of concept. You may have to play with the $loop
variable, which controls the number of multipart nestings, depending on
your virus scanner and mail server. Note that your mail client may not be
able to properly decode the attachment as well (e.g. Gnus doesn't, but Mutt
or Outlook will do the job).'



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------- End Forwarded Message ----------
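
Added example, not part of the original post or the forwarded bug report: a scanner-side check that decodes a base64 part the way RFC 2045 says a client will (ignoring every byte outside the alphabet) and compares it with a strict decode. `strict_decode` is a model of a strict scanner, not the code of any product named above; the function names, `SIGNATURE`, and the sample bodies are constructed for illustration.

```python
import base64
import binascii
import re

NON_ALPHABET = re.compile(rb"[^A-Za-z0-9+/]")   # bytes outside the RFC 2045 alphabet
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"        # constructed stand-in, not a real pattern


def strict_decode(body):
    """Model of a scanner that accepts only alphabet, padding and line breaks.
    Any other byte makes decoding fail, so the part is never scanned."""
    try:
        return base64.b64decode(re.sub(rb"[\r\n]", b"", body), validate=True)
    except binascii.Error:
        return b""


def rfc2045_decode(body):
    """Decode as a compliant mail client does: ignore non-alphabet bytes.
    Returns (payload, junk), where junk counts ignored bytes that are
    neither whitespace nor '=' padding; legitimate encoders emit none.
    Padding in the middle of a body (concatenated encodings) is not handled."""
    junk = len(re.findall(rb"[^A-Za-z0-9+/=\s]", body))
    data = NON_ALPHABET.sub(b"", body)
    if len(data) % 4 == 1:            # a lone trailing character carries no byte
        data = data[:-1]
    data += b"=" * (-len(data) % 4)   # restore the padding stripped above
    return base64.b64decode(data), junk


def scan_part(body):
    """Scan one base64 MIME part both ways and report the difference."""
    payload, junk = rfc2045_decode(body)
    return {
        "strict_hit": SIGNATURE in strict_decode(body),
        "rfc_hit": SIGNATURE in payload,
        "junk_bytes": junk,           # non-zero is worth logging or quarantining
    }


def sample_bodies():
    """Constructed inputs: a normal encoding, and the same encoding with a
    non-alphabet byte between every five characters."""
    clean = base64.encodebytes(b"header " + SIGNATURE + b" trailer")
    noisy = b"!".join(clean[i:i + 5] for i in range(0, len(clean), 5))
    return clean, noisy
```

A part where `rfc_hit` is true but `strict_hit` is false is exactly the gap described in the quoted article; the `junk_bytes` count gives a filter something to act on even when no signature matches.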






