Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 019

MailMarshal 6.1 SMTP MTA Content Filter Bypass

Vulnerability Type / Importance: Active Content Filter Bypass/ High

Problem Discovered: 24 February 2006
Vendor Contacted: 24 February 2006
Advisory Published: 5 June 2006

Abstract:
Marshal MailMarshal SMTP Server is a popular corporate SMTP e-mail and spam filter application available on the Microsoft Windows Server platform.

Description:
An active content filter bypass condition exists in Mail Marshal's handling of ACE archives.

Technical Details:
MailMarshal 6.1 SMTP Server does not unpack and analyse the content of ACE archives, making it possible to circumvent any active content filter by default. For example, by compressing an executable file within an ACE archive it is possible bypass the executable blocking content filters. In short, any file that is blocked by a content filter can still be successfully sent to a recipient (internal or external) from any source, simply by compressing the file within an ACE archive.

Vendor & Patch Information:
Marshal has stated that this is not a vulnerability within the product and as such, no patches are available. However, Marshal has issued the following workaround for the issue:

"Obtaining the external ACE unpacking utility":

1.)download the following from WinACE: http://www.winace.com/files/ace26.exe

2.)double click ace26.exe, and enter "Y" in the command prompt that opens to extract its contents

3.)locate "unace32.exe" in the extracted files.

4.)place "unace32.exe" in the MailMarshal installation directory on EACH NODE in the array if they have multiples
(default: C:Program FilesNetIQMailMarshal)

Enabling the Unpacker to extract ACE contents:

1.)open regedit on the Array Manager system, and navigate to HKEY_LOCAL_MACHINESoftwareNetIQMailMarshal

2.)make note of whether the "Default" key is solely named "Default" or if it is named "Default(1)"

3.)download the attached registry file to the system where the Array Manager resides

4.)if the key noted in step 2 is "Default(1)", make this change accordingly within the attached registry file

5.)rename the attached file from "ACEunpack.rename" to "ACEUnpack.reg"

6.)double click the newly created REG file to apply the changes to the registry

7.)commit configuration changes, and restart the MMController service on each node of the array (thus restarting all dependent services as well, most importantly the MMEngine)"

http://www.marshal.com

Workaround:
Deploy Marshal's workaround described above or explicitly block the ACE file extension.

Tested Versions:
MailMarshal STMP Server 6.1 on Windows 2003 Server

Credits:
Research & Advisory: O Aziz

Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.