July 2015

Please note that republishing this article in full or in part is only allowed under the conditions described here.

Bypassing AOL Mail Virus Scanning with Conflicting Content-Transfer-Encoding Headers

The virus scanner integrated in AOL Mail can be bypassed by using conflicting Content-Transfer-Encoding headers, as described in Dubious MIME - Conflicting Content-Transfer-Encoding Headers.

Proof Of Concept

     From: foo
     To: bar
     Subject: eicar - conflicting content-transfer-encoding
     Mime-Version: 1.0
     Content-Type: multipart/mixed; boundary=foo
     Content-type: application/octet-stream; name="eicar.com"
     Content-Transfer-Encoding: base64
     Content-Transfer-Encoding: quoted-printable

The webmail interface of AOL Mail will use the first Content-Transfer-Encoding header 'base64' for displaying the mail and for downloads. It thus provides access to the attached file 'eicar.com' which contains the Eicar test virus. The virus scanner instead will use the second Content-Transfer-Encoding header 'quoted-printable' and is thus not able to detect the virus (if the headers are switched the mail will be successfully blocked).

Note that it is necessary to put some seemingly wrong newline inside the base64 encoding of the virus. It looks like the virus scanner has heuristics to detect the "common" base64 encoding even if it is not explicitly declared. With adding this newline these heuristics are defeated without affecting the decoding in the webmail interface.

Responsible Disclosure - failed

I've tried to report the issue to AOL but was not successful. Since I did not find any contact specifically for reporting security issues I've used their generic contact formular in 06/2015 and pointing out that I had a security problem to report (without all the details). More than a month later I got some mail back which only contained the standard security tips but did not give me a contact where I could report the security issue:

   Date: Mon, 20 Jul 2015 13:06:41 +0000 (GMT)
   From: "aoldefragen@aol.com" <aoldefragen@aol.com>
   Subject: DE: Contact Request    [ ref:_00DF06aAH._500F0bsRQP:ref ]
   wir empfehlen Ihnen, die folgenden Sicherheitshinweise zu beachten, um Ihren
   Computer und Ihre pers├Ânlichen Daten zu sch├╝tzen: -