#BHAS BlackHatEvents

Inbox Invasion: Exploiting MIME Ambiguities to Evade Email Attachment Detectors

Speaker: Jiahe Zhang
Contributors: Jianjun Chen, Qi Wang, Hangyu Zhang, Shengqiang Li, Chuhan Wang, Jianwei Zhuge, Haixin Duan

About Me

Jiahe Zhang
2nd-year Ph.D. student at NISL Lab, Tsinghua University
Research focus: Network Protocol Security, Internet Infrastructure Measurement, Email Security
Credited by Apple, Google, Tencent, etc.

Talk Roadmap

Email Gateway Bypass: Malware-level vs. Protocol-level
How do we discover protocol-level evasion cases?
How well do real-world products handle such bypass?
Vulnerability Categories & Case Demonstration

Introduction

Email Remains a Top Attack Vector
Main Countermeasures: Email Gateway & Content Detector
https:/
Work Well?

Introduction: Malware-level Detection Bypass

Methods: Obfuscation / Encryption / Deformation / Packing
Exploitation: Defects of Detectors
Manipulation: Malware-level Operations

[Figure: Traditional detection bypass: Malware-level operations. Attacker -> Scanning -> Detector (fails to scan the packed virus) -> Pass -> Email Client. Message shown:
From: Attacker
To: Victim
MIME-Version: 1.0
Subject: subject
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=att
Packed-Virus-Content]

Introduction: Protocol-level Detection Bypass

Methods: Constructing Malformed Messages
Exploitation: Parsing ambiguities between detectors & clients, etc.
Manipulation: Protocol-level / Email structure-level operations

[Figure: Pass. Detector: multipart body no