------------------------------------------------------------------
- EXPL-A-2003-001 exploitlabs.com Advisory 001
------------------------------------------------------------------
-=- Antigen 7.0 Path Disclosure -=-

Product:
--------
Antigen for Exchange
Sybari Software
516-630-8500
Web: http://www.sybari.com
Price: $4995 (to protect 250 users)
System Requirements: Windows NT / XP / 2000
Microsoft Exchange Server 5.

Product Info:
-------------
Antigen for Exchange
http://www.sybari.com/products/antigen_exchange.asp

Affected Versions:
------------------
All to current 7.0 SP1

Issue:
------
Upon discovery of a suspected email virus or attachment, Antigen
sends a return email to the original sender's address. The body of
that message contains the installed path of the Antigen product.

Further, it appears that Antigen discards mail that is not genuinely
infected: it searches only for "keywords", physically deleting many
non-viral messages and attachments.

Samples:
--------
1) from return of a NON infected mail on Full Disclosure...

Antigen for Exchange found Unknown infected with
VIRUS= JS/Kak@ (Norman) worm.
The message is currently Purged. The message, "[Full-Disclosure] MSN
search spoof", was sent from morning_wood and was discovered in
SMTP Messages\Inbound located at Wharton School/Student Mail/COURIER1.

2) from a google search of "Antigen for Exchange found" ...

Antigen for Exchange found Unknown infected with
VIRUS= HTML.MimeExploit.Klez (CA(Vet),Kaspersky) worm.
The message is currently Purged. The message, "Hi,the Garden of Eden",
was sent from commit-grub and was discovered in
SMTP Messages\Inbound And Outbound located at
JN-MAIL/First Administrative Group/JN-SVR002.

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
Concurrent with this advisory.

Credits:
--------
Donnie Werner
http://exploitlabs.com
morning_wood@exploitlabs.com
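
Added example (not part of the original advisory and not vendor code): a Python check a mail administrator could run over outbound notification bodies to see which internal names they reveal, with a redacted rewrite for external recipients. The field labels (organization / group / server), the function names and the redacted wording are assumptions; the notification wording comes from the samples above.

```python
import re

# Wording taken from the two sample notifications in the advisory.
NOTICE_RE = re.compile(
    r"Antigen for Exchange found (?P<item>.+?) infected with VIRUS=\s*(?P<detection>.+?)\. "
    r"The message is currently (?P<state>\w+)\. "
    r'The message, "(?P<subject>.*?)", was sent from (?P<sender>.+?) '
    r"and was discovered in (?P<job>.+?) located at (?P<location>.+?)\.?$"
)

def parse_notice(body):
    """Return the notification's fields as a dict, or None if it is not one."""
    match = NOTICE_RE.search(" ".join(body.split()))  # undo mail line wrapping
    return match.groupdict() if match else None

def disclosed_internals(body):
    """List the internal details a notification would reveal to its recipient."""
    notice = parse_notice(body)
    if notice is None:
        return {}
    parts = notice["location"].split("/")
    # Assumption: the three segments are organization / site or admin group / server.
    labels = ["organization", "group", "server"]
    found = dict(zip(labels, parts)) if len(parts) == 3 else {"location": notice["location"]}
    found["scan_job"] = notice["job"]
    return found

def redact_for_external(body):
    """Rewrite a notification so it keeps the verdict but drops internal names."""
    notice = parse_notice(body)
    if notice is None:
        return body
    return (f'A message with subject "{notice["subject"]}" from {notice["sender"]} '
            f'was blocked by mail filtering ({notice["detection"]}).')

# Sample 1 from the advisory, re-wrapped as it would arrive in a mail body.
SAMPLE = """Antigen for Exchange found Unknown infected with
VIRUS= JS/Kak@ (Norman) worm. The message is currently Purged.
The message, "[Full-Disclosure] MSN search spoof", was sent from morning_wood
and was discovered in SMTP Messages\\Inbound located at
Wharton School/Student Mail/COURIER1."""

if __name__ == "__main__":
    print(disclosed_internals(SAMPLE))
    print(redact_for_external(SAMPLE))
```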