Re: [Exim] Executable Content Filter not matching when it sh…

Author: Hugh Sasse Staff Elec Eng
Date:  
To: EXIM users list
Subject: Re: [Exim] Executable Content Filter not matching when it should?
On Wed, 13 Mar 2002, Chris Edwards wrote:

> On Wed, 13 Mar 2002, Hugh Sasse Staff Elec Eng wrote:
>
> | Using the Exim system_filter (Windows executable content filter) Version
> | 0.17, the "Content: Disposition...\S+\.exe" rule for multipart mime does
> | not seem to be firing. As far as I can see it ought to. I am using
> | Exim 3.32, solaris.
> |
> | The message which did get delivered to me is now at:
> | http://www.eng.cse.dmu.ac.uk/~hgs/e-mail/test_multipart_exe
>

        [...]

> The social engineering text body part contains some NULL characters. In
> current versions of exim, the $message_body variable stops at the first
> NULL, causing the exe filter to miss the attachment.


Yes, I can see the nulls in there with vim.
>
> Philip has posted a patch for this - please see thread "NULL / filter"
> earlier this week.


I have applied the patch to the exim 3.35 sources.
(It took a few goes to get to:
patch -p 1 < patchfile
but it applied successfully, with the patch in the same dir as README.)
I have built and installed the newer exim.

The trouble is:
brains# ../bin/exim -bF system_filter.exim < test_multipart_exe
Sender taken from "From" line
Sender    = Blackcha@???
Recipient = root@brains
Testing Exim filter file system_filter.exim


Filter processing ended:
Filtering did not set up a significant delivery.
Normal delivery will occur.
brains#

so in my case it still has not blocked it.

The relevant chunk (ignoring all the address expansion stuff) of the:
exim -d11 -bF system_filter.exim < test_multipart_exe
is:

>>Final headers:

P Received: from root by brains.eng.cse.dmu.ac.uk with local (Exim 3.35 #1)
    id 16lDfx-0000oV-00; Wed, 13 Mar 2002 18:40:37 +0000
* Return-path: <Blackcha@???>
* Envelope-to: hgs@???
* Delivery-date: Wed, 13 Mar 2002 11:00:58 +0000
P Received: from grieg.dmu.ac.uk
    ([146.227.1.5] helo=dmu.ac.uk ident=root)
    by brains.eng.cse.dmu.ac.uk with esmtp (Exim 3.32 #1)
    id 16l6Qq-0006ob-01
    for hgs@???; Wed, 13 Mar 2002 10:56:32 +0000
P Received: from pimout2-int.prodigy.net (pimout2-ext.prodigy.net [207.115.63.101])
    by dmu.ac.uk (8.11.5/8.11.5) with ESMTP id g2D3SgW03675
    for <hgs@???>; Wed, 13 Mar 2002 03:28:42 GMT
P Received: from pfuckie (A040-0744.PHL2.splitrock.net [209.255.215.236])
    by pimout2-int.prodigy.net (8.11.0/8.11.0) with SMTP id g2D3NOH58104;
    Tue, 12 Mar 2002 22:23:55 -0500
  Date: Tue, 12 Mar 2002 22:23:55 -0500
I Message-Id: <200203130323.g2D3NOH58104@???>
* From: "Microsoft Corporation Security Center" <rdquest12@???>
F From: "Microsoft Corporation Security Center" <rdquest12@???>
* To: "Microsoft Customer" <'customer@???'>
T To: "Microsoft Customer" <'customer@???'>
  Subject: Internet Security Update
* Reply-To: <rdquest12@???>
R Reply-To: <rdquest12@???>
  MIME-Version: 1.0
  Content-Type: multipart/mixed;
    boundary="NextPart_000235"
  Status: RO
  X-Status:
  X-Keywords:
* X-rewrote-sender: Blackcha@???


search_tidyup called
Sender    = Blackcha@???
Recipient = root@brains
Testing Exim filter file system_filter.exim


Filter: start of processing
Condition is false: not first_delivery
Condition is false: ${length_80:$header_date:} is not $header_date:
Condition is false: $header_from: contains @sexyfun.net
Sub-condition is false: error_message
Condition is false: error_message and $header_from: contains Mailer-Daemon@
Match expanded arguments:
  Subject = multipart/mixed;
    boundary="NextPart_000235"
  Pattern = (?:file)?name=("[^"]+\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")
Condition is false: $header_content-type: matches (?:file)?name=("[^"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")
Match expanded arguments:
  Subject = multipart/mixed;
    boundary="NextPart_000235"
  Pattern = (?:file)?name=(\S+\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))
Condition is false: $header_content-type: matches (?:file)?name=(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))
Match expanded arguments:
  Subject = This is a multi-part message in MIME format. You should read this with client which  supported MIME standard.  --NextPart_000235 Content-Type: text/plain;     charset="us-ascii" Content-Transfer-Encoding: quoted-printable
  Pattern = (?:Content-(?:Type:(?>\s*)[\w-]+/[\w-]+|Disposition:(?>\s*)attachment);(?>\s*)(?:file)?name=|begin(?>\s+)[0-7]{3,4}(?>\s+))("[^"]+\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")[\s;]
Condition is false: $message_body matches (?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))("[^"]+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])")[\\s;]
Match expanded arguments:
  Subject = This is a multi-part message in MIME format. You should read this with client which  supported MIME standard.  --NextPart_000235 Content-Type: text/plain;     charset="us-ascii" Content-Transfer-Encoding: quoted-printable
  Pattern = (?:Content-(?:Type:(?>\s*)[\w-]+/[\w-]+|Disposition:(?>\s*)attachment);(?>\s*)(?:file)?name=|begin(?>\s+)[0-7]{3,4}(?>\s+))(\S+\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\s;]
Condition is false: $message_body matches (?:Content-(?:Type:(?>\\s*)[\\w-]+/[\\w-]+|Disposition:(?>\\s*)attachment);(?>\\s*)(?:file)?name=|begin(?>\\s+)[0-7]{3,4}(?>\\s+))(\\S+\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]))[\\s;]
Filter processing ended:
  Filtering did not set up a significant delivery.
  Normal delivery will occur.
Filter: end of processing
search_tidyup called


So it seems to be tripping on the double nulls before
"Microsoft Customer".

Yes, my exim-3.35/src/expand.c has got
        if (body[--len] == '\n' || body[len] == 0) body[len] = ' ';
in the right place, line 577, so I don't think I botched patching it.


Now I'm puzzled. :-)
        Hugh
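As an added illustration of the NUL-truncation behaviour discussed in this thread (example code written for this page, not Exim's own code): a small C program that loads a constructed multipart body containing NUL bytes, searches it for an executable attachment name the way a NUL-terminated $message_body would be searched, and then repeats the search after a whole-buffer sanitising pass that turns newlines and NULs into spaces. The sample body, the extension list and all function names (load_body, sanitise_body, has_executable_attachment, filter_fires, visible_length, detected_name) are assumptions made for the example; the real filter applies a PCRE regex rather than strstr().

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample body (not the message from the thread): a text part
 * whose social-engineering text contains two NUL bytes, followed by a
 * second MIME part carrying an .exe attachment. */
static const char sample_body[] =
    "This is a multi-part message in MIME format.\n"
    "--NextPart_000235\n"
    "Content-Type: text/plain; charset=\"us-ascii\"\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "Dear \0\0Microsoft Customer, please install the attached update.\n"
    "--NextPart_000235\n"
    "Content-Type: application/octet-stream; name=\"update.exe\"\n"
    "Content-Disposition: attachment; filename=\"update.exe\"\n"
    "\n";
#define SAMPLE_BODY_LEN (sizeof sample_body - 1)   /* bytes, NULs included */

/* Copy up to 'visible' bytes of the raw body into buf, as an MTA would when
 * building a message-body variable, and NUL-terminate it. */
static size_t load_body(const char *raw, size_t raw_len, char *buf, size_t visible)
{
    size_t n = raw_len < visible ? raw_len : visible;
    memcpy(buf, raw, n);
    buf[n] = '\0';
    return n;
}

/* The kind of fix discussed in the thread: walk every byte and turn newlines
 * and embedded NULs into spaces, so string functions and regex matching see
 * the whole body instead of stopping at the first NUL. The loop must visit
 * all len bytes, not only the last one. */
static void sanitise_body(char *buf, size_t len)
{
    while (len-- > 0)
        if (buf[len] == '\n' || buf[len] == '\0') buf[len] = ' ';
}

/* Case-insensitive comparison of the text in [s, e) against ext. */
static int ext_equals(const char *s, const char *e, const char *ext)
{
    if ((size_t)(e - s) != strlen(ext)) return 0;
    for (; s < e; s++, ext++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*ext)) return 0;
    return 1;
}

/* Simplified stand-in for the filter's regex: look for name="..." (which also
 * matches filename="...") and check the extension against a short list.
 * strstr() stops at the first NUL, exactly like a regex applied to a
 * NUL-terminated $message_body. Returns 1 and copies the name on a hit. */
static int has_executable_attachment(const char *body, char *name_out, size_t name_cap)
{
    static const char *const exts[] = {"exe", "com", "pif", "scr", "bat",
                                       "cmd", "vbs", "lnk", "hta", NULL};
    const char *p = body;
    while ((p = strstr(p, "name=\"")) != NULL) {
        const char *start = p + 6;
        const char *end = strchr(start, '"');
        if (end == NULL) break;
        const char *dot = NULL;
        for (const char *c = start; c < end; c++)
            if (*c == '.') dot = c;                 /* last dot wins */
        if (dot != NULL && (size_t)(end - start) < name_cap) {
            for (int i = 0; exts[i] != NULL; i++) {
                if (ext_equals(dot + 1, end, exts[i])) {
                    memcpy(name_out, start, (size_t)(end - start));
                    name_out[end - start] = '\0';
                    return 1;
                }
            }
        }
        p = end + 1;
    }
    return 0;
}

/* Run the check against the sample body with or without the sanitising step. */
static int filter_fires(int sanitise, char *name_out, size_t name_cap)
{
    char buf[1024];
    size_t len = load_body(sample_body, SAMPLE_BODY_LEN, buf, sizeof buf - 1);
    if (sanitise) sanitise_body(buf, len);
    return has_executable_attachment(buf, name_out, name_cap);
}

/* How many bytes of the loaded body a C-string function can actually see. */
static size_t visible_length(int sanitise)
{
    char buf[1024];
    size_t len = load_body(sample_body, SAMPLE_BODY_LEN, buf, sizeof buf - 1);
    if (sanitise) sanitise_body(buf, len);
    return strlen(buf);
}

/* Name of the first executable attachment found, or "" if the filter misses. */
static const char *detected_name(int sanitise)
{
    static char name[64];
    name[0] = '\0';
    filter_fires(sanitise, name, sizeof name);
    return name;
}

int main(void)
{
    printf("unpatched: fires=%d, visible %zu of %zu bytes, name=\"%s\"\n",
           filter_fires(0, (char[64]){0}, 64), visible_length(0),
           SAMPLE_BODY_LEN, detected_name(0));
    printf("patched:   fires=%d, visible %zu of %zu bytes, name=\"%s\"\n",
           filter_fires(1, (char[64]){0}, 64), visible_length(1),
           SAMPLE_BODY_LEN, detected_name(1));
    return 0;
}
```

Before sanitising, strlen() and strstr() stop at the first NUL inside the social-engineering text, so the filename="update.exe" header of the second part is never examined and the check does not fire; after the whole buffer has been sanitised the same search finds it. The replacement loop has to visit every byte of the buffer, which is the property to confirm when checking that a patch of this kind was applied correctly.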