On Fri, 3 Nov 2006, Brent Clark wrote:
> From: Brent Clark <bclark@???>
> To: exim-users@???
> Date: Fri, 03 Nov 2006 15:34:15 +0200
> Subject: [exim] caution to those blocking files by extension
>
> I just found a hole / bug in my acl for file extension handling.
>
> This is my current ACL
>
> # File extension filtering.
> deny set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
> message = Disallowed file extension
> log_message = REJECTED ATTACHMENT ($acl_m1) (rcpt to: $recipients)
>
> condition = ${if match{$acl_m1}{\N^(avi|asf|ade|adp|asx|asp|arj|adep|asd|ace|arc|aspx|atom|adp|au|\
...
> Following this I have this
>
> warn set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
> !hosts = 192.168.111.0/24 :
> log_message = FOUND THIS ATTACHMENT ($acl_m1) (rcpt to: $recipients)
> condition = ${if def:acl_m1 }
>
> and funny enough, I saw this
>
> 2006-11-03 14:14:57 1Gfxwa-0002eB-6i H=bzq-88-153-38-130.red.bezeqint.net (levin-35s2tp15l) [88.153.38.130] Warning: FOUND THIS ATTACHMENT ( exe) (rcpt to: myuser@mydomain)
>
> as opposed to a line like this
>
> 2006-11-03 15:13:26 1Gfyjb-0002tc-MN H=orion.smartsurv.com [196.23.50.131] Warning: FOUND THIS ATTACHMENT (jpg) (rcpt to: myotheruser@mydomain)
>
> I did this as a test to see what type of file extension am I
> passing / allowing. So what this means is that the .exe got past
> the first ACL.
>
> So this is just a word of caution to those out there using / doing
> the same method as I.
Virus writers can be quite deviant at times. They'll play around
with filenames to fool the Microsoft users. For example, this
morning I saw:
Content-Type: APPLICATION/OCTET-STREAM; name="picture8968..bmp. exe"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="picture8968..bmp. exe"
in a copy of Worm.Stration.NM (ClamAV name).
You may need to adjust your ACLs etc. to take account of possible
leading/trailing whitespace in the extension you find.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@??? Phone: +44 1225 386101
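The whitespace bypass described above, as an added Python example (not from the thread or from Exim itself): a mirror of the quoted ACL's `${extract{-1}{.}{${lc:$mime_filename}}}` extraction beside a version that strips whitespace around the name and around each dot, run against the `picture8968..bmp. exe` name from the ClamAV report and two constructed filenames. The blocked-extension list is a constructed subset, since the ACL's full list is truncated on the page.

```python
import re

# Constructed subset of the extensions denied by the quoted ACL (the full
# list is truncated in the thread).
BLOCKED_EXTENSIONS = {"exe", "asp", "aspx", "arj", "ace", "arc", "avi", "asf"}

# Equivalent of the ACL's match{$acl_m1}{\N^(...)$\N}: anchored at both ends,
# so any stray character, a leading space included, makes the match fail.
_BLOCK_RE = re.compile(r"^(" + "|".join(sorted(BLOCKED_EXTENSIONS)) + r")$")


def naive_extension(filename: str) -> str:
    """Mirror ${extract{-1}{.}{${lc:$mime_filename}}}: lowercase the name and
    return the last dot-separated field, surrounding whitespace and all."""
    return filename.lower().rsplit(".", 1)[-1]


def hardened_extension(filename: str) -> str:
    """Lowercase, drop whitespace around the whole name and around every dot,
    then return the last field, so 'bmp. exe' and 'file.exe ' both give 'exe'."""
    fields = re.split(r"\s*\.\s*", filename.strip().lower())
    return fields[-1]


def is_blocked(ext: str) -> bool:
    """Apply the anchored deny regex to an already-extracted extension."""
    return _BLOCK_RE.match(ext) is not None


def naive_verdict(filename: str) -> bool:
    """Decision the quoted ACL reaches: True means the attachment is denied."""
    return is_blocked(naive_extension(filename))


def hardened_verdict(filename: str) -> bool:
    """Same decision after whitespace normalisation of the extension."""
    return is_blocked(hardened_extension(filename))


if __name__ == "__main__":
    # First name is from the ClamAV report above; the other two are constructed.
    for name in ("picture8968..bmp. exe", "holiday.jpg", "report.EXE "):
        print(f"{name!r:26} naive={naive_verdict(name)!s:5} hardened={hardened_verdict(name)}")
```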