Re: [exim] caution to those blocking files by extension

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Dennis Davis
Fecha:  
A: Brent Clark
Cc: exim-users
Asunto: Re: [exim] caution to those blocking files by extension
On Fri, 3 Nov 2006, Brent Clark wrote:

> From: Brent Clark <bclark@???>
> To: exim-users@???
> Date: Fri, 03 Nov 2006 15:34:15 +0200
> Subject: [exim] caution to those blocking files by extension
>
> I just found a hole / bug in my acl for file extension handling.
>
> This is my current ACL
>
> # File extension filtering.
> deny   set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
> message  = Disallowed file extension
> log_message     = REJECTED ATTACHMENT ($acl_m1) (rcpt to: $recipients)

>
> condition       = ${if match{$acl_m1}{\N^(avi|asf|ade|adp|asx|asp|arj|adep|asd|ace|arc|aspx|atom|adp|au|\


...

> Following this I have this
>
> warn set acl_m1 = ${extract{-1}{.}{${lc:$mime_filename}}}
> !hosts      = 192.168.111.0/24 :
> log_message     = FOUND THIS ATTACHMENT ($acl_m1) (rcpt to: $recipients)
> condition = ${if def:acl_m1 }

>
> and funny enough, I saw this
>
> 2006-11-03 14:14:57 1Gfxwa-0002eB-6i H=bzq-88-153-38-130.red.bezeqint.net (levin-35s2tp15l) [88.153.38.130] Warning: FOUND THIS ATTACHMENT (         exe) (rcpt to: myuser@mydomain)

>
> as opposed to a line like this
>
> 2006-11-03 15:13:26 1Gfyjb-0002tc-MN H=orion.smartsurv.com [196.23.50.131] Warning: FOUND THIS ATTACHMENT (jpg) (rcpt to: myotheruser@mydomain)
>
> I did this as a test to see what type of file extension am I
> passing / allowing. So what this means is that the .exe got past
> the first ACL.
>
> So this is just a word of caution to those out there using / doing
> the same method as I.


Virus writers can be quit deviant at times. They'll play around
with filenames to fool the Microsoft users. For example, this
morning I saw:

Content-Type: APPLICATION/OCTET-STREAM; name="picture8968..bmp.         exe"
Content-transfer-encoding: base64
Content-Disposition: attachment; filename="picture8968..bmp.         exe"


in a copy of Worm.Stration.NM (ClamAV name).

You may need to adjust your ACLs etc to take account of possible
leading/trailing whitespace in the extension you find.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@???               Phone: +44 1225 386101