[Mimedefang] Possible new filename exploit?
Kelson Vibber
kelson at speed.net
Mon Oct 7 20:24:01 EDT 2002
I was manually clearing a message from a user's mailbox when I discovered
an interesting MIME attachment. Now, this user had apparently been
infected with Bugbear earlier, which made me wonder how. Anything that
trips filter_bad_filename is defanged, and anything that trips it AND
claims to be audio/x-midi or audio/x-wav is quarantined.
Anyway, her transfer was bogging down early in the huge number of messages
that had piled up while she dealt with the virus, and the message it was
stopping at had the following MIME part headers:
Content-Type: audio/x-midi;
name=SURVEY-ap stat;sportsvsgpa.doc.exe
Content-Transfer-Encoding: base64
Content-ID: <IX1I8Vy336Lk2>
Admittedly the filename is *very* bogus - the fake extension, the space
without quotes, and the semicolon in the middle - plus the bogus mime-type
and, to top it off, an IFrame in an HTML part referencing the supposed midi
file.
Now regardless of what virus this was, it shouldn't have still been in the
message, because it should have tripped filter_bad_filename and the test
for audio/x-midi content type, and been quarantined instead. (And yes, the
X-Scanned-By header appears on this message.)
I'm guessing what happened is that MD read the name as "SURVEY-ap stat"
which didn't trip filter_bad_filename. I'll probably alter the filter to
allow audio/x-midi ONLY with a .mid or .midi extension, rather than to
block it only if the extension is bad.
Still, if MD doesn't recognize this sort of bogus filename, it'll probably
need to.
I'm using MD 2.21. I've updated filter_bad_filename from the latest
example filter, although I've removed .url from the list, and I haven't
made any changes to mimedefang.pl.
Kelson Vibber
SpeedGate Communications, Technical Staff
kelson at speed.net Phone: (949) 341-0800
http://www.speed.net/ FAX: (949) 341-0900
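An added illustration, not code from the post or from MIMEDefang: a stand-alone Python check that reproduces the lenient parse described above (an unquoted name= value cut at the next semicolon, so only "SURVEY-ap stat" is seen) beside a hardened check that scans the raw header value and applies the proposed .mid/.midi allow-list for audio/x-midi. The header values, the shortened bad-extension list and the function names are constructed for this example.

```python
import re

# Constructed sample headers: the malformed part quoted in the post, plus two
# audio/x-midi parts used to show the allow-list.
SUSPECT_HEADERS = {
    "Content-Type": "audio/x-midi;\n name=SURVEY-ap stat;sportsvsgpa.doc.exe",
    "Content-Transfer-Encoding": "base64",
}
BENIGN_HEADERS = {"Content-Type": 'audio/x-midi; name="song.mid"'}
MISLABELED_HEADERS = {"Content-Type": "audio/x-midi; name=report.doc"}

# Shortened stand-in for the extension list a filter_bad_filename would carry.
BAD_EXT_RE = re.compile(r"\.(exe|scr|pif|bat|com|vbs)\b", re.IGNORECASE)
MIDI_EXT_RE = re.compile(r"\.midi?$", re.IGNORECASE)


def naive_name(content_type):
    """Lenient parse: split on ';' and take the first name= parameter.
    An unquoted value stops at the next ';', so '.doc.exe' is never seen."""
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "name":
            return value.strip().strip('"')
    return None


def naive_verdict(headers):
    """Only the parsed name is checked, which is what let the part through."""
    name = naive_name(headers["Content-Type"]) or ""
    return "quarantine" if BAD_EXT_RE.search(name) else "allow"


def hardened_verdict(headers):
    """Two extra defences: scan the whole raw Content-Type value for a bad
    extension, and require a .mid/.midi name for anything claiming audio/x-midi."""
    ctype = headers["Content-Type"]
    mime_type = ctype.split(";", 1)[0].strip().lower()
    if BAD_EXT_RE.search(ctype):
        return "quarantine"
    name = naive_name(ctype) or ""
    if mime_type == "audio/x-midi" and not MIDI_EXT_RE.search(name):
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    for label, hdrs in (("suspect", SUSPECT_HEADERS), ("benign", BENIGN_HEADERS),
                        ("mislabeled", MISLABELED_HEADERS)):
        print(label, naive_verdict(hdrs), hardened_verdict(hdrs))
```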