[Mimedefang] JPEG exploit checking in mimedefang-filter
Cormack, Ken
Ken.Cormack at roadway.com
Tue Sep 28 10:31:17 EDT 2004
What I REALLY like about this is that it performs a straightforward "are
you what you say you are?" test, rather than the more nebulous and
error-prone "are you not what you pretend to be?"
Thanks for posting this, Tomasz!
Ken
-----Original Message-----
From: Tomasz Ostrowski [mailto:tometzky at batory.org.pl]
Sent: Tuesday, September 28, 2004 4:56 AM
To: mimedefang at lists.roaringpenguin.com
Subject: [Mimedefang] JPEG exploit checking in mimedefang-filter
I have written a quick and dirty check for corrupt JPEG files in
mimedefang-filter. It uses the program "djpeg", which should be in most
Linux and Unix distributions, to convert the file to a bitmap, writing
to /dev/null. It lets the file in if it manages to convert it
successfully, and rejects it otherwise.

It should catch the latest JPEG virus. At least it catches the sample
I have found here:
http://www.easynews.com/virus.html
###################################################################
# New function: check for corrupted JPEG files
sub filter_corrupt_jpeg ($) {
    my($entity) = @_;
    # Only parts whose name ends in .jpg or .jpeg are tested
    if (re_match($entity, '\.jp(e?)g$') ) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                # Decode to /dev/null with the cheapest djpeg settings.
                # The command string must stay on a single line.
                my($code, $category, $action) =
                    run_virus_scanner("djpeg -fast -dither none -grayscale -scale 1/8 -outfile /dev/null $path");
                if ($action ne 'proceed') {
                    return $code;
                }
                if ($code) {
                    return $code;
                }
            }
        }
    }
    return 0;
}
###################################################################
###################################################################
# This should go in filter() function
    if (filter_corrupt_jpeg($entity)) {
        md_graphdefang_log('corrupt_jpeg', $fname, $type);
        action_bounce("Access denied. Corrupt file $fname not allowed.",
                      "554", "5.7.1");
        return action_discard();
    }
###################################################################
Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
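
The "are you what you say you are?" test discussed in this thread can also be approximated without an external decoder. The script below is an added example, not part of either post and not MIMEDefang code: it walks a JPEG's marker segments in plain Perl and rejects structure that cannot be valid. The name check_jpeg_structure and the sample byte strings are constructed for illustration, and the check is weaker than the full djpeg decode used in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Walk the marker segments of a JPEG byte string up to the first scan.
# Returns (1, 'ok') or (0, reason). Structure only: no pixel data is decoded.
sub check_jpeg_structure {
    my ($data) = @_;
    my $len = length $data;
    return (0, 'no SOI marker at start') unless substr($data, 0, 2) eq "\xFF\xD8";
    my $pos = 2;
    while ($pos + 4 <= $len) {
        my ($ff, $marker) = unpack 'CC', substr($data, $pos, 2);
        return (0, "no marker at offset $pos") unless $ff == 0xFF;
        if ($marker == 0xFF) { $pos++; next }    # fill byte before a marker
        # A stuffed zero, RSTn, a second SOI or EOI cannot appear in the header
        return (0, "unexpected marker at offset $pos")
            if $marker == 0x00 || ($marker >= 0xD0 && $marker <= 0xD9);
        # Every other header segment carries a 16-bit big-endian length
        # that counts its own two bytes, so a value below 2 is impossible.
        my $seglen = unpack 'n', substr($data, $pos + 2, 2);
        return (0, sprintf('segment FF%02X at offset %d: length %d < 2', $marker, $pos, $seglen))
            if $seglen < 2;
        return (0, sprintf('segment FF%02X at offset %d runs past end of file', $marker, $pos))
            if $pos + 2 + $seglen > $len;
        $pos += 2 + $seglen;
        next unless $marker == 0xDA;             # SOS: compressed data follows
        return index($data, "\xFF\xD9", $pos) >= 0
            ? (1, 'ok') : (0, 'no EOI marker after scan data');
    }
    return (0, 'file ends before start of scan');
}

# Constructed sample inputs (byte skeletons, not real images).
my @samples = (
    [ 'well-formed skeleton',
      "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
      . "\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00\x12\x34\xFF\xD9" ],
    [ 'comment with length 0', "\xFF\xD8\xFF\xFE\x00\x00AAAA\xFF\xD9" ],
    [ 'truncated APP0',        "\xFF\xD8\xFF\xE0\x00\x10JFIF" ],
    [ 'GIF named .jpg',        "GIF89a\x01\x00\x01\x00" ],
);
for my $s (@samples) {
    my ($ok, $why) = check_jpeg_structure($s->[1]);
    printf "%-24s %s (%s)\n", $s->[0], ($ok ? 'accept' : 'reject'), $why;
}
```

The first sample passes even though it contains no frame or table segments, which is why a structural walk like this complements a real decode rather than replacing it.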