[Mimedefang] exe in defective zip attachments getting through mimedefang
Kevin A. McGrail
kmcgrail at pccc.com
Thu Jan 14 12:33:28 EST 2010
Actually this topic was covered a while back when there were RAR files
masquerading as zip files.
Here's a function I call from filter_bad_filename. I've modified my filter
to handle a return of 1 as a bad file and 2 as a really bad file which
outright blocks the email.
sub filter_bad_filename ($) {
    ....
    # Look inside ZIP files
    if (re_match($entity, '\.zip$') and $Features{"Archive::Zip"}) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                # CORRUPTED ZIPS ARE DANGEROUS - RETURN A REALLY BAD FILENAME
                return 2 if (&check_for_corrupt_zip($path,
                                 $entity->head->recommended_filename()));
                return re_match_in_zip_directory($path, $re);
            }
        }
    }
    return 0;
}

# Relies on IO::File plus MIMEDefang's md_syslog() and $QueueID being available
# in the filter (add "use IO::File;" if it is not already loaded).
sub check_for_corrupt_zip {
    my ($path, $recommended_filename) = @_;
    my $filehandle;
    my $header = '';    # stays empty (and therefore fails both tests) if nothing can be read
    # OPEN THE FILE, GRAB THE HEADER AND TEST
    $filehandle = new IO::File("< $path");
    if (defined $filehandle) {
        read($filehandle, $header, 4);
        close($filehandle);
        # IS IT A RAR FILE DISGUISED AS A ZIP?
        if ($header =~ /^Rar!/i) {
            md_syslog('warning', "$QueueID: Discarding because of RAR file disguised as ZIP File: $recommended_filename");
            return 1;
        }
        # IS IT A ZIP FILE WITH A VALID MAGIC NUMBER? - IDEA From Tomasz Ostrowski
        if ($header !~ /^PK\003\004/i) {
            md_syslog('warning', "$QueueID: ZIP file has an invalid ZIP Magic Number: $recommended_filename");
            return 1;
        }
    }
    return 0;
}
----- Original Message -----
From: "Dave O'Neill" <dmo at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Thursday, January 14, 2010 12:09 PM
Subject: Re: [Mimedefang] exe in defective zip attachments getting through mimedefang
> On Thu, Jan 14, 2010 at 10:54:14AM -0600, Cliff Hayes wrote:
>> if Archive::Zip doesn't return an AZ_OK then mimedefang lets the attachment
>> through. From what I could find out, if Archive::Zip doesn't return AZ_OK
>> then there is a problem with the zip file. I'd rather block defective zip
>> files than let them through. In the code below, I substituted "return 0;"
>> with "else { return 1; }" and that solved my problem. Now good zips still
>> go through, zips with exe's get replaced with warning, and defective (hacked
>> I'm assuming) get replaced with warnings too. I'm surprised that standard
>> procedure is to let defective zips through. Or am I understanding this
>> wrong?
>
> What value is ->read() returning? It might be nice to check the status
> value and determine if it's failing due to a corrupt zip file, or simply
> due to a zip format that Archive::Zip doesn't recognize.
>
> If you can grab a sample of the zip in question and send it to me offlist,
> I'll take a look.
>
> Cheers,
> Dave
> --
> Dave O'Neill <dmo at roaringpenguin.com> Roaring Penguin Software Inc.
> +1 (613) 231-6599 http://www.roaringpenguin.com/
> For CanIt technical support, please mail: support at roaringpenguin.com
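The same decision, as an added example in Python rather than Kevin's Perl filter code (it is not part of MIMEDefang): the RAR and magic-number checks from check_for_corrupt_zip, Dave's point that an archive the library refuses to read is its own case, and a walk of the member names for the bad-filename pattern, all mapped onto the post's 0/1/2 return codes. The pattern, the sample archives and the RAR/PDF byte strings are constructed here; unlike the Perl check, it also accepts the empty-archive signature PK\005\006, which a zip with no members begins with.

```python
import io
import re
import zipfile

# Constructed stand-in for MIMEDefang's bad-filename pattern; the real list is longer.
BAD_NAME_RE = re.compile(r'\.(exe|scr|pif|com|bat|cmd|vbs)$', re.IGNORECASE)

# Signatures: RAR archive, zip local file header, and the end-of-central-directory
# record (an empty zip starts with PK\005\006, not PK\003\004).
RAR_MAGIC = b'Rar!'
ZIP_MAGICS = (b'PK\x03\x04', b'PK\x05\x06')

def classify_zip_attachment(data: bytes, bad_re=BAD_NAME_RE) -> int:
    """Return 0 (clean), 1 (bad member name) or 2 (really bad: reject outright),
    following the 0/1/2 convention from the post."""
    header = data[:4]
    if header == RAR_MAGIC:          # RAR disguised as a .zip
        return 2
    if header not in ZIP_MAGICS:     # wrong magic number: not a zip at all
        return 2
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # Right magic but an unreadable directory: the "defective zip" that
        # Archive::Zip->read() rejects (non-AZ_OK) in the original thread.
        return 2
    if any(bad_re.search(name) for name in names):
        return 1
    return 0

def build_zip(members: dict) -> bytes:
    """Build a small in-memory zip from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples, one per branch above.
_EXE_ZIP = build_zip({'invoice.pdf.exe': b'MZ' + b'\0' * 64})
SAMPLES = {
    'clean': build_zip({'report.txt': b'quarterly numbers'}),
    'empty': build_zip({}),
    'exe_inside': _EXE_ZIP,
    'truncated': _EXE_ZIP[:-30],          # tail with the EOCD record cut off
    'rar_disguised': b'Rar!\x1a\x07\x00' + b'\0' * 32,
    'not_a_zip': b'%PDF-1.4 ' + b'\0' * 32,
}
```

Run it over each entry of SAMPLES to see which inputs Kevin's scheme would block outright (2), which it would hand to the bad-filename check (1), and which pass (0).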