[Mimedefang] Word Macro warning in subject.

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Thu Feb 11 03:52:34 EST 2016


On Tue, 9 Feb 2016, System Operations wrote:

Hmm, do you use SpamAssassin?
I thought one could add search strings to ClamAV as well, but cannot find 
any pointers on the internet.

> Slave 1 stderr: Can't call method "parts" on an undefined value at 
> /etc/mail/mimedefang-filter

There is no line number?

> sub filter {
>    my($entity, $fname, $ext, $type) = @_;
>
>    return if message_rejected(); # Avoid unnecessary work
>
>
>    if (contains_office_macros) {
                               ^^ missing ($entity)
like many procedural languages, you need to pass arguments in ()'s

> 	action_notify_administrator("An attachment of type $type, sent by 
> $Sender for $Recip named $fname contains macros.\n");
> 	my $subject = $entity->head->get('Subject',0);
> 	action_change_header('Subject', "[Warning Attachment $fname contains 
> macros (possible virus):] $Subject");
>    }
>
>    return action_accept();
> }
>
>
>
> sub filter_multipart {
>    my($entity, $fname, $ext, $type) = @_;
>
>    return if message_rejected(); # Avoid unnecessary work
>
>    if (contains_office_macros) {
> 	action_notify_administrator("An attachment of type $type, sent by 
> $Sender for $Recip named $fname contains macros.\n");
> 	my $subject = $entity->head->get('Subject',0);
> 	action_change_header('Subject', "[Warning Attachment $fname contains 
> macros (possible virus):] $Subject");
>    }
>
>    return action_accept();
> }
>
>
> ==============================================================================
> # These markers were documented at:
> #http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
> # as of 2015-01-15
> # $entity is a MIME::Entity that's the parsed message
>
> my $marker1 = "\xd0\xcf\x11\xe0";
> my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";
>
> sub contains_office_macros
> {
> 	my ($self, $entity) = @_;
             ^^ remove $self,
there is just one argument, also remove any $self->
from the code below.

> 	my @parts = $entity->parts();
> 	if (scalar(@parts) > 0) {
> 		foreach my $part (@parts) {
> 			if ($self->contains_office_macros($part)) {
> 				return 1;
> 			}
> 		}
> 		return 0;
> 	}
> 	my $is_msoffice_extension = 0;
> 	foreach my $attr_name (qw( Content-Disposition.filename 
> Content-Type.name) ) {
> 		my $possible = $entity->head->mime_attr($attr_name);
> 		$possible = decode_mimewords($possible);
> 		if ($possible =~ /\.(doc|docx)$/i) {
> 			$is_msoffice_extension = 1;
> 			last;
> 		}
> 	}
> 	return 0 unless $is_msoffice_extension;
> 	return 0 unless defined($entity->bodyhandle) && 
> defined($entity->bodyhandle->path);
> 	my $fp;
> 	if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
> 		return 0;
> 	}
> 	my $contents;
> 	{
> 		local $/;
> 		$contents = <$fp>;
> 		close($fp);
> 	}

This code pulls the whole part into memory.

> 	if (index($contents, $marker1) > -1 &&
> 	    index($contents, $marker2) > -1) {
> 		return 1;
> 	}
> 	return 0;
> }

-- 
Steffen Kaiser
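As an added example (not code from this thread, and not MIMEDefang's own Perl, which a real mimedefang-filter would use), the same marker check written as a stand-alone Python script using only the standard library: contains_office_macros takes one argument and recurses into child parts without any $self, the attachment is scanned in chunks rather than slurped, and the two marker byte strings are the ones from the quoted filter. The message builder and attachment bodies are constructed test data.

```python
import io
import re
import email
from email import policy
from email.message import EmailMessage

MARKER1 = b"\xd0\xcf\x11\xe0"   # OLE2 compound-file header, as in the quoted filter
MARKER2 = b"\x00Attribut\x00"   # same bytes as $marker2 in the quoted filter
OFFICE_EXT = re.compile(r"\.(doc|docx)$", re.I)

def stream_contains_markers(fh, chunk_size=65536):
    """Scan a file-like object chunk by chunk instead of slurping it into memory."""
    # carry len(marker)-1 trailing bytes so a marker split across chunks is still seen
    overlap = max(len(MARKER1), len(MARKER2)) - 1
    found1 = found2 = False
    tail = b""
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            return found1 and found2
        buf = tail + chunk
        found1 = found1 or MARKER1 in buf
        found2 = found2 or MARKER2 in buf
        if found1 and found2:
            return True
        tail = buf[-overlap:]

def contains_office_macros(entity):
    """Single argument: the parsed message or one part; recurses into children."""
    if entity.is_multipart():
        return any(contains_office_macros(p) for p in entity.iter_parts())
    # get_filename() looks at Content-Disposition filename, then Content-Type name
    if not OFFICE_EXT.search(entity.get_filename() or ""):
        return False
    payload = entity.get_payload(decode=True)  # undo base64/quoted-printable
    return payload is not None and stream_contains_markers(io.BytesIO(payload))

def message_contains_office_macros(raw_bytes):
    return contains_office_macros(email.message_from_bytes(raw_bytes, policy=policy.default))

def build_sample(attachment, filename):
    """Constructed test message (not real mail) carrying one attachment."""
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(attachment, maintype="application", subtype="msword", filename=filename)
    return msg.as_bytes()

# Constructed attachment bodies: only MACRO_DOC carries both markers.
MACRO_DOC = MARKER1 + b"\x00" * 16 + MARKER2 + b"filler"
CLEAN_DOC = MARKER1 + b"\x00" * 32
```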
