[7491] in bugtraq
Re: Long attachment filename exploits: a procmail filter
daemon@ATHENA.MIT.EDU (John D. Hardin)
Thu Jul 30 14:06:58 1998
Date: Wed, 29 Jul 1998 20:05:45 -0700
Reply-To: "John D. Hardin" <jhardin@WOLFENET.COM>
From: "John D. Hardin" <jhardin@WOLFENET.COM>
X-To: Brett Glass <brett@lariat.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199807300237.UAA21468@lariat.lariat.org>
On Wed, 29 Jul 1998, Brett Glass wrote:
> This recipe is a great start! However, there are a few potential improvements.
Fire away!
> First, it doesn't recognize tabs as whitespace or handle optional
> whitespace in a few places where MIME would allow it.
I fixed that - thanks for pointing it out. Please grab the
html-trap.procmail snippet again and take a look.
> Second, it invokes Perl on any message with a MIME attachment, which
> could slow the mail server greatly. It would be preferable to detect the
> exploit in procmail and only invoke Perl to "cleanse" the message if
> that were necessary.
Not so. It uses procmail REs to detect long filenames and executable
filenames, and only calls perl to sanitiza them if they are found.
> Alternatively, it could redirect the mail to the postmaster so he or she
> would know that users were under attack.
Hmm. That would be simple a matter of adding
:0c
! postmaster
to the block that calls perl - before (unsanitized) or after (sanitized)
perl cleans the message would be a judgement call.
Alternatively you could send the entire message as an attachment - that
might be better. Could someone give me an action that will take the
message being processed and mail it as a MIME attachment to postmaster?
I'm not very familiar with formail.
> Finally, there are other possible exploits, like a very long content
> type, that might also lead to buffer oveflows in mail clients. These
> should be checked too.
If you can give me an example, I'll be glad to add a trap for it. I'll
take a shot at it without a sample, but it might not be too good.
> Can people suggest improvements to John's recipes that solve these
> problems? Greg Sutter and Chris Lindsey have both come up with patterns
> that do more of the matching within procmail, but they still need a
> little refinement.
>
> In any event, this is a great start. It's fantastic that someone who had
> most of the needed recipe already written was on the list.... This is
> what's great about the Net!
...and that I also lurk on bugtraq and ntbugtraq... :)
--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Your mouse has moved. Windows NT must be restarted for the change
to take effect. Reboot now? [ OK ]
-----------------------------------------------------------------------
88 days until Daylight Savings Time ends
