Mailscanner dies

Julian Field mailscanner at ecs.soton.ac.uk
Tue Oct 29 10:27:37 GMT 2002 

Ouch!

Well done for spotting this one. It affects all virus scanning engines, and
both Version 3 and Version 4.

The patch for version 4 is this:

diff -Naur
/root/unstable/mailscanner/mailscanner/bin/MailScanner/Message.pm Message.pm
--- /root/unstable/mailscanner/mailscanner/bin/MailScanner/Message.pm   Wed
Oct 23 21:27:17 2002
+++ Message.pm  Tue Oct 29 10:37:14 2002
@@ -1836,7 +1836,8 @@

    # Construct all the attachments
    foreach $attachment (@files) {
-    $top->attach(Path        => "$attachment",
+    # Added "./" to start of next line to avoid potential DoS attack
+    $top->attach(Path        => "./$attachment",
                   Type        => "application/octet-stream",
                   Encoding    => "base64",
                   Disposition => "attachment");

The patch for version 3 is this:

--- disinfect.pl.old    Tue Oct 29 10:38:50 2002
+++ disinfect.pl        Tue Oct 29 10:39:11 2002
@@ -144,7 +144,8 @@
      $top->attach(Data=>$message);

      foreach $attachment (@{$CleanedUp{"$id"}}) {
-      $top->attach(Path        => "$attachment",
+      # Added "./" to next line to avoid possible DoS attach
+      $top->attach(Path        => "./$attachment",
                     Type        => "application/octet-stream",
                     Encoding    => "base64",
                     Disposition => "attachment");

I will produce new versions of both V3 and V4 very soon.

At 08:54 29/10/2002, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hello *,
>
>MailScanner-4.03-1, when  it meet a vired attach named with a name starting
>with a space, it dies.
>The same behaviour there was with version 3.
>so I thing this may be a possible Dos.
>
>mirko
>
>
>
>Oct 29 07:28:08 aurora MailScanner[14250]: MailScanner
>Oct 29 07:28:08 aurora MailScanner[14250]: MailScanner E-Mail Virus Scanner
>version 4.03-1 starting...
>Oct 29 07:28:08 aurora MailScanner[14250]: Using locktype = flock
>Oct 29 09:28:09 aurora sendmail[14252]: g9T8S9L14252:
>from=<mirko at aurora.lorenzo.com>, size=328245, class=0, nrcpts=1,
>msgid=<200210290828.g9T8S9L14252 at aurora.lorenzo.com>, proto=SMTP, daemon=MTA,
>relay=[192.168.36.81]
>Oct 29 07:28:13 aurora MailScanner[14250]: New Batch: Scanning 1 messages,
>328709 bytes
>Oct 29 07:28:13 aurora MailScanner[14250]: Virus and Content Scanning:
>Starting
>Oct 29 07:28:14 aurora MailScanner[14250]: /g9T8S9L14252/ corponew.doc
>Found the W97M/Thus.gen virus !!!
>Oct 29 07:28:14 aurora MailScanner[14250]: Virus Scanning: mcafee found 1
>infections
>Oct 29 07:28:14 aurora MailScanner[14250]: Virus Scanning: Found 1 viruses
>Oct 29 07:28:14 aurora MailScanner[14250]: Saved infected " corponew.doc" to
>/var/spool/MailScanner/quarantine/20021029/g9T8S9L14252
>Oct 29 07:28:14 aurora MailScanner[14250]: Cleaned: Delivered 1 cleaned
>messages
>Oct 29 09:28:14 aurora sendmail[14259]: g9T8SEk14259: from=<>, size=620,
>class=0, nrcpts=1, msgid=<200210290828.g9T8SEk14259 at aurora.lorenzo.com>,
>relay=root at localhost
>Oct 29 09:28:14 aurora sendmail[14258]: g9T8S9L14252:
>to=<mirko at aurora.lorenzo.com>, ctladdr=<mirko at aurora.lorenzo.com> (500/500),
>delay=00:00:05, xdelay=00:00:00, mailer=local, pri=448245, dsn=2.0.0,
>stat=Sent
>Oct 29 07:28:14 aurora MailScanner[14250]: Sender Warnings: Delivered 1
>warnings to virus senders
>Oct 29 09:28:14 aurora sendmail[14266]: g9T8SE314266: from=postmaster,
>size=443, class=0, nrcpts=1,
>msgid=<200210290828.g9T8SE314266 at aurora.lorenzo.com>, relay=root at localhost
>Oct 29 09:28:14 aurora sendmail[14264]: g9T8SEk14259:
>to=mirko at aurora.lorenzo.com, delay=00:00:00, xdelay=00:00:00, mailer=local,
>pri=30620, dsn=2.0.0, stat=Sent
>Oct 29 07:28:14 aurora MailScanner[14250]: Notices: Warned about 1 messages
>Oct 29 07:28:14 aurora MailScanner[14250]: Disinfection: Attempting to
>disinfect 1 messages
>Oct 29 09:28:14 aurora sendmail[14269]: g9T8SE314266: to=root,
>delay=00:00:00,
>xdelay=00:00:00, mailer=local, pri=30443, dsn=2.0.0, stat=Sent
>read-open  corponew.doc: No such file or directory at
>/usr/lib/perl5/site_perl/5.6.1/MIME/Body.pm line 417.
>Oct 29 07:28:15 aurora MailScanner[14250]: Disinfection: Rescan found only 0
>viruses
>Oct 29 09:28:16 aurora sendmail[14273]: g9T8SG914273: from=postmaster,
>size=916, class=0, nrcpts=1,
>msgid=<200210290828.g9T8SG914273 at aurora.lorenzo.com>, relay=root at localhost
>Oct 29 09:28:16 aurora sendmail[14276]: g9T8SG914273:
>to=mirko at aurora.lorenzo.com, delay=00:00:00, xdelay=00:00:00, mailer=local,
>pri=30916, dsn=2.0.0, stat=Sent
>Oct 29 07:28:18 aurora MailScanner[14279]: MailScanner
>Oct 29 07:28:18 aurora MailScanner[14279]: MailScanner E-Mail Virus Scanner
>version 4.03-1 starting...
>Oct 29 07:28:18 aurora MailScanner[14279]: Using locktype = flock
>
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.6 (GNU/Linux)
>Comment: For info see http://www.gnupg.org
>
>iD8DBQE9vkzVmXvUZ7obFPgRAgBPAJ4tDBpKtoAVmVIjKGWSwD8NlBYBagCfQSq3
>tgfwcu3xz84csolW4obhQk4=
>=EmDb
>-----END PGP SIGNATURE-----

--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20021029/d2d6f388/attachment.html

More information about the MailScanner mailing list