Filename.rules.conf - CLSID false positive

Julian Field mailscanner at ecs.soton.ac.uk
Tue Apr 27 14:44:53 IST 2004


There is a Bugtraq article
http://www.securityfocus.com/archive/1/351379
which explains how a CLSID in the middle of a filename can be used to force
execution of a file that appears to be an MPEG. Windows gives the CLSID
precedence over the file extension.

Later articles in the thread argue that it is only dangerous, and not
actually lethal, in the hands of users. Originally I matched the CLSID at
the end of the filename, but changed it later because of this report.

At 14:30 27/04/2004, you wrote:

>Has anyone else encountered any false positives with this filename rule?
>
># Deny filenames ending with CLSID's
>deny    \{[a-hA-H0-9-]{25,}\}   Filename trying to hide its real type   Files containing CLSID's are trying to hide their real type
>
>I have a vendor who sends PDF files that look like:
>
>         138139_{8B5AC3AF-BE17-4A06-BB98-790FA5C00C9B}.pdf
>
>I researched the CLSID vulnerability and it seems that it is only
>effective when tagged at the end of the filename, after the extension.  I
>am considering revising this regex to something like:
>
>\{[a-hA-H0-9-]{25,}\}$
>
>Does anyone see any danger in this change?

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
For further info about MailScanner, please see the Most Asked
Questions at    http://www.mailscanner.biz/maq/     and the archives
at    http://www.jiscmail.ac.uk/lists/mailscanner.html
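The two regexes discussed above (the shipped rule that matches a CLSID anywhere in the name, and the end-anchored variant proposed in the quoted message), run through a small evaluator for the filename.rules.conf layout. This is an added illustration, not code from MailScanner or from either poster; it assumes the four fields are tab-separated and that the first matching rule decides, and the log/user texts for the end-anchored rule, the "holiday.mpg" filename and the rule_line/verdicts helpers are constructed for the example.

```python
"""Evaluate filename.rules.conf-style rules against attachment names.

Added example (not MailScanner's own code).  Assumes the layout
  action <TAB> regex <TAB> log text <TAB> user report text
and that rules are tried in order with the first match winning.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str          # allow, deny or deny+delete
    pattern: re.Pattern  # searched, not anchored, unless the regex anchors itself
    logtext: str
    usertext: str


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\t+", line, maxsplit=3)
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        action, regex, logtext, usertext = fields
        # Case-insensitive matching is an assumption made explicit here.
        rules.append(Rule(action.lower(), re.compile(regex, re.IGNORECASE), logtext, usertext))
    return rules


def check_filename(rules: List[Rule], filename: str) -> Tuple[str, Optional[str]]:
    """Return (action, log text) of the first matching rule, or ('allow', None)."""
    for rule in rules:
        if rule.pattern.search(filename):
            return rule.action, rule.logtext
    return "allow", None


def rule_line(action: str, regex: str, logtext: str, usertext: str) -> str:
    """Helper (constructed) that builds one tab-separated rule line."""
    return "\t".join((action, regex, logtext, usertext))


# The character class as posted in the thread; a-h is wider than hex but harmless.
CLSID_CLASS = r"\{[a-hA-H0-9-]{25,}\}"

# Rule as quoted: matches a CLSID anywhere in the filename.
ANYWHERE_RULES = parse_rules(rule_line(
    "deny", CLSID_CLASS,
    "Filename trying to hide its real type",
    "Files containing CLSID's are trying to hide their real type"))

# Proposed variant: only a CLSID at the very end of the name (texts are constructed).
END_ONLY_RULES = parse_rules(rule_line(
    "deny", CLSID_CLASS + "$",
    "Filename ending in a CLSID",
    "Files ending in a CLSID are trying to hide their real type"))

# Constructed sample names: the vendor's PDF from the thread, a name with the
# CLSID appended after the extension (the shape the Bugtraq post describes),
# and a plain PDF.
SAMPLES = [
    "138139_{8B5AC3AF-BE17-4A06-BB98-790FA5C00C9B}.pdf",
    "holiday.mpg.{8B5AC3AF-BE17-4A06-BB98-790FA5C00C9B}",
    "report.pdf",
]


def verdicts(filename: str) -> Tuple[str, str]:
    """(verdict of the anywhere rule, verdict of the end-anchored rule)."""
    return (check_filename(ANYWHERE_RULES, filename)[0],
            check_filename(END_ONLY_RULES, filename)[0])


if __name__ == "__main__":
    for name in SAMPLES:
        anywhere, end_only = verdicts(name)
        print(f"{name:55} anywhere={anywhere:5} end-only={end_only}")
```

The vendor's PDF is denied by the unanchored rule and allowed by the `$`-anchored one, while a name with the CLSID after the extension is denied by both; the anchored rule therefore removes this particular false positive without letting the "CLSID last" case through, but it no longer catches a CLSID that sits before a further extension.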
