Microsoft Word and Excel documents with embedded harmful objects

Rick Cooper rcooper at dwford.com
Mon Apr 3 19:03:14 IST 2006

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Adri
> Koppes
> Sent: Monday, April 03, 2006 9:12 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Microsoft Word and Excel documents with embedded harmfull
> objects
>
>
> Recently some users have discovered a new trick to send blocked and
> potentially harmful files through the MailScanner gateway.
> They create an email message with a Microsoft Word or Excel document
> attachment, which contains an embedded OLE object or package.
> The embedded object can be ANY other file, including executables etc.
> When scanned by MailScanner, the executable and other embedded objects
> are not detected and the message is passed through to the user's mailbox!
> Obviously this is not what we would like to happen.
> I have found a little program 'ripOLE' on
> http://freshmeat.net/projects/ripole/, which will extract all embedded
> objects from a Word document.
> Would it be easy to integrate 'ripOLE' or an equivalent program into
> MailScanner to be called for attachments? If the embedded objects are
> extracted into the normal temp directory, then MailScanner will subject
> them to the same file-name/type restrictions as normal attachments.
> Probably 'ripOLE' only needs to be called when the /usr/bin/file command
> has determined the attachment to be some kind of 'Microsoft Office Data'
> file.
>

I looked at this program and it could be called from SafePipe on each
attachment after exploding them, as it's quite fast and will return error
code 102 when a file is not in OLE format and also returns the string "File
'filename' is not OLE2 format". If called on an OLE file without OLE
attachments it returns error code 30 and the string "ripOLE: decoding of
filename resulted in error 30".

The bad thing I see is there is no way to control the output name of the
object. ripole does basic sanitization (removes non-alphanumeric and
low/high order chars) but that is about it. There wouldn't be any way to
tell the program a new name to output to, as there may be many files embedded
in a single input file.

I suppose you could have it output to a safe subdir under the working dir
and handle anything found there, as non-alphanumeric characters (such as "/" but not
".") are removed in the sanitize function and couldn't escape the MS-supplied
path name (like /path/../../filename). It would add another layer to the
explode, as you would have to explode, ripole, make safe names of files found
in the ripole attachment dir, move them to the current working dir, explode
anything new, etc. before scanning. I do believe ClamAV catches infected OLE
streams, but this could be a good way to send bad things.

Rick
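The gateway-side steps discussed in this thread (recognise an OLE2 container, take the object names an extractor such as ripOLE would emit, force them into a form that cannot escape the extraction directory, then apply the usual filename rules to them) can be sketched as follows. This is an added illustration, not code from the list, from MailScanner or from ripOLE; ripOLE itself is not invoked, the object names, the blocked-extension set and the `/tmp/ripole-out` directory are constructed assumptions for the example.

```python
import os
import re

# OLE2 / Compound File Binary header signature: the first 8 bytes of any
# legacy Word/Excel document, and what file(1) keys on for "Microsoft Office".
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Hypothetical filename policy. Constructed for this example; not
# MailScanner's real filename rules.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "bat", "com", "vbs", "js"}

# Constructed object names of the kind an extractor might write out for a
# document whose embedded packages carry attacker-chosen names.
CONSTRUCTED_OBJECT_NAMES = [
    "quarterly.xls",
    "../../etc/cron.d/payload.exe",
    "invoice.pdf.scr",
    "notes.txt",
    "..",
]


def is_ole2(data: bytes) -> bool:
    """True if the attachment starts with the OLE2 compound-file magic."""
    return data[:8] == OLE2_MAGIC


def sanitize_name(name: str) -> str:
    """Reduce an untrusted object name to the character set [A-Za-z0-9._].

    Every other character, including "/" and "\\", becomes "_", so the result
    can never contain a path separator.  "." is kept (it carries the
    extension the filename rules need), so a name consisting only of dots is
    replaced outright rather than being allowed to resolve to "." or "..".
    """
    safe = re.sub(r"[^A-Za-z0-9._]", "_", name)
    if not safe or set(safe) <= {"."}:
        safe = "unnamed_object"
    return safe[:255]


def contained_path(base_dir: str, name: str) -> str:
    """Join a sanitized name to base_dir and verify it stays inside it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"object name escapes extraction dir: {name!r}")
    return target


def extension_of(name: str) -> str:
    """Lower-cased final extension, or "" when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_embedded_objects(names, base_dir="/tmp/ripole-out"):
    """Apply the gateway's filename rules to extracted object names.

    Returns (allowed, blocked): lists of (original, sanitized) name pairs.
    contained_path() is called as a belt-and-braces check; after
    sanitize_name() it cannot fail, but it documents the invariant.
    """
    allowed, blocked = [], []
    for raw in names:
        safe = sanitize_name(raw)
        contained_path(base_dir, safe)
        if extension_of(safe) in BLOCKED_EXTENSIONS:
            blocked.append((raw, safe))
        else:
            allowed.append((raw, safe))
    return allowed, blocked


if __name__ == "__main__":
    # A constructed 512-byte header is enough to exercise the magic check.
    print("OLE2 container:", is_ole2(OLE2_MAGIC + b"\x00" * 504))
    allowed, blocked = triage_embedded_objects(CONSTRUCTED_OBJECT_NAMES)
    for raw, safe in blocked:
        print(f"BLOCK  {raw!r:40} -> {safe}")
    for raw, safe in allowed:
        print(f"allow  {raw!r:40} -> {safe}")
```

Only the first eight bytes decide whether the extractor runs at all, which mirrors the suggestion to gate on the `file` command's verdict; the extension check runs on the sanitized name so that a traversal prefix cannot hide the real extension from the rule.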
