Recursive archive attachment expansion and filetype/name checks

Julian Field MailScanner at ecs.soton.ac.uk
Tue Apr 25 13:51:06 IST 2006


On 25 Apr 2006, at 11:52, Harris S wrote:

> Hello Julian,
>
> Thank you for your prompt reply :-)
>
> However, I think I have nailed it down (although I would appreciate it
> if you told me I made a mistake going to such lengths.... I hope not
> :-S )
>
>
> The MS code does not deal yet with gz (or tgz..) and it does not
> effectively identify the file as an archive (Idea - At the expense of
> compatibility with W32 platforms, could the 'file' system be used to
> identify archives instead of the small $buffer code snippet?)

It's just that, as it has to do it for every file (in every archive or not) in every message, it will slow things down quite a bit. And a lot of people don't do file content checking (using the "file" command) at all, so I can't guarantee the existence of the file command setting.

I have also not done it for tar.gz or tgz as no viruses or malware exist that use this. And it is only one layer of defence among many. In my experience, mail that *only* triggers on the tar.gz or tgz contents doesn't exist. Any malware of this sort triggers loads of other traps too.

But I completely agree with you that it is not perfect in this respect.

> It turns out that the Archive::Zip module will not expand gz archives
> anyway, so even if the system was able to identify it, it would not be
> able to expand it.
> (Archive::Extract, I did not particularly like it, but what about
> using as a last resort?)

Haven't come across Archive::Extract; I will have to take a look. This processing is done a lot and so needs to be fast.

> As gzip can only pack one archive at a time, and with the
> proliferation of winZip which does autoexpand gz's (ok... XP native
> zip support is far more dangerous), I thought I should have a go at
> hacking the code.

Thanks for that. I'm not sure I'll use your code; I tend to reimplement in my own style so that I can be sure I get all the attack countermeasures in place correctly.

> Below is the result of this morning's effort (and hopefully to a live
> system today) :-)

Please do let me know how you get on, this sounds like a good idea.

> -----------------------------------------------
>
> 1747c1747
> <   my($cyclecounter, $rarerror);
> ---
>>   my($cyclecounter, $rarerror, $gziperror);
> 1906a1907,1908
>>                 # Added by Harris
>>                 $buffer eq "\x1f\x8b\x08\x08" ||
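Review bot: the four-byte signature `"\x1f\x8b\x08\x08"` added at 1907 is too narrow. In a gzip header only the first three bytes are fixed (ID1 0x1f, ID2 0x8b, CM 0x08 for deflate); the fourth byte is the FLG field, which equals 0x08 only when FNAME alone is set, so a gzip member written without a stored filename, or with FEXTRA/FCOMMENT/FHCRC set, is not recognised and skips the new unpack path entirely. Compare the first three bytes instead, e.g. `substr($buffer, 0, 3) eq "\x1f\x8b\x08" ||`.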
> 1931c1933,1943
> <       # If unpacking as a zip failed, try it as a rar
> ---
>>       # If unpacking as a zip failed, try it as a gzip
>>
>>       # GZIP unpacking
>>       # Added by Harris
>>
>>       $gziperror = "";
>>       #print STDERR "About to unpack gzip $part\n";
>>       $gziperror = $this->UnpackGzip($part, $explodeinto);
>>       #print STDERR "* * * * * * * UnpackGzip $part returned  
>> $ziperror\n";
>>       # If unpacking as a gzip failed, try it as a rar
>>
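Review bot: the commented-out debug line at 1940-1941 interpolates `$ziperror` where `$gziperror` is meant, so it will report the wrong variable the moment it is re-enabled. More importantly, nothing in this hunk looks at `$gziperror` after the call: the trailing comment says "If unpacking as a gzip failed, try it as a rar", but the code falls through to the rar path unconditionally, so the result of UnpackGzip is assigned and then discarded unless the code below (not shown) consults it. Either test `$gziperror` here, mirroring whatever the zip path does with `$ziperror`, or drop the variable.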
> 2400a2413,2430
>>
>> # Unpack a gzip file into the named directory.
>> # Return 1 if an error occurred, else 0.
>> # Return 0 on success.
>> sub UnpackGzip {
>>   my($this, $gzipname, $explodeinto) = @_;
>>
>>   my($gzip);
>>
>>   #print STDERR "Unpacking $gzipname\n";
>>   return 1 if -s "$explodeinto/$gzipname" == 4_237_4; # zip of death?
>>   return 1 unless $gzip = SafePipe( "gunzip -d -S $explodeinto/ 
>> $gzipname -o gzip_out $gzipname 2>/dev/null", 10);
>>
>>   return 0;
>> }
>>
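Review bot: the gunzip command at 2425-2426 will not run as intended. `-S` is gzip's --suffix option and takes an argument, so `$explodeinto/$gzipname` is swallowed as the suffix, and gzip has no `-o` option, so gunzip rejects the command line and `2>/dev/null` hides the usage error; every gzip attachment then takes the `return 1` path. Write the output explicitly with stdout mode instead, e.g. `gunzip -c -- "$explodeinto/$gzipname" > "$explodeinto/$gzipname.unpacked"`, quoting the paths so an attachment name containing shell metacharacters cannot change the command that SafePipe runs, and confirm what SafePipe returns on success, since `return 1 unless $gzip = SafePipe(...)` treats an empty result as failure. The size test `== 4_237_4` (42374 bytes) is the "zip of death" check copied from the zip path and means nothing for gzip; what guards against a gzip bomb is a cap on the number of bytes written during decompression. Finally, the two "Return ..." comments above `sub UnpackGzip` say the same thing twice.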

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

