Is MS vulnerable to this Unicode trick?

Mark Sapiro mark at msapiro.net
Sun May 15 17:26:11 IST 2011 

On 11:59 AM, Beauchemin, Denis wrote:
> Martin,
> 
> Not everybody is using “file”. I think those that don't use it are probably vulnerable.


According to my tests with MailScanner 4.83.5, they are not.

I created a file with name 'abcdef\u202B\u202Ecod.exe' where
\u202B\u202E are the unicode right-to-left embedding and right-to-left
override codes respectively. This file displays in Windows explorer as
an 'executable' icon, and the name appears as 'abcdefexe.doc'.

I then used Thunderbird to send myself an email with the file attached.
Thunderbird attached the file as

Content-Type: application/x-msdownload;
 name="=?UTF-8?B?YWJjZGVm4oCr4oCuY29kLmV4ZQ==?="
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename*0*=UTF-8''%61%62%63%64%65%66%E2%80%AB%E2%80%AE%63%6F%64%2E%65%78;
 filename*1*=%65

Note the name= parameter is RFC 2047 encoded and the filename= is RFC
2231 encoded, but both decode to the 'abcdef\u202B\u202Ecod.exe' name.

Mailscanner 4.83.5 removed the attached file and logged the following:

May 15 08:49:34 sbh16 MailScanner[21254]: Filename Checks: Windows/DOS
Executable (89E3D6900B1.AAACB abcdef��cod.exe)
May 15 08:49:34 sbh16 MailScanner[21254]: Saved entire message to
/var/spool/MailScanner/quarantine/20110515/89E3D6900B1.AAACB
May 15 08:49:34 sbh16 MailScanner[21254]: Saved infected
"abcdef%%E2%%80%%AB%%E2%%80%%AEco.exe" to
/var/spool/MailScanner/quarantine/20110515/89E3D6900B1.AAACB

There seems to be an issue of some kind in that in the third log message
above, the name is reported as "abcdef%%E2%%80%%AB%%E2%%80%%AEco.exe"
which is missing the 'd' in cod.exe, and in the message to the user, the
name is even more garbled as

At Sun May 15 08:49:34 2011 the virus scanner said:
   MailScanner: Executable DOS/Windows programs are dangerous in email
(abcdef80E2AEco.exe)

but the .exe extension was properly recognized.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list