Is MS vulnerable to this Unicode trick?
mark at msapiro.net
Sun May 15 17:26:11 IST 2011
On 11:59 AM, Beauchemin, Denis wrote:
> Not everybody is using “file”. I think those that don't use it are probably vulnerable.
According to my tests with MailScanner 4.83.5, they are not.
I created a file with name 'abcdef\u202B\u202Ecod.exe' where
\u202B\u202E are the Unicode right-to-left embedding and right-to-left
override codes respectively. This file displays in Windows Explorer as
an 'executable' icon, and the name appears as 'abcdefexe.doc'.
I then used Thunderbird to send myself an email with the file attached.
Thunderbird attached the file as
Note the name= parameter is RFC 2047 encoded and the filename= is RFC
2231 encoded, but both decode to the 'abcdef\u202B\u202Ecod.exe' name.
MailScanner 4.83.5 removed the attached file and logged the following:
May 15 08:49:34 sbh16 MailScanner: Filename Checks: Windows/DOS
Executable (89E3D6900B1.AAACB abcdef��cod.exe)
May 15 08:49:34 sbh16 MailScanner: Saved entire message to
May 15 08:49:34 sbh16 MailScanner: Saved infected
There seems to be an issue of some kind in that in the third log message
above, the name is reported as "abcdef%%E2%%80%%AB%%E2%%80%%AEco.exe"
which is missing the 'd' in cod.exe, and in the message to the user, the
name is even more garbled as
At Sun May 15 08:49:34 2011 the virus scanner said:
MailScanner: Executable DOS/Windows programs are dangerous in email
but the .exe extension was properly recognized.
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
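
The check described in this post, as an added example that is not part of the original message and not MailScanner's own code: decode both the RFC 2047 name= and the RFC 2231 filename*= forms, then judge the stored name rather than the displayed one. The sample message is constructed, and the deny list and function names are assumptions made for illustration.

```python
import os
import unicodedata
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

# Bidirectional control characters that change how a file name is displayed.
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e"
                    "\u2066\u2067\u2068\u2069")
# Hypothetical deny list for this example (not MailScanner's filename rules).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat"}

# Constructed sample: name= is RFC 2047 encoded, filename*= is RFC 2231 encoded.
SAMPLE = (
    "Content-Type: application/octet-stream;\n"
    ' name="=?UTF-8?Q?abcdef=E2=80=AB=E2=80=AEcod.exe?="\n'
    "Content-Disposition: attachment;\n"
    " filename*=UTF-8''abcdef%E2%80%AB%E2%80%AEcod.exe\n"
    "\n"
    "placeholder body\n"
)

def attachment_names(raw_message):
    """Return every decoded name a mail client might use for each part."""
    names = []
    for part in message_from_string(raw_message).walk():
        for param, header in (("filename", "content-disposition"),
                              ("name", "content-type")):
            value = part.get_param(param, header=header)
            if value is None:
                continue
            value = collapse_rfc2231_value(value)           # RFC 2231 form
            value = str(make_header(decode_header(value)))  # RFC 2047 form
            names.append(value)
    return names

def check_name(name):
    """Inspect the name as stored on disk, not as a bidi-aware UI draws it."""
    findings = []
    controls = sorted({unicodedata.name(c) for c in name if c in BIDI_CONTROLS})
    if controls:
        findings.append("bidi controls: " + ", ".join(controls))
    # Drop invisible format characters before reading the real extension.
    stripped = "".join(c for c in name if unicodedata.category(c) != "Cf")
    ext = os.path.splitext(stripped)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        findings.append("blocked extension: " + ext)
    return findings

if __name__ == "__main__":
    for n in attachment_names(SAMPLE):
        print(ascii(n), check_name(n))
```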