[Esa-l] Broken pipe?
DaveZ
zarnoch at qedinfo.com
Fri Dec 15 09:31:49 PST 2000
Folks,
Got a little problem...
I downloaded the following source packages:
mmencode from:
http://dopey.rediris.es/ftp/software/sun/solaris-freeware/SOURCES/
(The link in the "sanitizer page" is broken)
mktemp from:
ftp://ftp.openbsd.org/pub/OpenBSD/src/usr.bin/mktemp/
(As the web page suggested)
I had problems compiling both on Solaris 2.6, but a fellow worker succeeded.
Now, both commands work fine from the command line; however, when I install them in /usr/local/bin, I get the attached error in the procmail.log file after I send a test *.doc message with a *.vbs file inserted.
Any help?
Thanks!
Dave Zarnoch
Senior Systems Administrator
QED Information Systems
zarnoch at qedinfo.com
(856)797-1200
-------------- next part --------------
Defanging active HTML content in "test12" from DaveZ <zarnoch at philadelphia.qedinfo.com> to zarnoch msgid=<200012142016.PAA04576 at philadelphia.qedinfo.com>
Sanitizing MIME attachment headers in "test12" from DaveZ <zarnoch at philadelphia.qedinfo.com> to zarnoch msgid=<200012142016.PAA04576 at philadelphia.qedinfo.com>
Scanning "funny.doc".
Mangling executable filename "funny.doc".
Broken Pipe
procmail: Program failure (141) of " perl -p -e ' #\
$pasthdr = 1 if /^\s*$/; #\
unless ($pasthdr) { #\
if (($type) = /^Content-Type\s*:\s.*(application|multipart)\/\S+;/i) { #\
$wanthdr = 1; #\
print "X-Security: MIME headers sanitized on ", $ENV{"HOST"}, "\n"; #\
print "\tSee http://www.impsec.org/email-tools/procmail-security.html\n"; #\
print "\tfor details. \$Revision: 1.124 $x\$Date: 2000-12-02 17:53:02-08 $x\n"; #\
if ($type =~ /application/i) { #\
$inmimehdr = 1; #\
} #\
} elsif (/^\S/) { #\
$wanthdr = 0; #\
} #\
if ($wanthdr) { #\
if (($mimeboundary) = /boundary\s*=\s*(("")|(".+")|([^"]\S+))/i) { #\
$mimeboundary =~ s/(^"|"$)//g; #\
$rawboundary = $mimeboundary; #\
$gotboundary = 1; #\
$boundarytoolong = $nullboundary = 0; #\
if ($boundarytoolong = (length($mimeboundary) > 80)) { #\
warn " Truncating long MIME body-part boundary string.\n"; #\
$newboundary = substr($mimeboundary,0,64); #\
$mimeboundary = quotemeta($mimeboundary); #\
s/${mimeboundary}/${newboundary}/; #\
$rawboundary =~ s/${mimeboundary}/${newboundary}/; #\
} elsif ($nullboundary = (length($mimeboundary) < 1)) { #\
warn " Replacing null MIME body-part boundary string.\n"; #\
$newboundary = "==NULL_MIME_BOUNDARY_ATTACK_SANITIZED-${$}=="; #\
s/boundary\s*=\s*""/boundary = "${newboundary}"/i; #\
} else { #\
$mimeboundary = quotemeta($mimeboundary); #\
} #\
} #\
} #\
} #\
if ($mimeboundary || ($gotboundary && $nullboundary) || $inmimehdr) { #\
if (/^\s*$/) { #\
$inmimehdr = 0; #\
} elsif (/^--${mimeboundary}(--)?$/o) { #\
$inmimehdr = 1; #\
$strip_attachment = $check_attachment = 0; #\
s/${mimeboundary}/${newboundary}/ if $boundarytoolong; #\
s/^--/--${newboundary}/ if $nullboundary; #\
} elsif (!$inmimehdr && $strip_attachment) { #\
$_ = ""; #\
} elsif (!$inmimehdr && $check_attachment) { #\
$check_attachment = 0; #\
if ($destf = `mktemp /tmp/mailchk.XXXXXX`) { #\
chomp($destf); #\
if (open(DECODE,"|mimencode -u -o $destf")) { #\
do { #\
print $_; #\
print DECODE $_; #\
$_ = <>; #\
$lastline = $_; #\
} until (/^\s*$/ || /^--/); #\
close(DECODE); #\
# Run virus-checker here. #\
open(ATTCH,"< $destf"); #\
$msapp = $score = 0; #\
while (<ATTCH>) { #\
$score+= 99 if /\000VirusProtection/i; #\
$score+= 99 if /\000select\s[^\000]*shell\s*\(/i; #\
$score+= 9 if /\000regedit/i; #\
$score+= 9 if /\000SaveNormalPrompt/i; #\
$score+= 9 if /\000Outlook.Application\000/i; #\
$score+= 4 if /\000ID="{[-0-9A-F]+$/i; #\
$score+= 4 if /\000CreateObject/i; #\
$score+= 4 if /(\000|\004)([a-z0-9_]\.)*(Autoexec|Workbook_(Open|BeforeClose)|Document_(Open|New|Close))/i; #\
$score+= 4 if /(\000|\004)(Logon|AddressLists|AddressEntries|Recipients|Subject|Body|Attachments|Logoff)/i; #\
$score+= 2 if /\000Shell/i; #\
$score+= 2 if /\000Options[^\w\s]/i; #\
$score+= 2 if /\000CodeModule/i; #\
$score+= 2 if /\000([a-z]+\.)?Application\000/i; #\
$score+= 2 if /(\000|\004)stdole/i; #\
$score+= 2 if /(\000|\004)NormalTemplate/i; #\
$score+= 1 if /\000ThisWorkbook\000/i; #\
$score+= 1 if /\000PrivateProfileString/i; #\
$score+= 1 if /\000ID="{[-0-9A-F]+}"/i; #\
$score+= 1 if /(\000|\004)(ActiveDocument|ThisDocument)/i; #\
$score+= 1 if /\000\[?HKEY_(CLASSES_ROOT|CURRENT_USER|LOCAL_MACHINE)/; #\
$msapp+= 1 if /\000(Microsoft (Word Document|Excel Worksheet|Excel|PowerPoint)|MSWordDoc|Word\.Document\.[0-9]+|Excel\.Sheet\.[0-9]+)\000/; #\
} #\
close(ATTCH); #\
unlink($destf); #\
if ($msapp) { #\
if ($histfile = $ENV{"SCORE_HISTORY"}) { #\
if (open(HIST,">>$histfile")) { #\
print HIST "score=$score msgid=".$ENV{"MSGID"}." from=".$ENV{"FROM"}."\n"; #\
close HIST; #\
} #\
} #\
$poison_score = $ENV{"POISONED_SCORE"}; #\
$poison_score = 5 if $poison_score < 5; #\
if ($score > $poison_score && !$ENV{"SCORE_ONLY"}) { #\
warn " POSSIBLE MACRO EXPLOIT: Score=$score\n"; #\
print "\n\n--$rawboundary\n"; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "X-Content-Security: NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "X-Content-Security: REPORT: Trapped poisoned Microsoft attachment\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "X-Content-Security: QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\
print "Content-Description: SECURITY WARNING\n\n"; #\
print "SECURITY WARNING!\n"; #\
print "The mail delivery system has detected that the preceding\n"; #\
print "document attachment appears to contain hazardous macro code.\n"; #\
print "Macro Scanner score: $score\n"; #\
print "Contact your system administrator immediately!\n\n"; #\
} #\
} else { #\
$score = 0; #\
} #\
if ($lastline =~ /^--${mimeboundary}(--)?$/o) { #\
$inmimehdr = 1; #\
$check_attachment = 0; #\
$lastline =~ s/${mimeboundary}/${newboundary}/ if $boundarytoolong; #\
} #\
print $lastline; #\
} else { #\
warn " Cannot decode attachment: $! - is mimencode installed?\n"; #\
} #\
} else { #\
warn " Cannot extract attachment: $! - is mktemp installed?\n"; #\
} #\
} #\
if ($inmimehdr || $hdrcnt) { #\
if (/^(\s+\S|(file)?name)/) { #\
s/^\s*/ /; #\
s/^\s*// if $hdrtxt =~ /"[^"]*[^;]$/; #\
s/\s*\n$//; #\
$hdrtxt .= $_; #\
$_ = ""; #\
} else { #\
if ($hdrtxt) { #\
$hdrtxt =~ s/([^\\])\\"/\1\\?/g; #\
if ($hdrtxt =~ /`\s*`/) { #\
warn " Fixing double backquotes.\n"; #\
$hdrtxt =~ s/`\s*`/\\"/g; #\
} #\
if ($hdrtxt =~ /^[-\w]+\s*:.*name\s*=\s*"[^"]+$/i) { #\
warn " Fixing missing close quote on filename.\n"; #\
$hdrtxt .= "\""; #\
} #\
while (($hdr, $val) = $hdrtxt =~ /^([-\w]+)\s*:.*\s(\S+)\s*=\s*""/i) { #\
warn " Null $val in $hdr header.\n"; #\
$sval = quotemeta($val); #\
$hdrtxt =~ s/\s$sval\s*=\s*""/ X-$val="{null value sanitized}"/; #\
} #\
while (($junk,$filen) = $hdrtxt =~ /^Content-[-\w]+\s*:[^"]*("[^"]*"[^"]+)*name\s*=\s*([^"\s][^;]+)/i) { #\
warn " Fixing unquoted filename \"$filen\".\n"; #\
$newfilen = $filen; #\
$newfilen =~ s/\"/\\"/g; #\
if ($newfilen =~ /\([^)]*\)/) { #\
warn " Filename contains embedded RFC822 comment - removing.\n"; #\
$newfilen =~ s/\([^)]*\)//g; #\
} #\
$filen = quotemeta($filen); #\
$hdrtxt =~ s/name\s*=\s*${filen}/name="$newfilen"/ig; #\
} #\
while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{120})[^"]{16,}"/i) { #\
warn " Truncating long filename \"$filen...\".\n"; #\
$filen .= "..."; #\
$filen .= "?=" if $filen =~ /^=\?/; #\
$hdrtxt =~ s/name\s*=\s*"[^"]{128,}"/name="$filen"/i; #\
} #\
if (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+\.(do[ct]|xl[swt]|p[po]t|rtf|pps)(\?=)?)"/i) { #\
warn " Scanning \"$filen\".\n"; #\
if (!$poisoned && ($specf = $ENV{"POISONED_EXECUTABLES"})) { #\
if (open(POISONED,$specf)) { #\
while (chomp($poisoned_spec = <POISONED>)) { #\
$poisoned_spec =~ s/^\s+//g; #\
$poisoned_spec =~ s/\s+$//g; #\
next unless $poisoned_spec; #\
$poisoned_spec =~ s/([^\\])\./$1\\./g; #\
$poisoned_spec =~ s/\*/.*/g; #\
$poisoned_spec =~ s/\?/./g; #\
$poisoned_spec .= "(\\?=)?"; #\
warn "Checking against \"$poisoned_spec\"\n" if $ENV{"DEBUG"}; #\
if ($filen =~ /^${poisoned_spec}$/i) { #\
warn " Trapped poisoned document \"$filen\".\n"; #\
$poisoned = 1; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "X-Content-Security: NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "X-Content-Security: REPORT: Trapped poisoned Microsoft attachment \"$filen\"\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "X-Content-Security: QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\
print "Content-Description: SECURITY WARNING\n\n"; #\
print "SECURITY WARNING!\n"; #\
print "The mail system has detected that the following\n"; #\
print "attachment may contain hazardous macro code,\n"; #\
print "is a suspicious file type or has a suspicious file name.\n"; #\
print "Contact your system administrator immediately!\n"; #\
print "Macro Scanner score: 0 (not scanned due to poisoning policy)\n\n"; #\
last; #\
} #\
} #\
close(POISONED); #\
} else { #\
warn " Unable to open poisoned-executables file \"$specf\".\n"; #\
} #\
} #\
$check_attachment = 1 unless $ENV{"DISABLE_MACRO_CHECK"}; #\
} #\
$mangle_mime_type = 0; #\
while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+\.($ENV{"MANGLE_EXTENSIONS"})(\?=)?)"/io) { #\
if (!$poisoned && ($specf = $ENV{"POISONED_EXECUTABLES"})) { #\
if (open(POISONED,$specf)) { #\
while (chomp($poisoned_spec = <POISONED>)) { #\
$poisoned_spec =~ s/^\s+//g; #\
$poisoned_spec =~ s/\s+$//g; #\
next unless $poisoned_spec; #\
$poisoned_spec =~ s/([^\\])\./$1\\./g; #\
$poisoned_spec =~ s/\*/.*/g; #\
$poisoned_spec =~ s/\?/./g; #\
$poisoned_spec .= "(\\?=)?"; #\
warn "Checking against \"$poisoned_spec\"\n" if $ENV{"DEBUG"}; #\
if ($filen =~ /^${poisoned_spec}$/i) { #\
warn " Trapped poisoned executable \"$filen\".\n"; #\
$poisoned = 1; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "X-Content-Security: NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "X-Content-Security: REPORT: Trapped poisoned executable \"$filen\"\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "X-Content-Security: QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\
print "Content-Description: SECURITY WARNING\n\n"; #\
print "SECURITY WARNING!\n"; #\
print "The mail system has detected that the following\n"; #\
print "attachment may contain hazardous executable code,\n"; #\
print "is a suspicious file type or has a suspicious file name.\n"; #\
print "Contact your system administrator immediately!\n\n"; #\
last; #\
} #\
} #\
close(POISONED); #\
} else { #\
warn " Unable to open poisoned-executables file \"$specf\".\n"; #\
} #\
} #\
warn " Mangling executable filename \"$filen\".\n"; #\
$newfilen = $filen; #\
$newfilen =~ s/\.([a-z0-9]+(\?=)?)$/.${$}DEFANGED-$1/i; #\
$filen = quotemeta($filen); #\
$hdrtxt =~ s/name\s*=\s*"?${filen}"?/name="$newfilen"/ig; #\
$mangle_mime_type = 1; #\
} #\
if ($mangle_mime_type && $hdrtxt =~ /^Content-Type:\s/i) { #\
($oct) = $hdrtxt =~ /^Content-Type:.*\s(\S+\/\S+;?)/i; #\
unless ($oct =~ /application\/octet-stream;/i) { #\
print "X-Content-Security: original Content-Type was $oct\n"; #\
$oct = quotemeta($oct); #\
$hdrtxt =~ s/${oct}/application\/octet-stream;/i; #\
} #\
} #\
if ($mangle_mime_type && $hdrtxt =~ /\sx-mac-\S+/i) { #\
$eudora = ""; #\
while (($eh) = $hdrtxt =~ /(\sx-mac-\S+\s*=\s*\S+;?)/i) { #\
$eudora .= $eh; #\
$eh = quotemeta($eh); #\
$hdrtxt =~ s/${eh}//i; #\
} #\
print "X-Content-Security: removed$eudora\n"; #\
} #\
if (($junk) = $hdrtxt =~ /^Content-Type\s*:\s+(.{128}).{100,}$/i) { #\
warn " Truncating long Content-Type header.\n"; #\
$junk =~ s/"/\\"/g; #\
$hdrtxt = "Content-Type: X-BOGUS\/X-BOGUS; originally=\"$junk...\""; #\
} elsif (($junk) = $hdrtxt =~ /^Content-Description\s*:\s+(.{128}).{100,}$/i) { #\
warn " Truncating long Content-Description header.\n"; #\
$hdrtxt = "Content-Description: $junk..."; #\
} elsif (($junk) = $hdrtxt =~ /^Content-[-\w]+\s*:\s+(.{128}).{100,}$/i) { #\
warn " Truncating long MIME header.\n"; #\
$junk =~ s/"/\\"/g; #\
$hdrtxt =~ s/^Content-([-\w]+)\s*:.*$/X-Overflow: Content-$1; originally="$junk..."/i; #\
} #\
if ($ENV{"SECURITY_STRIP_MSTNEF"} && $hdrtxt =~ /^Content-Type:\s+application\/MS-TNEF/i) { #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "X-Content-Security: REPORT: Stripped MS-TNEF attachment\n"; #\
print "Content-Description: SECURITY NOTICE\n\n"; #\
print "SECURITY NOTICE\n"; #\
print "The mail system has removed a Microsoft attachment for security reasons.\n"; #\
print "Please contact the sender of this message and ask them to\n"; #\
print "disable Rich Text format in their mail program and\n"; #\
print "disable sending TNEF to the Internet from their Microsoft Exchange gateway.\n\n"; #\
print "See http://support.microsoft.com/support/kb/articles/Q241/5/38.ASP\n"; #\
print "and http://www.microsoft.com/TechNet/exchange/2505ch10.asp for more information.\n\n"; #\
$_ = $hdrtxt = ""; #\
$strip_attachment = 1; #\
$inmimehdr = 0; #\
} #\
#if ($hdrtxt =~ /^Content-Transfer-Encoding\s*:\s+base64/i) { #\
# $check_attachment = 1; #\
#} #\
$hdrtxt =~ s/\\?/\\"/g; #\
print $hdrtxt, "\n"; #\
$hdrtxt = ""; #\
} #\
if (/^\S/) { #\
s/\s*\n$//; #\
$hdrtxt = $_; #\
$_ = ""; #\
$hdrcnt++; #\
} else { #\
$hdrcnt = 0; #\
$hdrtxt = ""; #\
} #\
} #\
} else { #\
$poisoned = 0; #\
} #\
} #\
' 2>> $LOGFILE"
procmail: Rescue of unfiltered data succeeded
From zarnoch at philadelphia.qedinfo.com Thu Dec 14 15:16:11 2000
Subject: test12
Folder: /var/mail/zarnoch 11511
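Added example, not part of the original post and not the Email Sanitizer's own code: the macro-scoring step from the recipe in the log above, reimplemented in Python over a constructed stand-in for a decoded .doc, together with a decoder pipe that judges the decoder by its exit status instead of letting SIGPIPE kill the writer. The status procmail reports, 141, is 128 + 13, i.e. the Perl filter was killed by SIGPIPE: the reading end of the `|mimencode -u -o $destf` pipe went away before the filter had finished writing the attachment into it. The signature table here is a subset of the one in the recipe, with the same weights and NUL-prefixed patterns; MACRO_DOC, CLEAN_DOC, GOOD_DECODER and BAD_DECODER are constructed for this example (the two "decoders" are Python one-liners standing in for a working and a broken mimencode, so the block runs offline).

```python
"""Added example: the sanitizer's macro scoring step in Python, plus a decoder
pipe that reports a failing decoder instead of dying with status 141.
This is not the Email Sanitizer's own code."""
import base64
import re
import subprocess
import sys

# A subset of the signature table from the recipe in the log, transcribed with
# the same weights. Perl's \000 is \x00 here; the /i flag becomes IGNORECASE.
SIGNATURES = [(weight, re.compile(pattern, re.IGNORECASE)) for weight, pattern in (
    (99, rb"\x00VirusProtection"),
    (99, rb"\x00select\s[^\x00]*shell\s*\("),
    (9,  rb"\x00regedit"),
    (9,  rb"\x00SaveNormalPrompt"),
    (9,  rb"\x00Outlook.Application\x00"),
    (4,  rb"\x00CreateObject"),
    (4,  rb"[\x00\x04]([a-z0-9_]\.)*(Autoexec|Workbook_(Open|BeforeClose)|Document_(Open|New|Close))"),
    (2,  rb"\x00Shell"),
)]
MSAPP_RE = re.compile(
    rb"\x00(Microsoft (Word Document|Excel Worksheet|Excel|PowerPoint)"
    rb"|MSWordDoc|Word\.Document\.[0-9]+|Excel\.Sheet\.[0-9]+)\x00")


def score_document(data: bytes) -> tuple:
    """Mirror the recipe's ATTCH loop: the decoded attachment is read line by
    line and every signature that matches a line adds its weight once per line.
    Returns (score, msapp); msapp counts lines carrying an Office app marker."""
    score = msapp = 0
    for line in data.split(b"\n"):
        for weight, rx in SIGNATURES:
            if rx.search(line):
                score += weight
        if MSAPP_RE.search(line):
            msapp += 1
    return score, msapp


def is_poisoned(score: int, msapp: int, poisoned_score: int = 0) -> bool:
    """The recipe's policy: non-Office data gets its score reset to 0, and
    POISONED_SCORE is floored at 5; a document is trapped when score > threshold."""
    if not msapp:
        return False
    return score > max(poisoned_score, 5)


def decode_through(decoder_cmd: list, b64_text: bytes) -> tuple:
    """Feed base64 text to an external decoder over a pipe, as the recipe does
    with `mimencode -u`, and judge the result by the decoder's exit status.
    CPython ignores SIGPIPE at startup, so a decoder that exits early surfaces
    as EPIPE, which subprocess.run() swallows; a Perl writer with the default
    SIGPIPE disposition is killed instead, which the shell reports as status
    141 (128 + signal 13) and procmail logs as "Broken Pipe"."""
    proc = subprocess.run(decoder_cmd, input=b64_text, capture_output=True)
    if proc.returncode != 0:
        msg = proc.stderr.decode("utf-8", "replace").strip()
        return None, f"decoder exited {proc.returncode}: {msg}"
    return proc.stdout, None


# Constructed stand-ins for decoded .doc files (OLE2 magic, an app marker, then
# strings a VBA project would leave behind). Not real documents.
MACRO_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
             b"\x00Microsoft Word Document\x00\x00MSWordDoc\x00\n"
             b"\x00Document_Open\x00CreateObject\x00Shell\x00VirusProtection\x00\n")
CLEAN_DOC = b"\xd0\xcf\x11\xe0\x00Microsoft Word Document\x00\nplain text body\n"
MACRO_DOC_B64 = base64.b64encode(MACRO_DOC)
CLEAN_DOC_B64 = base64.b64encode(CLEAN_DOC)

# Hypothetical decoders for this example only: the current interpreter playing
# a working mimencode, and one that rejects its options before reading stdin.
GOOD_DECODER = [sys.executable, "-c",
                "import sys,base64;sys.stdout.buffer.write(base64.b64decode(sys.stdin.buffer.read()))"]
BAD_DECODER = [sys.executable, "-c",
               "import sys;sys.stderr.write('usage: mimencode [-u] [-o file]\\n');sys.exit(2)"]


def scan_attachment(b64_text: bytes, decoder_cmd: list = GOOD_DECODER) -> dict:
    """End to end: decode, score, decide. A decoder failure is reported as an
    error rather than as a silently unscanned attachment."""
    data, err = decode_through(decoder_cmd, b64_text)
    if err:
        return {"error": err, "score": 0, "msapp": 0, "poisoned": False}
    score, msapp = score_document(data)
    return {"error": None, "score": score, "msapp": msapp,
            "poisoned": is_poisoned(score, msapp)}


if __name__ == "__main__":
    print("macro  ", scan_attachment(MACRO_DOC_B64))
    print("clean  ", scan_attachment(CLEAN_DOC_B64))
    print("broken ", scan_attachment(MACRO_DOC_B64, BAD_DECODER))
```

Run as a script it prints one verdict per case; to exercise a real decoder, pass something like ["mimencode", "-u"] as decoder_cmd (without -o it writes the decoded data to stdout), and a non-zero exit status from that command is exactly the condition that, in the recipe's Perl, ends in the "Broken Pipe" line seen in the log.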