[Esd-l] "Illegal" chars in attachment names

Larry Parmelee parmelee at CS.Cornell.EDU
Tue Jul 31 06:09:20 PDT 2001


After a quick glance at html-trap.procmail (v1.129), it looks to
me like the sanitizer does NOT detect this attack:

> Multiple Vendor SMTP Attachment Protection Bypass Vulnerability
> BugTraq ID: 3097
> Remote: Yes
> Date Published: 2001-07-25
> Relevant URL:
> http://www.securityfocus.com/bid/3097

Basically, an attacker creates an attachment with a name
containing an embedded "illegal" character, for example:

	virus."vbs	(appears in the message as virus.\"vbs)
	virus.v"bs
	virus.e***xe

(at least double quote and asterisk are mentioned as examples of
illegal chars; I don't know the full list of legal vs. illegal
chars).  The presence of the illegal char in the attachment name
prevents the mail scanner from recognizing the name as anything
evil.

Supposedly, when MS Outlook gets the message, it silently removes
the illegal chars, thereby re-arming the trap.

I tested on Win2K Outlook; it translates runs of illegal chars
into a single underscore, so it's safe, at least until a user
renames the file, removing the underscore(s).

-Larry
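
Added example, not part of the original post or of html-trap.procmail: a scanner-side check that judges each attachment name both as sent and with illegal characters removed, so the three names above no longer slip past an extension list. The illegal set used is the Windows reserved file-name characters (the post itself only names double quote and asterisk), and the extension list and function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Characters Windows rejects in file names, plus control characters.
ILLEGAL = re.compile(r'[\\/:*?"<>|\x00-\x1f]+')
# Hypothetical policy list for this example; use your own in practice.
BLOCKED_EXT = {"vbs", "exe", "scr", "pif", "bat", "com"}

def extension(name):
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[-1].strip().lower() if "." in name else ""

def verdict(name):
    """'blocked' if the name as sent has a blocked extension; 'evasive' if it
    only has one after illegal characters are removed (what a client that
    drops them, or a user deleting the substituted underscore, ends up
    with); otherwise 'ok'."""
    if extension(name) in BLOCKED_EXT:
        return "blocked"
    if extension(ILLEGAL.sub("", name)) in BLOCKED_EXT:
        return "evasive"
    return "ok"

def scan(raw_message):
    """Map every named MIME part's file name to its verdict."""
    msg = message_from_string(raw_message)
    return {p.get_filename(): verdict(p.get_filename())
            for p in msg.walk() if p.get_filename()}

# Constructed sample: the three names from the post plus a harmless one.
SAMPLE_NAMES = [r'virus.\"vbs', r'virus.v\"bs', "virus.e***xe", "notes.txt"]
SAMPLE = ("MIME-Version: 1.0\n"
          "Content-Type: multipart/mixed; boundary=BOUND\n\n"
          + "".join(f'--BOUND\nContent-Disposition: attachment; '
                    f'filename="{n}"\n\nx\n' for n in SAMPLE_NAMES)
          + "--BOUND--\n")

if __name__ == "__main__":
    for name, result in scan(SAMPLE).items():
        print(f"{result:8} {name}")
```

An "evasive" verdict is worth logging separately from "blocked", since a name that only matches after normalization is unlikely to be accidental.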


