[Esd-l] Uh-oh: Outlook bug involving triple extensions
John D. Hardin
jhardin at impsec.org
Sun Feb 2 11:50:28 PST 2003
On Sat, 1 Feb 2003, Brett Glass wrote:
> P.S. -- The technique cited in this article can't be defeated with
> John's sanitizer merely by adding patterns to the "poisoned" file,
> because file names aren't compared against the patterns in that
> file unless the final extension is on a list that's built into the
> sanitizer.... Again, see
>
> http://www.theregister.co.uk/content/56/29137.html
As I said earlier, I *think* the sanitizer will still protect against
this exploit. Remember, the sanitizer is more than just a filename
filter.
Granted the attachment won't be poisoned or mangled, but the
"carefully crafted" part of the advisories makes me think it involves
more than just putting in enough spaces to hide the real filename
extensions in the Outlook preview window.
If the attachment filename exceeds the sanitizer's length limit
(currently 128) the filename will be sanitized (shortened, first by
collapsing runs of spaces), which will likely break the "carefully
crafted" part. Given the Reg article says "There is a workaround
involving blocking file attachment[s] ... with very long filenames
(another hallmark of the exploit) at email gateways" I think we're
covered.
So it'd get through the filename filter, but the suspicious file
extensions would no longer be hidden from the user, and a double-click
*probably* wouldn't work.
I don't know, however, exactly what the flaw in Outlook is - whether
it's a buffer-alignment bug or something explicitly trying all of the
possible file extensions in the filename. If the former, you're safe,
if the latter, you're not - but I can't see anybody coding something
*that* asinine.
Again, if anyone has a sample of an attack message I would LOVE to
have a copy (gzipped, of course!)
And, finally, if you're poisoning Windows executables by magic
(POISON_WINEXE is set) then the filename doesn't matter at all.
Attached is a patch to improve the logging in the
shorten-long-filename sanitization step. This is also in the devel
snapshot.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad.
-- James Madison, 1799
-----------------------------------------------------------------------
639 days until the Presidential Election
-------------- next part --------------
*** html-trap.procmail 2003-01-26 11:25:54-08 1.138
--- html-trap.procmail 2003-02-02 11:27:53-08
***************
*** 965,975 ****
$hdrtxt =~ s/name\s*=\s*"${filen}[\.\s]+"/name="$newfilen"/ig; #\
} #\
while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) { #\
! warn " Shortening long filename.\n"; #\
$filen =~ s/\s+/ /g; #\
substr ($filen,64,32) = "..." while (length($filen) > 120); #\
$hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$filen"/i; #\
$mangle_mime_type = 1; #\
} #\
if (($mtype) = $hdrtxt =~ /^Content-Type:\s+([a-z0-9-_]+\/[a-z0-9-_]+)/i) { #\
unless ($mtype =~ /^(multipart|text|message)\//i) { #\
--- 965,976 ----
$hdrtxt =~ s/name\s*=\s*"${filen}[\.\s]+"/name="$newfilen"/ig; #\
} #\
while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) { #\
! warn " Shortening long filename \"$filen\".\n"; #\
$filen =~ s/\s+/ /g; #\
substr ($filen,64,32) = "..." while (length($filen) > 120); #\
$hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$filen"/i; #\
$mangle_mime_type = 1; #\
+ warn " Filename now \"$filen\".\n"; #\
} #\
if (($mtype) = $hdrtxt =~ /^Content-Type:\s+([a-z0-9-_]+\/[a-z0-9-_]+)/i) { #\
unless ($mtype =~ /^(multipart|text|message)\//i) { #\
More information about the esd-l
mailing list