[Esd-l] Extensions with Trailer
Robert Wagner
rwagner at eruces.com
Wed May 28 06:40:39 PDT 2003
After doing some additional research, it appears that the underscore was
added by our antivirus system. According to the advisory:
Attachment: (any of the following)
application.pif
approved.pif
doc_details.pif
movie28.pif
password.pif
ref-394755.pif
screen_doc.pif
screen_temp.pif
your_details.pif
These are just PIF files. I guess I would still be concerned about someone
finding an extension that allowed them to bypass the antivirus checker and
still execute on the local system.
Perhaps there is an alternative method? Instead of creating a list of
things to remove, could you also create a list of attachments to allow as an
option?
# Use one or the other
POISONED_EXECUTABLES=/etc/procmail/poisoned
ALLOW_ATTACHMENT=/etc/procmail/allow
-----Original Message-----
From: John D. Hardin [mailto:jhardin at impsec.org]
Sent: Tuesday, May 27, 2003 9:08 PM
To: Robert Wagner
Cc: Esd-L (E-mail)
Subject: Re: [Esd-l] Extensions with Trailer
On Tue, 27 May 2003, Robert Wagner wrote:
> We have been seeing this more often.
>
> Virus: WORM_PALYH.A
> \Virus\Sample3ec8529a1.pif_
>
> It appears that the system can capture anything with the pif
> extension, but not pif_
Sigh. It's probably yet another thing Microsoft does to make stupidity
painless and their systems nondeterministic.
Can anyone confirm this? (the filenames, not my opinion of MS... :)
It'll be relatively easy to add to the sanitizer.
Call for vote: should there be an option to sanitize the filename by
deleting trailing underscores?
> Is there a simple way to fix this?
Well, you could add _* to the end of all your regexes in the mangle
list, but I'd have to think about the poisoned filename list for a bit
- the * has been recast from RE syntax to fileglob syntax.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
The fetters imposed on liberty at home have ever been forged out
of the weapons provided for defense against real, pretended, or
imaginary dangers from abroad.
-- James Madison, 1799
-----------------------------------------------------------------------
525 days until the Presidential Election
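As an added example (not part of this thread, and not the Email Sanitizer's own code), the following Python models the two points discussed above: Robert's allow-list alternative to the poisoned list, and the trailing-underscore escape John raises, handled either by deleting trailing underscores before matching (the option put to a vote) or by appending `_*` to a mangle-list regex. The list contents, file names, function names and the case-insensitive matching are assumptions made here; the poisoned list uses fileglob syntax rather than RE syntax, so fnmatch is used for it, and the block shows why a glob `_*` does not behave like the regex `_*`.

```python
import fnmatch
import re

# Constructed stand-ins for /etc/procmail/poisoned and /etc/procmail/allow.
# Entries are fileglob patterns, as in the sanitizer's poisoned list; the
# real contents of those files are not on this page.
POISONED_GLOBS = ["*.pif", "*.scr", "your_details.*"]
ALLOWED_GLOBS = ["*.pdf", "*.txt", "*.doc"]

# A mangle-list style regex for .pif, before and after appending "_*" as
# John Hardin suggests. Case-insensitive matching is an assumption here.
MANGLE_RE_ORIGINAL = re.compile(r"\.pif$", re.IGNORECASE)
MANGLE_RE_TRAILING = re.compile(r"\.pif_*$", re.IGNORECASE)


def strip_trailing_underscores(name):
    """The 'delete trailing underscores' sanitizing option put to a vote."""
    return name.rstrip("_")


def matches_any_glob(name, globs):
    """Case-insensitive fileglob match: '*' is glob syntax, not RE syntax."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, g.lower()) for g in globs)


def mangle_rule_hits(name, pattern):
    """True if a mangle-list regex matches the attachment name."""
    return pattern.search(name) is not None


def classify_denylist(name, globs=POISONED_GLOBS, normalize=True):
    """Poisoned-list mode: block if the name matches a poisoned glob.

    With normalize=False this reproduces the escape Robert saw:
    'Sample3ec8529a1.pif_' does not match '*.pif' and passes.
    """
    candidate = strip_trailing_underscores(name) if normalize else name
    return "poisoned" if matches_any_glob(candidate, globs) else "pass"


def classify_allowlist(name, globs=ALLOWED_GLOBS):
    """Allow-list mode (Robert's proposal): pass only names matching an
    allowed glob; everything else is held.

    No underscore stripping here on purpose: an allow list fails closed,
    so 'notes.txt_' is held rather than guessed to be a text file.
    """
    return "pass" if matches_any_glob(name, globs) else "held"


def with_trailing_underscore_globs(globs):
    """Alternative to stripping: widen the poisoned list for trailing
    underscores. In glob syntax '_*' needs a literal underscore (unlike
    the regex '_*', which also matches zero underscores), so the original
    pattern must be kept alongside the widened one.
    """
    return list(globs) + [g + "_*" for g in globs]


if __name__ == "__main__":
    # Constructed sample attachment names, including the one from the thread.
    for sample in ["Sample3ec8529a1.pif_", "your_details.pif",
                   "report.pdf", "notes.txt_"]:
        print(sample,
              "deny(raw)=" + classify_denylist(sample, normalize=False),
              "deny(strip)=" + classify_denylist(sample),
              "allow=" + classify_allowlist(sample))
```

Run it directly to see the raw deny-list check pass the underscored .pif_ name while the stripped check and the allow-list check both stop it.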