
Date:         Wed, 20 Sep 2000 16:57:41 -0400
Reply-To: Bennett Samowich 
Sender: Bugtraq List 
Subject:      Resend: Sendmail filter to prevent SMTP exploitation of the
              Guninski hole
To: BUGTRAQ@SECURITYFOCUS.COM

Sorry, I sent the wrong source file.  Hopefully aleph1 can catch this in
time to only allow this one through. Here is the correct one & sorry for
the mix-up.


Greetings,

Perhaps it is time to revisit the content filters on our mail servers
before the inevitable exploit is released and until proper resolution can
be made.  By using sendmail's libmilter, it is possible to reject messages
with .dll attachments (see below).  I am sure that there are other methods
as well (e.g. procmail, etc.).  Most places don't have the need to email
DLLs on a regular basis, and if they legitimately did they should be able
to zip them first.

Cheers,
- Bennett

At 02:35 09/20/2000, Lincoln Yeoh manipulated the electrons to say:
...snip...

>This is what makes it more dangerous.
>
>Being subscribed to Bugtraq is getting rather more hazardous, I sure hope
>Mr Simard's dll is harmless :). Fortunately my Bugtraq attachment directory
>is different from my office attachment directory.
>
>But in the future we could see something like "binary chemical weapons"
>where non or sublethal payloads combine to create a lethal payload.
>
>This can make detection harder, as the various payloads could come from
>different sources. And the trigger could be from an innocent party.
>
>We probably can't use the "binary" term in this field as it would be
>confusing and redundant. "Beware of binary dlls" yeah right ;).
>
>I am sure there are other cases where things are dumped into the same
>directory. The windows temp directory comes to mind.
>
>Maybe one could be tricked into storing the dll in suitable areas- by
>setting the MIME content type at the webserver, you should in theory be
>able to tell the browser it's an image, audio, or even word document. But
>once it's downloaded it will be treated as a dll due to the extension.
>
>Cheerio,
>
>Link.


=== Makefile ===
# Generic Makefile for libmilter filters
CC = gcc -Wall

# point this at your sendmail source tree
SENDMAIL_SOURCE = /usr/local/src/sendmail-8.10.1

IFLAGS = -I$(SENDMAIL_SOURCE)/sendmail -I$(SENDMAIL_SOURCE)/include
FLAGS  = -pthread
LIBS   = -lmilter -lsmutil

TARGETS = noattach

all: $(TARGETS)

noattach: noattach.c
	$(CC) $(IFLAGS) -o noattach noattach.c $(LIBS) $(FLAGS)

clean:
	rm -f $(TARGETS)
=== cut ===

(Ed. Note:  This is the updated version of noattach.c which was posted 
to BugTraq.)

/*
 * noattach.c - libmilter filter to reject incoming messages with
 *              specific attachments.
 *
 * Currently rejects VBS, SHS, and DLL attachments.
 *
 * Adapted from filter code written by Al Smith 
 *
 * Catches mixed case MIME filename labels.  Identified by:
 *   Brett Glass   and
 *   Jason Storm  
 */
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <unistd.h>
#include <sysexits.h>
#include "libmilter/mfapi.h"

/*
 * Compare the len characters at s1 with the extension s2, ignoring case.
 * On a match, set the SMTP reply the sending client will see and return 1;
 * otherwise return 0.
 */
static int bad_extension(SMFICTX *ctx, const char *s1, const char *s2, int len) 
{
   char m[1024];

   if (strncasecmp(s1, s2, (size_t)len) != 0)
      return (0);

   snprintf (m, sizeof m,
             "Sorry, I can't accept messages with .%s attachments.", s2);
   smfi_setreply(ctx, "554", "5.6.1", m);
   return (1);
}

sfsistat mlfi_body(SMFICTX *ctx, u_char *bodyp, size_t bodylen) {
   char *body, *p, *q, *r;
   sfsistat ret = SMFIS_CONTINUE;

   /* libmilter body blocks are not NUL-terminated, so work on a
    * terminated copy instead of calling the str* functions on bodyp */
   body = malloc(bodylen + 1);
   if (body == NULL)
      return SMFIS_TEMPFAIL;
   memcpy(body, bodyp, bodylen);
   body[bodylen] = '\0';

   /* convert the block to lowercase once, so that mixed case MIME
    * labels such as Name="FOO.DLL" are caught as well */
   for (q = body; *q; q++)
      *q = tolower((unsigned char)*q);

   /* check body block for attachment names with bad extensions */
   for (p = body; (p = strstr(p, "content-type:")) != NULL; p++) {
      if ((q = strstr(p, "name=\"")) != NULL) {
         /* r ends up on the closing quote of the name value */
         for (r = q + 6; *r != '\n' && *r != '\0' && *r != '"'; r++)
            ;
         /* require a real ".ext" suffix so that a name that merely ends
          * in the three letters (e.g. "dll") is not rejected */
         if (*r == '"' && r - (q + 6) >= 4 && *(r - 4) == '.') {
            /* Filter for bad extensions (r-3 is the extension) */
            if (bad_extension(ctx, r-3, "vbs", 3) ||
                bad_extension(ctx, r-3, "shs", 3) ||
                bad_extension(ctx, r-3, "dll", 3)) {
               ret = SMFIS_REJECT;
               break;
            }
         }
      }
   }

   free(body);
   /* Note: a MIME header split across two body blocks is not seen here */
   return ret;
}

struct smfiDesc smfilter = {
   "VBFilter",          /* filter name */
   SMFI_VERSION,        /* version code -- do not change */
   0,                   /* flags */
   NULL,                /* connection info filter */
   NULL,                /* SMTP HELO command filter */
   NULL,                /* envelope sender filter */
   NULL,                /* envelope recipient filter */
   NULL,                /* header filter */
   NULL,                /* end of header */
   mlfi_body,           /* body block filter */
   NULL,                /* end of message */
   NULL,                /* message aborted */
   NULL                 /* connection cleanup */
};


int main(int argc, char *argv[]) {
   int c;                      /* int, not char: getopt() returns -1 at end */
   const char *args = "p:";
   int have_conn = 0;

   /* Process command line options */
   while ((c = getopt(argc, argv, args)) != -1) {
      switch (c) {
         case 'p':
            if (optarg == NULL || *optarg == '\0') {
               (void) fprintf(stderr, "Illegal conn: %s\n", optarg);
               exit(EX_USAGE);
            }
            (void) smfi_setconn(optarg);
            have_conn = 1;
            break;
         default:
            (void) fprintf(stderr, "usage: %s -p socket\n", argv[0]);
            exit(EX_USAGE);
      }
   }

   if (!have_conn) {
      (void) fprintf(stderr, "%s: -p socket is required\n", argv[0]);
      exit(EX_USAGE);
   }

   if (smfi_register(smfilter) == MI_FAILURE) {
      fprintf(stderr, "smfi_register failed\n");
      exit(EX_UNAVAILABLE);
   }
   return smfi_main();
}

=== cut ===
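As an added example (not from Bennett's post and not libmilter code), here is a length-bounded version of the attachment-name check that works directly on a body block without assuming a NUL terminator and, going beyond the filter above, also matches unquoted name= and filename= values in any letter case; the blocked_ext list, the function names and the sample MIME headers are constructed for this example.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Extensions refused, matching the noattach.c filter above. */
static const char *blocked_ext[] = { "vbs", "shs", "dll", NULL };

/* Case-insensitive search for needle in the first hlen bytes of hay
 * (hay need not be NUL-terminated: libmilter body blocks are not). */
static const char *memcasestr(const char *hay, size_t hlen, const char *needle)
{
   size_t nlen = strlen(needle), i;

   for (i = 0; i + nlen <= hlen; i++)
      if (strncasecmp(hay + i, needle, nlen) == 0)
         return hay + i;
   return NULL;
}

/* Return the blocked extension of the first name= or filename= parameter
 * in body[0..len) that carries one, or NULL if the block is clean.
 * Quoted and unquoted values are accepted, in any letter case. */
const char *blocked_attachment(const char *body, size_t len)
{
   const char *p = body, *end = body + len, *v;
   size_t vlen, elen, k;

   while ((p = memcasestr(p, (size_t)(end - p), "name=")) != NULL) {
      p += 5;
      if (p < end && *p == '"') {              /* quoted: up to closing quote */
         v = ++p;
         while (p < end && *p != '"' && *p != '\n') p++;
      } else {                                  /* token: up to ';' or blank */
         v = p;
         while (p < end && *p != ';' && !isspace((unsigned char)*p)) p++;
      }
      vlen = (size_t)(p - v);
      for (k = 0; blocked_ext[k] != NULL; k++) {
         elen = strlen(blocked_ext[k]);
         /* require a '.' right before the extension: "foo.DLL", not "xdll" */
         if (vlen > elen && v[vlen - elen - 1] == '.' &&
             strncasecmp(v + vlen - elen, blocked_ext[k], elen) == 0)
            return blocked_ext[k];
      }
   }
   return NULL;
}

/* Constructed sample MIME part headers, not taken from the post. */
static const char part_dll[] = "Content-Type: application/octet-stream;\n\tNAME=\"Payload.DLL\"\n";
static const char part_vbs[] = "Content-Disposition: attachment; filename=script.VbS; size=12\n";
static const char part_txt[] = "Content-Disposition: attachment; filename=notes.txt\n";
```

The caller still has to carry the tail of one body block over into the next, since libmilter may split a header line between two mlfi_body calls.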