Date: Wed, 20 Sep 2000 16:57:41 -0400
Reply-To: Bennett Samowich
Sender: Bugtraq List
Subject: Resend: Sendmail filter to prevent SMTP exploitation of the Guninski hole
To: BUGTRAQ@SECURITYFOCUS.COM

Sorry, I sent the wrong source file. Hopefully aleph1 can catch this in time to only allow this one through. Here is the correct one & sorry for the mix-up.

Greetings,

Perhaps it is time to revisit the content filters on our mail servers before the inevitable exploit is released and until proper resolution can be made. By using sendmail's libmilter, it is possible to reject messages with .dll attachments (see below). I am sure that there are other methods as well (e.g. procmail, etc.). Most places don't have the need to email DLLs on a regular basis, and if they legitimately did they should be able to zip them first.

Cheers,
- Bennett

At 02:35 09/20/2000, Lincoln Yeoh manipulated the electrons to say:
...snip...
> This is what makes it more dangerous.
>
> Being subscribed to Bugtraq is getting rather more hazardous, I sure hope
> Mr Simard's dll is harmless :). Fortunately my Bugtraq attachment directory
> is different from my office attachment directory.
>
> But in the future we could see something like "binary chemical weapons"
> where non or sublethal payloads combine to create a lethal payload.
>
> This can make detection harder, as the various payloads could come from
> different sources. And the trigger could be from an innocent party.
>
> We probably can't use the "binary" term in this field as it would be
> confusing and redundant. "Beware of binary dlls" yeah right ;).
>
> I am sure there are other cases where things are dumped into the same
> directory. The Windows temp directory comes to mind.
>
> Maybe one could be tricked into storing the dll in suitable areas - by
> setting the MIME content type at the webserver, you should in theory be
> able to tell the browser it's an image, audio, or even Word document. But
> once it's downloaded it will be treated as a dll due to the extension.
>
> Cheerio,
>
> Link.

=== Makefile ===
# Generic Makefile for libmilter filters
CC = gcc -Wall

# point this at your sendmail source tree
SENDMAIL_SOURCE = /usr/local/src/sendmail-8.10.1

IFLAGS = -I$(SENDMAIL_SOURCE)/sendmail -I$(SENDMAIL_SOURCE)/include
FLAGS = -pthread
LIBS = -lmilter -lsmutil

TARGETS = noattach

all: $(TARGETS)

noattach: noattach.c
	$(CC) $(IFLAGS) -o noattach noattach.c $(LIBS) $(FLAGS)

clean:
	rm -f $(TARGETS)
=== cut ===

(Ed. Note: This is the updated version of noattach.c which was posted to BugTraq.)

/*
 * noattach.c - libmilter filter to reject incoming messages with
 * specific attachments.
 *
 * Currently rejects VBS, SHS, and DLL attachments.
 *
 * Adapted from filter code written by Al Smith
 *
 * Catches mixed case MIME filename labels. Identified by:
 * Brett Glass and
 * Jason Storm
 */

#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sysexits.h>
#include <unistd.h>
#include "libmilter/mfapi.h"

/*
 * Compare the first len bytes of s1 with the extension s2, ignoring
 * case.  On a match, set the SMTP reply the sender will see and
 * return 1; otherwise return 0.
 */
static int
bad_extension(SMFICTX *ctx, const char *s1, const char *s2, int len)
{
	int n;
	const char *p, *q;
	char x, y;
	char m[1024];

	snprintf(m, sizeof m,
	    "Sorry, I can't accept messages with .%s attachments.", s2);

	n = 0;
	for (p = s1, q = s2; *p && *q && n < len; p++, q++) {
		x = (isalpha((int)*p)) ? tolower(*p) : *p;
		y = (isalpha((int)*q)) ? tolower(*q) : *q;
		if (x == y)
			n++;
	}
	if (n != len)
		return (0);

	smfi_setreply(ctx, "554", "5.6.1", m);
	return (1);
}

sfsistat
mlfi_body(SMFICTX *ctx, u_char *bodyp, size_t bodylen)
{
	char *body, *p, *q, *r;
	sfsistat ret = SMFIS_CONTINUE;

	/*
	 * The body block libmilter hands us is not NUL-terminated, so copy
	 * it into a terminated buffer before using the str*() functions,
	 * and lowercase the copy (never sendmail's own buffer) so the MIME
	 * labels match regardless of case.
	 */
	if ((body = malloc(bodylen + 1)) == NULL)
		return SMFIS_TEMPFAIL;
	memcpy(body, bodyp, bodylen);
	body[bodylen] = '\0';
	for (q = body; *q; q++)
		*q = tolower((unsigned char)*q);

	/* check every MIME part header in this block for a bad attachment name */
	for (p = body; (p = strstr(p, "content-type:")) != NULL; p++) {
		if ((q = strstr(p, "name=\"")) != NULL) {
			for (r = q + 6; *r != '\n' && *r != '\0' && *r != '"'; r++)
				;
			if (*r == '"') {
				/* Filter for bad extensions: the 3 bytes before the closing quote */
				if (bad_extension(ctx, r - 3, "vbs", 3) ||
				    bad_extension(ctx, r - 3, "shs", 3) ||
				    bad_extension(ctx, r - 3, "dll", 3)) {
					ret = SMFIS_REJECT;
					break;
				}
			}
		}
	}

	free(body);
	/* continue processing unless a bad attachment was found */
	return ret;
}

struct smfiDesc smfilter = {
	"VBFilter",	/* filter name */
	SMFI_VERSION,	/* version code -- do not change */
	0,		/* flags */
	NULL,		/* connection info filter */
	NULL,		/* SMTP HELO command filter */
	NULL,		/* envelope sender filter */
	NULL,		/* envelope recipient filter */
	NULL,		/* header filter */
	NULL,		/* end of header */
	mlfi_body,	/* body block filter */
	NULL,		/* end of message */
	NULL,		/* message aborted */
	NULL		/* connection cleanup */
};

int
main(int argc, char *argv[])
{
	int c;			/* int, not char: getopt() returns -1 at the end */
	const char *args = "p:";

	/* Process command line options */
	while ((c = getopt(argc, argv, args)) != -1) {
		switch (c) {
		case 'p':
			if (optarg == NULL || *optarg == '\0') {
				(void) fprintf(stderr, "Illegal conn: %s\n",
				    optarg ? optarg : "(empty)");
				exit(EX_USAGE);
			}
			(void) smfi_setconn(optarg);
			break;
		}
	}
	if (smfi_register(smfilter) == MI_FAILURE) {
		fprintf(stderr, "smfi_register failed\n");
		exit(EX_UNAVAILABLE);
	}
	return smfi_main();
}
=== cut ===
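Added example, not part of the posted filter: a bounded, read-only version of the body scan that mlfi_body() performs. It differs from the posted code where a defender would care: it never reads past the block length (the libmilter body block is not NUL-terminated), it does not modify the buffer, it also catches Content-Disposition filename= labels, and it keys on the text after the last dot, so "notdll" is not rejected while "a.txt.dll" is. The function name denied_attachment and the deny list are assumptions made for this example.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Extensions the filter refuses; list constructed for this example. */
static const char *const DENIED[] = { "vbs", "shs", "dll" };

/* Case-insensitive search for needle inside the first len bytes of hay.
 * It never reads past hay + len, so it is safe on the libmilter body
 * block, which is not NUL-terminated. */
static const char *memcasestr(const char *hay, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= len && i + n <= len; i++)
        if (strncasecmp(hay + i, needle, n) == 0)
            return hay + i;
    return NULL;
}

/* Returns the denied extension named by any quoted name="..." or
 * filename="..." parameter in the block, or NULL if there is none.
 * The key "name=\"" also matches the tail of "filename=\"". */
const char *denied_attachment(const char *body, size_t len)
{
    const char *end = body + len;
    const char *p = body;
    while ((p = memcasestr(p, (size_t)(end - p), "name=\"")) != NULL) {
        const char *start = p + 6;      /* first byte of the file name */
        const char *q = start;
        while (q < end && *q != '"' && *q != '\n')
            q++;
        if (q < end && *q == '"') {     /* closing quote found inside the block */
            const char *dot = NULL;
            for (const char *r = start; r < q; r++)
                if (*r == '.')
                    dot = r;            /* last dot wins: "a.txt.dll" is a .dll */
            if (dot != NULL) {
                size_t elen = (size_t)(q - dot - 1);
                for (size_t i = 0; i < sizeof DENIED / sizeof DENIED[0]; i++)
                    if (elen == strlen(DENIED[i]) &&
                        strncasecmp(dot + 1, DENIED[i], elen) == 0)
                        return DENIED[i];
            }
        }
        p = start;                      /* keep scanning after this parameter */
    }
    return NULL;
}
```

A milter would call denied_attachment(bodyp, bodylen) from its body callback and, on a non-NULL result, set the 554 reply and return SMFIS_REJECT as the posted filter does.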