[Mimedefang] Possible new filename exploit?

Kelson Vibber kelson at speed.net
Mon Oct 7 21:24:01 EDT 2002


I was manually clearing a message from a user's mailbox when I discovered 
an interesting MIME attachment.  Now, this user had apparently been 
infected with Bugbear earlier, which made me wonder how.  Anything that 
trips filter_bad_filename is defanged, and anything that trips it AND 
claims to be audio/x-midi or audio/x-wav is quarantined.

Anyway, her transfer was bogging down early in the huge number of messages 
that had piled up while she dealt with the virus, and the message it was 
stopping at had the following MIME part headers:

Content-Type: audio/x-midi;
         name=SURVEY-ap stat;sportsvsgpa.doc.exe
Content-Transfer-Encoding: base64
Content-ID: <IX1I8Vy336Lk2>

Admittedly the filename is *very* bogus - the fake extension, the space 
without quotes, and the semicolon in the middle - plus the bogus mime-type 
and, to top it off, an IFrame in an HTML part referencing the supposed midi 
file.

Now regardless of what virus this was, it shouldn't have still been in the 
message, because it should have tripped filter_bad_filename and the test 
for audio/x-midi content type, and been quarantined instead.  (And yes, the 
X-Scanned-By header appears on this message.)

I'm guessing what happened is that MD read the name as "SURVEY-ap stat" 
which didn't trip filter_bad_filename.  I'll probably alter the filter to 
allow audio/x-midi ONLY with a .mid or .midi extension, rather than to 
block it only if the extension is bad.

Still, if MD doesn't recognize this sort of bogus filename, it'll probably 
need to.

I'm using MD 2.21.  I've updated filter_bad_filename from the latest 
example filter, although I've removed .url from the list, and I haven't 
made any changes to mimedefang.pl.


Kelson Vibber
SpeedGate Communications, Technical Staff
kelson at speed.net          Phone: (949) 341-0800
http://www.speed.net/     FAX:   (949) 341-0900




More information about the MIMEDefang mailing list