[Esd-l] ZIP scanning, take two (repost)

John D. Hardin jhardin at impsec.org
Mon Feb 23 06:40:24 PST 2004 

On Mon, 23 Feb 2004, Mark Wendt (Contractor) wrote:

> >Question: should I make the "ZIPPED_EXECUTABLES=$POISONED_EXECUTABLES"
> >the default behavior? In other words, should I force you to think
> >about your zipped files policy by making it reject everything if you
> >don't give a policy, or should ZIPs be trusted by default unless you
> >want to be more careful.
> 
> Maybe we could mangle the extension much like we do for html?  
> That way, a legitimate zip attachment would be lost, but make it
> much more difficult for the user to open the file?  Dunno, we use
> the zip extension to let docs and xls stuff through if they are
> compressed.

The scanner will only quarantine, not strip. However, the ZIP
extension is now "special", so if you have {something}.ZIP in your
POISON list it *will* take effect. If you don't want to risk losing
ZIP file attachments, don't put {anything}.ZIP in your POISON list...

I am not going to add ZIP to the default mangle list. If you wish to
mangle ZIP attachments as your site policy, you are welcome to through
overriding the default mangle list.

I am really reluctant to meddle with the contents of a ZIP attachment
in any way.

The Sanitizer does streaming inspection. Once attachment scanning
starts it is too late to go back and change the attachment headers, so
there's no way to retroactively mangle the attachment if it contains
suspicious filenames. The message can only be quarantined for a human
to inspect.

What I want community input on is: should the sanitizer by default
quarantine ZIPs that contain poisoned executables, unless overridden?
This would conform to the common "permit explicitly only what you
want, deny the rest" security policy, at the cost of breaking .ZIP
bypass on sites where the new sanitizer is installed without
specifying a ZIP security policy.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   40 days until the Slovakian Presidential Election

More information about the esd-l mailing list