[Esd-l] Another Security_Notify_Sender issue

Mark Wendt wendt at kingcrab.nrl.navy.mil
Tue Feb 12 06:14:00 PST 2002


Hi all,

	Running the 1.33pre7 version of the sanitizer, and we're stripping all 
executables from incoming emails.  The recipient recieves notification that 
the .exe has been stripped, but the sender doesn't.  I have 
SECURITY_NOTIFY_SENDER="/etc/procmail/notify.txt" in my procmailrc, and set 
DEBUG_VERBOSE=YES.  The sender is my local account, to a non-privileged 
account on the mail server. Here's the output from the log file (sorry, 
it's a bit long):

Sanitizing MIME attachment headers in "test 2" from 
xxx<xxx at xxx.xxx.xxx.xxx> to yyy 
msgid=<5.1.0.14.2.20020212085440.00abd4b8 at xxx.xxx.xxx.xxx>
Checking "cfwindem.exe" for stripping.
Checking against ".*\.ad[ep](\?=)?$"
Checking against ".*\.asd(\?=)?$"
Checking against ".*\.avi(\?=)?$"
Checking against ".*\.ba[st](\?=)?$"
Checking against ".*\.chm(\?=)?$"
Checking against ".*\.cmd(\?=)?$"
Checking against ".*\.com(\?=)?$"
Checking against ".*\.cil(\?=)?$"
Checking against ".*\.cpl(\?=)?$"
Checking against ".*\.crt(\?=)?$"
Checking against ".*\.dll(\?=)?$"
Checking against ".*\.exe(\?=)?$"
  Stripped executable "cfwindem.exe".
  From xxx at xxx.xxx.xxx.xxx  Tue Feb 12 08:54:43 2002
  Subject: test 2
   Folder: /var/mail/yyy						   1409
procmail: [10606] Tue Feb 12 08:56:14 2002
procmail: Match on ! "[^ ]"
procmail: [10606] Tue Feb 12 08:56:15 2002
procmail: Score:       0       0 
"\<(html|title|body|meta|app|script|object|embed|i?frame|style|img|bgsound|layer|link)"
procmail: Score:       0       0 "=(3d)?[ 	]*["'](&{|([a-z]+script|mocha):)"
procmail: Match on ! "[^ ]"
procmail: Assigning 
"MANGLE_EXTENSIONS=html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|cil|wm[szd]|vcf|nws|\{[-0-9a-f]+\}"
procmail: [10606] Tue Feb 12 08:56:16 2002
procmail: No match on "^begin[ 	]+([0-9]+)?[ 	]+[^ 	]+"
procmail: Match on ! "^X-Content-Security: \[xxx\] (QUARANTINE|DISCARD)"
procmail: Score: 2147483647 2147483647 
"^Content-Type[ 	]*:.*(application|multipart)/[^ ]*;"
procmail: Assigning "LOG=Sanitizing MIME attachment headers in "test 2" 
from xxx <xxx at xxx.xxx.xxx.xxx> to yyy 
msgid=<5.1.0.14.2.20020212085609.00ac2570 at xxx.xxx.xxx.xxx>
"
Sanitizing MIME attachment headers in "test 2" from xxx 
<xxx at xxx.xxx.xxx.xxx> to yyy 
msgid=<5.1.0.14.2.20020212085609.00ac2570 at xxx.xxx.xxx.xxx>
procmail: Assigning "POISONED_SCORE=25"
procmail: Executing " perl -p -e '	#\
       $pastmsghdr = 1 if /^\s*$/;	#\
       $XCS = "X-Content-Security: [" . $ENV{"HOST"} . "]" unless $XCS;	#\
       if ($pastmsghdr) {	#\
	if (!$mimebdry && $mimebdrs[0]) {	#\
	  warn " Found no MIME boundary.\n" if $ENV{"DEBUG"};	#\
	  $mimebdry = pop @mimebdrs;	#\
	  $newbdry = pop @newbdrs;	#\
	  $rawbdry = pop @rawbdrs;	#\
	  $bdrytoolong = pop @bdrstoolong;	#\
	  $gotbdry = pop @gotbdrs;	#\
	  $nullbdry = pop @nullbdrs;	#\
	}	#\
	$_ = "" if $strip_attachment && !$gotbdry;	#\
       } else {	#\
	if (($type,$format,$junk) = 
/^Content-Type\s*:\s.*(application|multipart|message)\/(\S+)(;.*)?$/i) {	#\
	  $wanthdr = 1;	#\
	  print "X-Security: MIME headers sanitized on ", $ENV{"HOST"}, "\n";	#\
	  print "\tSee http://www.impsec.org/email-tools/sanitizer-intro.html\n";	#\
	  print "\tfor details. \$Revision: 1.134pre7 $x\$Date: 2002-01-05 
17:09:21-08 $x\n";	#\
	  print "X-Security: The postmaster has not enabled quarantine of poisoned 
messages.\n" unless $ENV{"SECURITY_QUARANTINE"};	#\
	  if ($type =~ /application/i) {	#\
	    $inmimehdr = 1;	#\
	  } elsif ($type =~ /message/i && $format =~ /rfc822/i) {	#\
	    $rcrsmsg = $inmimehdr = 1;	#\
	  }	#\
	} elsif (/^\S/) {	#\
	  $wanthdr = 0;	#\
	}	#\
	if ($wanthdr) {	#\
	  if (($mimebdry) = /boundary\s*=\s*(("")|("[^"]+")|([^"]\S+))/i) {	#\
	    $mimebdry =~ s/(^"|"$)//g;	#\
	    $rawbdry = $mimebdry;	#\
	    $gotbdry = 1;	#\
	    $wanthdr = 0;	#\
	    $bdrytoolong = $nullbdry = 0;	#\
	    if ($bdrytoolong = (length($mimebdry) > 80)) {	#\
	      warn " Truncating long MIME body-part boundary string.\n";	#\
	      $newbdry = substr($mimebdry,0,64);	#\
	      $mimebdry = quotemeta($mimebdry);	#\
	      s/${mimebdry}/${newbdry}/;	#\
	      $rawbdry =~ s/${mimebdry}/${newbdry}/;	#\
	    } elsif ($nullbdry = (length($mimebdry) < 1)) {	#\
	      warn " Replacing null MIME body-part boundary string.\n";	#\
	      $newbdry = "==NULL_MIME_BOUNDARY_ATTACK_SANITIZED-${$}==";	#\
	      s/boundary\s*=\s*""/boundary = "${newbdry}"/i;	#\
	    } else {	#\
	      $mimebdry = quotemeta($mimebdry);	#\
	    }	#\
	  }	#\
	}	#\
       }	#\
       if ($mimebdry || ($gotbdry && $nullbdry) || $inmimehdr) {	#\
	if (/^\s*$/) {	#\
	  $inmimehdr = 0;	#\
	  if ($rcrsmsg) {	#\
	    push @mimebdrs, $mimebdry;	#\
	    push @newbdrs, $newbdry;	#\
	    push @rawbdrs, $rawbdry;	#\
	    push @bdrstoolong, $bdrytoolong;	#\
	    push @gotbdrs, $gotbdry;	#\
	    push @nullbdrs, $nullbdry;	#\
	    $mimebdry = $newbdry = "";	#\
	    $rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry = 0;	#\
	  }	#\
	} elsif (/^--${mimebdry}(--)?$/) {	#\
	  $mend = $1;	#\
	  s/${mimebdry}/${newbdry}/ if $bdrytoolong;	#\
	  s/^--/--${newbdry}${mend}/ if $nullbdry;	#\
	  if ($mend) {	#\
	    if ($mimebdrs[0]) {	#\
	      $mimebdry = pop @mimebdrs;	#\
	      $newbdry = pop @newbdrs;	#\
	      $rawbdry = pop @rawbdrs;	#\
	      $bdrytoolong = pop @bdrstoolong;	#\
	      $gotbdry = pop @gotbdrs;	#\
	      $nullbdry = pop @nullbdrs;	#\
	    }	#\
	  } else {	#\
	    $inmimehdr = 1;	#\
	    $rcrsmsg = $strip_attachment = $check_attachment = 0;	#\
	  }	#\
	} elsif (!$inmimehdr && $strip_attachment) {	#\
	  $_ = "";	#\
	} elsif (!$inmimehdr && $check_attachment) {	#\
	  $check_attachment = 0;	#\
	  if ($destf = `mktemp /tmp/mailchk.XXXXXX`) {	#\
	    chomp($destf);	#\
	    if (open(DECODE,"|mimencode -u -o $destf")) {	#\
	      do {	#\
		print $_;	#\
		print DECODE $_;	#\
		$_ = <>;	#\
		$lastline = $_;	#\
	      } until (/^\s*$/ || /^--/);	#\
	      close(DECODE);	#\
	      $msapp = $score = 0;	#\
	      @scores = ();	#\
	      $why = "";	#\
	      # Run virus-checker here.	#\
	      open(ATTCH,"< $destf");	#\
	      while (<ATTCH>) {	#\
		if (/\000(VirusProtection)/i) {	#\
			$why .= "    99 for $1\n";	#\
			$score+= 99;	#\
		}	#\
		if (/\000(select\s[^\000]*shell\s*\(\s*["\047])/i) {	#\
			$why .= "    99 for $1\n";	#\
			$score+= 99;	#\
		}	#\
		if (/\000(regedit)/i) {	#\
			$why .= "     9 for $1\n";	#\
			$score+= 9;	#\
		}	#\
		if (/\000(Shell\s*\()/i) {	#\
			$why .= "     9 for $1\n";	#\
			$score+= 9;	#\
		}	#\
		if (/\000(Save(Normal|Properties)Prompt)/i) {	#\
			$why .= "     9 for $1\n";	#\
			$score+= 9;	#\
		}	#\
		if (/\000(Outlook\.Application)\000/i) {	#\
			$why .= "     9 for $1\n";	#\
			$score+= 9;	#\
		}	#\
		if (/\000(CountOfLines)/i) {	#\
			$why .= "     9 for $1\n";	#\
			$score+= 9;	#\
		}	#\
		if (/\000(AddFromString)/i) {	#\
			$why .= "     9 for $1\n";	#\
			$score+= 9;	#\
		}	#\
		if (/\000(StartupPath)/i) {	#\
			$why .= "     9 for $1\n";	#\
			$score+= 9;	#\
		}	#\
		if (/\000(CreateObject)/i) {	#\
			$why .= "     4 for $1\n";	#\
			$score+= 4;	#\
		}	#\
		if 
(/(\000|\004)([a-z0-9_]\.)*(Autoexec|Workbook_(Open|BeforeClose|Window(De)?activate)|Document_(Open|New|Close))/i) 
{	#\
			$why .= "     4 for $&\n";	#\
			$score+= 4;	#\
		}	#\
		if 
(/(\000|\004)(Logon|AddressLists|AddressEntries|Recipients|Attachments|Logoff)/i) 
{	#\
			$why .= "     4 for $&\n";	#\
			$score+= 4;	#\
		}	#\
		if (/(\000|\004)(Subject|Body)/i) {	#\
			$why .= "     4 for $&\n" unless $scores[0];	#\
			$scores[0] = 4;	#\
		}	#\
		if (/\000(Options[^\w\s])/i) {	#\
			$why .= "     2 for $1\n";	#\
			$score+= 2;	#\
		}	#\
		if (/\000(CodeModule)/i) {	#\
			$why .= "     2 for $1\n";	#\
			$score+= 2;	#\
		}	#\
		if (/\000(([a-z]+\.)?Application)\000/i) {	#\
			$why .= "     2 for $1\n";	#\
			$score+= 2;	#\
		}	#\
		if (/(\000|\004)stdole/i) {	#\
			$why .= "     2 for $&\n";	#\
			$score+= 2;	#\
		}	#\
		if (/(\000|\004)NormalTemplate/i) {	#\
			$why .= "     2 for $&\n";	#\
			$score+= 2;	#\
		}	#\
		if (/\000(ID="{[-0-9A-F]+(}")?)/i) {	#\
			$why .= "     4 for $1\n";	#\
			$score+= 4;	#\
		}	#\
		if (/\000(ThisWorkbook)\000/i) {	#\
			$why .= "     1 for $1\n";	#\
			$score+= 1;	#\
		}	#\
		if (/\000(PrivateProfileString)/i) {	#\
			$why .= "     1 for $1\n";	#\
			$score+= 1;	#\
		}	#\
		if (/(\000|\004)(ActiveDocument|ThisDocument|ThisWorkbook)/i) {	#\
			$why .= "     1 for $&\n";	#\
			$score+= 1;	#\
		}	#\
		if (/\000(\[?HKEY_(CLASSES_ROOT|CURRENT_USER|LOCAL_MACHINE))/) {	#\
			$why .= "     1 for $1\n";	#\
			$score+= 1;	#\
		}	#\
		$msapp+= 1 if /\000(Microsoft (Word Document|Excel 
Worksheet|Excel|PowerPoint)|MSWordDoc|Word\.Document\.[0-9]+|Excel\.Sheet\.[0-9]+)\000/; 
#\
	      }	#\
	      close(ATTCH);	#\
	      unlink($destf);	#\
	      if ($msapp) {	#\
		for (@scores) {	#\
		  $score += $_;	#\
		}	#\
		if ($histfile = $ENV{"SCORE_HISTORY"}) {	#\
		  if (open(HIST,">>$histfile")) {	#\
		    print HIST "score=$score to=".$ENV{"TO"}." from=".$ENV{"FROM"}."\n";	#\
		    close HIST;	#\
		  }	#\
		}	#\
		$poison_score = $ENV{"POISONED_SCORE"};	#\
		$poison_score = 5 if $poison_score < 5;	#\
		if ($score > $poison_score && !$ENV{"SCORE_ONLY"}) {	#\
		  warn " POSSIBLE MACRO EXPLOIT: Score=$score\n";	#\
		  print "\n\n--$rawbdry\n";	#\
		  print "Content-Type: TEXT/PLAIN;\n";	#\
		  print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || 
$ENV{"SECURITY_NOTIFY_VERBOSE"};	#\
		  print "$XCS REPORT: Trapped poisoned Microsoft attachment\n" if 
$ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"};	#\
		  print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"};	#\
		  print "Content-Description: SECURITY WARNING\n\n";	#\
		  print "SECURITY WARNING!\n";	#\
		  print "The mail delivery system has detected that the preceding\n";	#\
		  print "document attachment appears to contain hazardous macro code.\n";	#\
		  print "Macro Scanner score: $score\n";	#\
		  if ($ENV{"SCORE_DETAILS"}) {	#\
			  print "Macro Scanner score details:\n";	#\
			  $why =~ s/[\000-\011\013-\037]//g;	#\
			  print $why;	#\
		  }	#\
		  print "Contact your system administrator immediately!\n\n";	#\
		}	#\
	      } else {	#\
		$score = 0;	#\
	      }	#\
	      if ($lastline =~ /^--${mimebdry}(--)?$/) {	#\
		$inmimehdr = 1;	#\
		$check_attachment = 0;	#\
		$lastline =~ s/${mimebdry}/${newbdry}/ if $bdrytoolong;	#\
	      }	#\
	      print $lastline;	#\
	    } else {	#\
	      warn "*** Decoding: $!  - mimencode?\n";	#\
	    }	#\
	  } else {	#\
	    warn "*** Cannot extract - mktemp?\n";	#\
	  }	#\
	}	#\
	if ($inmimehdr || $hdrcnt) {	#\
	  if (/^(\s+\S|(file)?name)/) {	#\
	    s/^\s*/ /;	#\
	    s/^\s*// if $hdrtxt =~ /"[^"]*[^;]$/;	#\
	    s/\s*\n$//;	#\
	    $hdrtxt .= $_;	#\
	    $_ = "";	#\
	  } else {	#\
	    if ($hdrtxt) {	#\
	      $hdrtxt =~ s/([^\\])\\"/\1\\/g;	#\
	      if ($hdrtxt =~ /`\s*`/) {	#\
		warn " Fixing double backquotes.\n";	#\
		$hdrtxt =~ s/`\s*`/\\"/g;	#\
	      }	#\
	      if ($hdrtxt =~ /^[-\w]+\s*:.*name\s*=\s*"[^"]+$/i) {	#\
		warn " Fixing missing close quote on filename.\n";	#\
		$hdrtxt .= "\"";	#\
	      }	#\
	      while (($hdr, $val) = $hdrtxt =~ /^([-\w]+)\s*:.*\s(\S+)\s*=\s*""/i) 
{	#\
		warn " Null $val in $hdr header.\n";	#\
		$sval = quotemeta($val);	#\
		$hdrtxt =~ s/\s$sval\s*=\s*""/ X-$val="{null value sanitized}"/;	#\
	      }	#\
	      unless ($ENV{"SECURITY_DISABLE_OUTLOOK_HACKS"}) {	#\
	        while (($hdr,$filen) = $hdrtxt =~ 
/^(Content-Description)\s*:\s*text\s+from\s+file\s+\047([^\047]+)\047/i) {	#\
		  warn " Fixing file name \"$filen\" in ${hdr}:\n";	#\
		  $newfilen = $filen; $filen = quotemeta($filen);	#\
		  $hdrtxt =~ s/\s+\047${filen}\047/, filename="${newfilen}"/ig;	#\
	        }	#\
	      }	#\
	      while (($junk,$filen) = $hdrtxt =~ 
/^Content-[-\w]+\s*:[^"]*("[^"]*"[^"]+)*name\s*=\s*([^"\s][^;]+)/i) {	#\
		warn " Fixing unquoted filename \"$filen\".\n";	#\
		$newfilen = $filen; $filen = quotemeta($filen);	#\
		$newfilen =~ s/\"/\\"/g;	#\
		if ($newfilen =~ /\([^)]*\)/) {	#\
		  warn " Removing embedded RFC822 comments.\n";	#\
		  $newfilen =~ s/\([^)]*\)//g;	#\
		}	#\
		$hdrtxt =~ s/name\s*=\s*${filen}/name="$newfilen"/ig;	#\
	      }	#\
	      while (($filen) = $hdrtxt =~ 
/^Content-[-\w]+\s*:.*name\s*=\s*"(=\?[^"]+\?Q\?[^"]+=(2e|3[0-9]|[46][1-9a-f]|[57][0-9a])[^"]+\?=)"/i) 
{	#\
		warn " Fixing encoded plain characters in \"$filen\".\n";	#\
		$newfilen = $filen; $filen = quotemeta($filen);	#\
		while ($newfilen =~ /=(2e|3[0-9]|[46][1-9a-f]|[57][0-9a])/i) {	#\
		  $char = chr(hex("0x$1"));	#\
		  $newfilen =~ s/=$1/$char/gi;	#\
		}	#\
		$hdrtxt =~ s/name\s*=\s*"${filen}"/name="$newfilen"/ig;	#\
	      }	#\
	      while (($filen) = $hdrtxt =~ 
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+)\s+"/i) {	#\
		warn " Fixing trailing spaces in filename.\n";	#\
		$newfilen = $filen; $filen = quotemeta($filen);	#\
		$hdrtxt =~ s/name\s*=\s*"${filen}\s+"/name="$newfilen"/ig;	#\
	      }	#\
	      while (($filen) = $hdrtxt =~ 
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{120})[^"]{16,}"/i) {	#\
		warn " Truncating long filename \"$filen...\".\n";	#\
		$filen =~ s/\s+$//;	#\
		$filen .= "...";	#\
		$filen .= "?=" if $filen =~ /^=\?/;	#\
		$hdrtxt =~ s/name\s*=\s*"[^"]{128,}"/name="$filen"/i;	#\
		$mangle_mime_type = 1;	#\
	      }	#\
	      if (($mtype) = $hdrtxt =~ 
/^Content-Type:\s+([a-z0-9-_]+\/[a-z0-9-_]+)/i) {	#\
	        unless ($mtype =~ /^(multipart|text|message)\//i) {	#\
		  unless ($hdrtxt =~ /name\s*=\s*"/i) {	#\
		    $dfrhdr .= "$hdrtxt\n"; $hdrtxt = "";	#\
		  }	#\
		}	#\
	      }	#\
	      if ($hdrtxt =~ /^Content-Transfer-Encoding\s*:/i) {	#\
	        $dfrhdr .= "$hdrtxt\n"; $hdrtxt = "";	#\
	      }	#\
	      if (($filen) = $hdrtxt =~ 
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+\.(do[ct]|xl[swt]|p[po]t|rtf|pps)(\?=)?)"/i) 
{	#\
		$stripped = 0;	#\
		if (!$poisoned && ($specf = $ENV{"STRIPPED_EXECUTABLES"})) {	#\
		  if (open(STRIPPED,$specf)) {	#\
		    warn "Checking document \"$filen\" for stripping.\n";	#\
		    while (chomp($stp_spec = <STRIPPED>)) {	#\
		      $stp_spec =~ s/^\s+//g;	#\
		      $stp_spec =~ s/\s.*$//g;	#\
		      next unless $stp_spec;	#\
		      $stp_spec =~ s/([^\\])\./$1\\./g;	#\
		      $stp_spec =~ s/\*/.*/g;	#\
		      $stp_spec =~ s/([^\(])\?/$1./g;	#\
		      $stp_spec .= "(\\?=)?\$" unless $stp_spec =~ /\$/;	#\
		      warn "Checking against \"$stp_spec\"\n" if $ENV{"DEBUG"};	#\
		      if ($filen =~ /^${stp_spec}/i) {	#\
			warn " Stripped document \"$filen\".\n";	#\
			$stripped = 1;	#\
			print "Content-Type: TEXT/PLAIN;\n";	#\
			print "$XCS REPORT: Microsoft attachment \"$filen\" stripped\n";	#\
			print "Content-Description: SECURITY NOTICE\n\n";	#\
			print $ENV{"STRIPPED_WARNING"};	#\
			print "Filename: $filen\n\n";	#\
			print "More headers follow:\n\n" unless $pastmsghdr;	#\
			$_ = $dfrhdr = $hdrtxt = "";	#\
			$strip_attachment = 1;	#\
			$inmimehdr = 0;	#\
			last;	#\
		      }	#\
		    }	#\
		    close(STRIPPED);	#\
		  } else {	#\
		    warn " Unable to open stripped-executables file \"$specf\".\n";	#\
		  }	#\
		}	#\
		if (!$poisoned && !$stripped && ($specf = $ENV{"POISONED_EXECUTABLES"})) {	#\
		  if (open(POISONED,$specf)) {	#\
		    warn "Checking document \"$filen\" for poisoning.\n";	#\
		    while (chomp($psn_spec = <POISONED>)) {	#\
		      $psn_spec =~ s/^\s+//g;	#\
		      $psn_spec =~ s/\s.*$//g;	#\
		      next unless $psn_spec;	#\
		      $psn_spec =~ s/([^\\])\./$1\\./g;	#\
		      $psn_spec =~ s/\*/.*/g;	#\
		      $psn_spec =~ s/([^\(])\?/$1./g;	#\
		      $psn_spec .= "(\\?=)?\$" unless $psn_spec =~ /\$/;	#\
		      warn "Checking against \"$psn_spec\"\n" if $ENV{"DEBUG"};	#\
		      if ($filen =~ /^${psn_spec}/i) {	#\
			warn " Trapped poisoned document \"$filen\".\n";	#\
			$poisoned = 1;	#\
			print "Content-Type: TEXT/PLAIN;\n";	#\
			print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || 
$ENV{"SECURITY_NOTIFY_VERBOSE"};	#\
			print "$XCS REPORT: Trapped poisoned Microsoft attachment \"$filen\"\n" 
if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"};	#\
			print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"};	#\
			print "Content-Description: SECURITY WARNING\n\n";	#\
			print $ENV{"POISONED_WARNING"};	#\
			print "Macro Scanner score: 0 (poisoned by name, scan skipped)\n\n";	#\
			last;	#\
		      }	#\
		    }	#\
		    close(POISONED);	#\
		  } else {	#\
		    warn " Unable to open poisoned-executables file \"$specf\".\n";	#\
		  }	#\
		}	#\
		$check_attachment = 1 unless $ENV{"DISABLE_MACRO_CHECK"};	#\
	      }	#\
	      if (($bndry) = $hdrtxt =~ 
/^Content-Type:\s+multipart\/.*\s+boundary\s*=\s*"?([^"]+)"?/i) {	#\
		push @mimebdrs, $mimebdry;	#\
		push @newbdrs, $newbdry;	#\
		push @rawbdrs, $rawbdry;	#\
		push @bdrstoolong, $bdrytoolong;	#\
		push @gotbdrs, $gotbdry;	#\
		push @nullbdrs, $nullbdry;	#\
		$mimebdry = $newbdry = $bndry;	#\
	        $mimebdry = quotemeta($mimebdry);	#\
		$rcrsmsg = $bdrytoolong = $gotbdry = 0;	#\
	      }	#\
	      if ($hdrtxt =~ /^Content-Type:\s+message\/rfc822/i) {	#\
		if (!$inmimehdr) {	#\
		  push @mimebdrs, $mimebdry;	#\
		  push @newbdrs, $newbdry;	#\
		  push @rawbdrs, $rawbdry;	#\
		  push @bdrstoolong, $bdrytoolong;	#\
		  push @gotbdrs, $gotbdry;	#\
		  push @nullbdrs, $nullbdry;	#\
		  $mimebdry = $newbdry = "";	#\
		  $rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry = 0;	#\
		} else {	#\
		  $rcrsmsg = 1;	#\
		}	#\
	      }	#\
	      if ($ENV{"SECURITY_STRIP_MSTNEF"} && $hdrtxt =~ 
/^Content-Type:\s+application\/MS-TNEF/i) {	#\
		print "Content-Type: TEXT/PLAIN;\n";	#\
		print "$XCS REPORT: Stripped MS-TNEF attachment\n";	#\
		print "Content-Description: SECURITY NOTICE\n\n";	#\
		print $ENV{"TNEF_WARNING"};	#\
		$_ = $dfrhdr = $hdrtxt = "";	#\
		$strip_attachment = 1;	#\
		$inmimehdr = 0;	#\
	      }	#\
	      while (($filen) = $hdrtxt =~ 
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+\.($ENV{"MANGLE_EXTENSIONS"})(\?=)?)"/io) 
{	#\
		$stripped = 0;	#\
		if (!$poisoned && ($specf = $ENV{"STRIPPED_EXECUTABLES"})) {	#\
		  if (open(STRIPPED,$specf)) {	#\
		    warn "Checking \"$filen\" for stripping.\n";	#\
		    while (chomp($stp_spec = <STRIPPED>)) {	#\
		      $stp_spec =~ s/^\s+//g;	#\
		      $stp_spec =~ s/\s.*$//g;	#\
		      next unless $stp_spec;	#\
		      $stp_spec =~ s/([^\\])\./$1\\./g;	#\
		      $stp_spec =~ s/\*/.*/g;	#\
		      $stp_spec =~ s/([^\(])\?/$1./g;	#\
		      $stp_spec .= "(\\?=)?\$" unless $stp_spec =~ /\$/;	#\
		      warn "Checking against \"$stp_spec\"\n" if $ENV{"DEBUG"};	#\
		      if ($filen =~ /^${stp_spec}/i) {	#\
			warn " Stripped executable \"$filen\".\n";	#\
			$stripped = 1;	#\
			print "Content-Type: TEXT/PLAIN;\n";	#\
			print "$XCS REPORT: Attachment \"$filen\" stripped\n";	#\
			print "Content-Description: SECURITY NOTICE\n\n";	#\
			print $ENV{"STRIPPED_WARNING"};	#\
			print "Filename: $filen\n\n";	#\
			print "More headers follow:\n\n" unless $pastmsghdr;	#\
			$_ = $dfrhdr = $hdrtxt = "";	#\
			$strip_attachment = 1;	#\
			$inmimehdr = 0;	#\
			last;	#\
		      }	#\
		    }	#\
		    close(STRIPPED);	#\
		  } else {	#\
		    warn " Unable to open stripped-executables file \"$specf\".\n";	#\
		  }	#\
		}	#\
		if (!$poisoned && !$stripped && ($specf = $ENV{"POISONED_EXECUTABLES"})) {	#\
		  if (open(POISONED,$specf)) {	#\
		    warn "Checking \"$filen\" for poisoning.\n";	#\
		    while (chomp($psn_spec = <POISONED>)) {	#\
		      $psn_spec =~ s/^\s+//g;	#\
		      $psn_spec =~ s/\s.*$//g;	#\
		      next unless $psn_spec;	#\
		      $psn_spec =~ s/([^\\])\./$1\\./g;	#\
		      $psn_spec =~ s/\*/.*/g;	#\
		      $psn_spec =~ s/([^\(])\?/$1./g;	#\
		      $psn_spec .= "(\\?=)?\$" unless $psn_spec =~ /\$/;	#\
		      warn "Checking against \"$psn_spec\"\n" if $ENV{"DEBUG"};	#\
		      if ($filen =~ /^${psn_spec}/i) {	#\
			warn " Trapped poisoned executable \"$filen\".\n";	#\
			$poisoned = 1;	#\
			print "Content-Type: TEXT/PLAIN;\n";	#\
			print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || 
$ENV{"SECURITY_NOTIFY_VERBOSE"};	#\
			print "$XCS REPORT: Trapped poisoned executable \"$filen\"\n" if 
$ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"};	#\
			print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"};	#\
			print "Content-Description: SECURITY WARNING\n\n";	#\
			print $ENV{"POISONED_WARNING"};	#\
			last;	#\
		      }	#\
		    }	#\
		    close(POISONED);	#\
		  } else {	#\
		    warn " Unable to open poisoned-executables file \"$specf\".\n";	#\
		  }	#\
		}	#\
		unless ($stripped) {	#\
		  warn " Mangling executable filename \"$filen\".\n";	#\
		  $newfilen = $filen; $filen = quotemeta($filen);	#\
		  $newfilen =~ s/\.([-a-z0-9{}]+(\?=)?)$/.${$}DEFANGED-$1/i;	#\
		  $hdrtxt =~ s/name\s*=\s*"?${filen}"?/name="$newfilen"/ig;	#\
		  $mangle_mime_type = 1;	#\
		}	#\
	      }	#\
	      if ($mangle_mime_type && $hdrtxt =~ /^Content-Type:\s/i) {	#\
		($oct) = $hdrtxt =~ /^Content-Type:.*\s(\S+\/\S+;?)/i;	#\
		warn " Mangling MIME type \"$oct\".\n";	#\
		unless ($oct =~ /application\/octet-stream;/i) {	#\
		  print "$XCS original Content-Type was $oct\n";	#\
		  $oct = quotemeta($oct);	#\
		  $hdrtxt =~ s/${oct}/application\/octet-stream;/i;	#\
		}	#\
	      }	#\
	      if ($mangle_mime_type && $hdrtxt =~ /\sx-mac-\S+/i) {	#\
		$eudora = "";	#\
		while (($eh) = $hdrtxt =~ /(\sx-mac-\S+\s*=\s*\S+;?)/i) {	#\
		  $eudora .= $eh;	#\
		  $eh = quotemeta($eh);	#\
		  $hdrtxt =~ s/${eh}//i;	#\
		}	#\
		print "$XCS removed$eudora\n";	#\
	      }	#\
	      if (($junk) = $hdrtxt =~ /^Content-Type\s*:\s+(.{128}).{100,}$/i) {	#\
		warn " Truncating long Content-Type header.\n";	#\
		$junk =~ s/"/\\"/g;	#\
		$hdrtxt = "Content-Type: X-BOGUS\/X-BOGUS; originally=\"$junk...\"";	#\
	      } elsif (($junk) = $hdrtxt =~ 
/^Content-Description\s*:\s+(.{128}).{100,}$/i) {	#\
		warn " Truncating long Content-Description header.\n";	#\
		$hdrtxt = "Content-Description: $junk...";	#\
	      } elsif (($junk) = $hdrtxt =~ 
/^Content-[-\w]+\s*:\s+(.{128}).{100,}$/i) {	#\
		warn " Truncating long MIME header.\n";	#\
		$junk =~ s/"/\\"/g;	#\
		$hdrtxt =~ s/^Content-([-\w]+)\s*:.*$/X-Overflow: Content-$1; 
originally="$junk..."/i;	#\
	      }	#\
	      $hdrtxt =~ s/\\/\\"/g;	#\
	      print "$hdrtxt\n" if $hdrtxt;	#\
	      $hdrtxt = "";	#\
	      if (!$inmimehdr) {	#\
		if ($dfrhdr) {	#\
		  if ($mangle_mime_type && $dfrhdr =~ /^Content-Type:\s/i) {	#\
		    ($oct) = $dfrhdr =~ /^Content-Type:[^\n]*\s(\S+\/\S+;?)/i;	#\
		    warn " Mangling MIME type \"$oct\".\n";	#\
		    unless ($oct =~ /application\/octet-stream;/i) {	#\
		      print "$XCS original Content-Type was $oct\n";	#\
		      $oct = quotemeta($oct);	#\
		      $dfrhdr =~ s/${oct}/application\/octet-stream;/i;	#\
		    }	#\
		  }	#\
		  print $dfrhdr; $dfrhdr = "";	#\
		}	#\
		$poisoned = $mangle_mime_type = 0;	#\
	      }	#\
	    }	#\
	    if (/^\S/) {	#\
	      s/\s*\n$//;	#\
	      $hdrtxt = $_;	#\
	      $_ = "";	#\
	      $hdrcnt++;	#\
	    } else {	#\
	      $hdrcnt = 0;	#\
	      $hdrtxt = "";	#\
	    }	#\
	  }	#\
	}	#\
       }	#\
     ' 2>> $LOGFILE"
Checking "cfwindem.exe" for stripping.
  Stripped executable "cfwindem.exe".
procmail: [10606] Tue Feb 12 08:56:17 2002
procmail: No match on "^X-Content-Security: \[xxx\] 
(NOTIFY|QUARANTINE|DISCARD)"
procmail: Assigning "POISONED_EXECUTABLES="
procmail: Assigning "SECURITY_NOTIFY="
procmail: Assigning "SECURITY_NOTIFY_VERBOSE="
procmail: Assigning "SECURITY_NOTIFY_SENDER="
procmail: Assigning "SECURITY_QUARANTINE="
procmail: Assigning "SECRET="
procmail: Assigning 
"PATH=/usr/acct/yyy/bin:/bin:/usr/ucb:/usr/local/bin:/usr/X/bin"
procmail: Locking "/var/mail/yyy.lock"
procmail: Assigning "LASTFOLDER=/var/mail/yyy"
procmail: Opening "/var/mail/yyy"
procmail: Acquiring kernel-lock
procmail: Unlocking "/var/mail/yyy.lock"
procmail: Notified comsat: "yyy at 0:/var/mail/yyy"
  From xxx at xxx.xxx.xxx.xxx  Tue Feb 12 08:56:14 2002
  Subject: test 2
   Folder: /var/mail/yyy						   1409


Thanks,
Mark



More information about the esd-l mailing list