[Esd-l] Sanitizer and .ZIP files
John D. Hardin
jhardin at impsec.org
Sun Feb 15 22:50:10 PST 2004
Per some prompting from Yves Agostini I have added .ZIP file scanning
to the development sanitizer, and also revamped scanning a bit.
Changes in the development version:
1) The sanitizer now requires MIME::Base64 and File::MkTemp from CPAN.
I've decided that this makes for a slightly smaller script, and
removes the dependence on the mktemp and mimencode programs (which may
be hard to find) in favor of CPAN (which is easy to find).
2) .ZIP file attachments are now "special" in the same way that
Microsoft document attachments are "special". They are subject to
poisoning and stripping, and if present will be scanned (1 layer deep)
for suspicious filenames. However, .ZIP attachments will NOT be
mangled unless you explicitly modify the MANGLE list to include the
ZIP extension. I'm not going to add them to the default MANGLE list.
3) A new filename list has been added to allow separate policies for
.ZIP files. For example, you can set the default .ZIP file policy the
same as your general attachment policy, and add a special policy for
the consultant who sends you zipped .DLL files so that they don't get
4) The only policy for messages with .ZIP file attachments containing
suspicious files is to quarantine them. I feel this is as aggressive
as the sanitizer dares to be, and it will keep zipped-file attacks
away from the end users long enough to develop a specific rule that
discards them if desired.
5) Scanning zip files requires the "unzip" program be available. I
haven't taken a look at the CPAN .ZIP utilities yet, so this may
To control this there are some new variables:
ZIPPED_WARNING - warning text inserted into quarantined messages.
ZIPPED_EXECUTABLES - filename of file containing list of filespecs to
scan .ZIP files for; message is quarantined if there are any matches.
DISABLE_ZIP_SCAN - if set to anything, don't scan .ZIP attachments.
Adventurous souls are invited to try out the development version. It's
beta code, and I recommend trying it out on a test account only!
Comments solicited. I'd especially like to know if we've exceeded the
command-line length limit on HPUX and AIX again. It looks to me like
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
"Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
does quite what I want. I wish Christopher Robin was here."
-- Peter da Silva in a.s.r
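The one-layer .ZIP scan described in this message (list the archive's entries, match each filename against the ZIPPED_EXECUTABLES filespecs, quarantine on any hit, honour DISABLE_ZIP_SCAN), as an added Python example that is not the sanitizer's own code. The real sanitizer is Perl and shells out to the "unzip" program; this example reads the archive's central directory with Python's zipfile module instead. The glob patterns, the case-insensitive basename matching, the "unreadable" result for a malformed archive and the separate report of nested .ZIP entries are all assumptions made for illustration, not documented sanitizer behaviour. The sample archives are constructed in memory.

```python
import fnmatch
import io
import posixpath
import zipfile

# Assumed contents of a ZIPPED_EXECUTABLES-style policy file: one glob per
# line, matched case-insensitively against each entry's basename. This list
# is a constructed illustration, not the sanitizer's shipped defaults.
ZIPPED_EXECUTABLES = """
*.exe
*.com
*.scr
*.pif
*.bat
*.cmd
*.vbs
*.js
*.hta
"""


def load_filespecs(text):
    """Parse a policy file body into a list of lowercase glob patterns."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            specs.append(line.lower())
    return specs


def scan_zip(data, filespecs, disable_zip_scan=False):
    """Inspect one .ZIP attachment one layer deep.

    Returns {"status": ..., "matches": [...], "nested": [...]} where status
    is "skipped" (scan disabled), "unreadable" (not a valid zip, assumed
    outcome), "quarantine" (at least one entry matched) or "clean".
    Only the central directory is read; nothing is decompressed, so a
    zip bomb in the payload costs nothing at this stage.
    """
    if disable_zip_scan:
        return {"status": "skipped", "matches": [], "nested": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"status": "unreadable", "matches": [], "nested": []}
    matches, nested = [], []
    for name in names:
        # Normalise backslash paths and match on the basename only.
        base = posixpath.basename(name.replace("\\", "/")).lower()
        if not base:
            continue  # directory entry
        if base.endswith(".zip"):
            nested.append(name)  # one layer deep: its contents are NOT inspected
        if any(fnmatch.fnmatchcase(base, spec) for spec in filespecs):
            matches.append(name)
    status = "quarantine" if matches else "clean"
    return {"status": status, "matches": matches, "nested": nested}


def build_sample_zip(entries):
    """Construct an in-memory archive (constructed sample data for testing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


SPECS = load_filespecs(ZIPPED_EXECUTABLES)

# Constructed samples: a benign archive, the classic double-extension lure,
# and an archive carrying a nested .ZIP the one-layer scan cannot see into.
CLEAN_ZIP = build_sample_zip(["report.doc", "figures/chart.gif"])
LURE_ZIP = build_sample_zip(["invoice.PDF.exe", "readme.txt"])
NESTED_ZIP = build_sample_zip(["docs/notes.txt", "more/inner.zip"])

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_ZIP), ("lure", LURE_ZIP), ("nested", NESTED_ZIP)]:
        print(label, scan_zip(blob, SPECS))
    print("disabled", scan_zip(LURE_ZIP, SPECS, disable_zip_scan=True))
    print("garbage", scan_zip(b"not a zip", SPECS))
```

The "nested" list is the caveat worth keeping in mind with a one-layer scan: an archive whose only entry is another .ZIP comes back "clean" even if the inner archive holds an .EXE, so a site that wants to be strict can treat a non-empty "nested" list as grounds for quarantine too.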