[Esd-l] Re: [Esa-l] Sanitizer rule for Novarg .ZIP attack

John D. Hardin jhardin at impsec.org
Wed Jan 28 20:55:48 PST 2004


On Thu, 29 Jan 2004, Torkil Zachariassen wrote:

> I did not update procmailrc, but instead added a
> 
>   *.zip
> 
> to /etc/procmail/poisoned-files. Sorry.

That won't work unless you also add "zip" to your mangled extensions
list.

> Yes - this is paranoia, but maintaining the 
> 
>  *"?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
>  "?(document|readme|doc|text|file|data|test|message|body)[0-9]*\.zip"?
> 
> lines, looks like a dead cat to me. YMMW.

True. I'm beginning to agree.

I *think* the other parts of the signature are strong enough that it
can be changed to [A-Za-z0-9]+\.zip - unless you are using this in the
part of the world where charset "Windows-1252" is common, in which
case you'll be getting false positives.

PLEASE see the suggested local rules, it contains revisions that
increase reliability. I have also changed it to trigger on all .ZIPs

I am not going to add base64 strings to the signature as novarg-b has
already appeared.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   66 days until the Slovakian Presidential Election



More information about the esd-l mailing list