OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 3rd quarter (Jul-Sep) 1998: Re: Long attachment filename exploits: a procmail filter

Re: Long attachment filename exploits: a procmail filter

Brett Glass (brettLARIAT.ORG)
Wed, 29 Jul 1998 20:37:30 -0600

This recipe is a great start! However, there are a few potential improvements.

First, it doesn't recognize tabs as whitespace or handle optional whitespace
in a few places where MIME would allow it.

Second, it invokes Perl on any message with a MIME attachment, which could
slow
the mail server greatly. It would be preferable to detect the exploit in
procmail
and only invoke Perl to "cleanse" the message if that were necessary.
Alternatively,
it could redirect the mail to the postmaster so he or she would know that
users were
under attack.

Finally, there are other possible exploits, like a very long content type,
that
might also lead to buffer oveflows in mail clients. These should be checked
too.

Can people suggest improvements to John's recipes that solve these
problems? Greg
Sutter and Chris Lindsey have both come up with patterns that do more of the
matching within procmail, but they still need a little refinement.

In any event, this is a great start. It's fantastic that someone who had
most of
the needed recipe already written was on the list.... This is what's great
about
the Net!

--Brett Glass

At 11:33 AM 7/29/98 -0700, John D. Hardin wrote:

>A procmail recipe that will (hopefully) prevent the long-filename problems
>in various mailers is available at:
>
>    http://www.wolfenet.com/~jhardin/procmail-kit.html
>
>Comments are solicited.
>
>--
> John Hardin KA7OHZ                               jhardinwolfenet.com
> pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
> PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
>-----------------------------------------------------------------------
>  Your mouse has moved. Windows NT must be restarted for the change
>  to take effect. Reboot now?  [ OK ]
>-----------------------------------------------------------------------
>   88 days until Daylight Savings Time ends
>