Re: [Mimedefang] Danger of .vcs files?
On 30 Sep 2004 at 12:45, Jim McCullars wrote:

> Well, at the risk of exposing my backside:
>
>    $bad_exts = '(bat|cmd|com|cpl|exe|hta|lnk|pif|reg|scr|shs|vb|vbe|vbs|zi)';

Ouch...there are far too many that are just as bad as those:

.INS: Internet Settings file...can change your IE setup to use a proxy, change to a different dial-out number, etc.

.CHM: Compiled Help file...can have scripting, embedded EXEs, and any number of bad things.

.ASX, .ASF: These are *script* files for Windows Media player. They normally just load a few .WMV (or similar) files in a row, but they can do a *lot* more.

-- 
Jeff Rife          | SPAM bait:
                   | http://www.nabs.net/Cartoons/OverTheHedge/SlowInternet.jpg
[EMAIL PROTECTED]  | [EMAIL PROTECTED]

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
RE: [Mimedefang] Danger of .vcs files?
Jason Gurtz wrote:
> On 9/30/2004 13:45, Jim McCullars wrote:
>>
>> On Thu, 30 Sep 2004, Stephen J Smoogen wrote:
>>>> about 10 or so that are commonly used to send mail bombs. .vcf isn't one of them.
>>>
>>> Which 10?
>>
>> Well, at the risk of exposing my backside:
>
> Can't remember what the defaults are but I've added a couple here and
> there. Here's what I use (Perl string concatenated for email
> readability):
>
> $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|' .
>             'dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|' .
>             'mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|' .
>             'shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|' .
>             'wsh|\{[^\}]+\})';

Here's mine, since we're sharing. The first chunk is the default; the second is my additions. I'm considering removing jpg and jpeg once either (a) I'm convinced the GDI+ update has been widely applied or (b) ClamAV 0.8 is released so I can use their Exploit.JPEG antivirus definition.

  my @bad = qw(
    ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp hlp hta hto
    inf ini ins isp js jse lib lnk mdb mde msc msi msp mst ocx pcd pif prg reg
    scr sct sh shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc wsf wsh

    htm html zip rar sit cpt hqx jpg jpeg
  );
  my $bad_exts = "(" . join("|", @bad, "\{[^\}]+\}") . ")";

It's rather extreme, I know... but I do a pre-scan for known virii with clamav-milter, which catches most of the well-established viruses that have known definitions. Also I have a streamlined unquarantining mechanism that just takes a few seconds for the mail admin.

[EMAIL PROTECTED] 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
Re: [Mimedefang] Danger of .vcs files?
On 9/30/2004 13:45, Jim McCullars wrote:
>
> On Thu, 30 Sep 2004, Stephen J Smoogen wrote:
>
>> > about 10 or so that are commonly used to send mail bombs. .vcf isn't one
>> > of them.
>>
>> Which 10?
>
> Well, at the risk of exposing my backside:

Can't remember what the defaults are but I've added a couple here and there. Here's what I use (Perl string concatenated for email readability):

  $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|' .
              'dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|' .
              'mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|' .
              'shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|' .
              'wsh|\{[^\}]+\})';

The .lnk are often blocked because users don't know how to properly send a link via email. IE/Lookout attach .lnk files when people drag-drop from the address bar. IE has had some issues in the past with things that get entered via the address bar, so I choose to make people display the whole URL instead of obfuscating it in a lame file.

Cheers,

~Jason
-- 
Re: [Mimedefang] Danger of .vcs files?
On Thu, 30 Sep 2004, Kevin A. McGrail wrote:

> Fairly certain .vcs is a vCalendar format for doing calendar and event
> exports. It is used by Outlook and Palm as well as Apple's iCal.

It is. We have a webmail app that uses vcs to send calendar appointments. I set up mimedefang to only allow vcs attachments internally. In filter_bad_filename:

  # Do not allow:
  # - curlies
  # - bad extensions (possibly with trailing dots) at end or
  #   followed by non-alphanum
  $re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';

  # allow vcs files on SLU network
  $revcs = '\.' . 'vcs' . '\.*([^-A-Za-z0-9_.,]|$)';

  if ((re_match($entity, $revcs)) && ($RelayAddr =~ /^192\.168\./)) {
      md_graphdefang_log("allowing .vcs from $RelayAddr");
      return 0;
  } else {
      return re_match($entity, $re);
  }

ray
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean                     http://www.r-a-y.org
Systems Engineer               Southeastern Louisiana University
IBM Certified Specialist       AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
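The two pieces of filter logic shared in this thread, the extension list joined into `$bad_exts` and the `filter_bad_filename` regex with Ray DeJean's internal-relay exception for `.vcs`, reproduced below in Python's `re` module, which accepts the same pattern syntax. This is an added example for readers following the thread, not code from any of the posters or from MIMEDefang itself. It assumes case-insensitive matching (MIMEDefang's `re_match` compares the filename with `/i`, so `.EXE` is caught as well as `.exe`); the filenames and the relay addresses are constructed, and the value in braces is a placeholder, not a real CLSID. The sample list shows what a practitioner wants to confirm before trusting such a filter: trailing dots and a blank after the real extension are still caught, a blocked extension embedded in a longer word (`my.vbscript.txt`) is not, and `vcal.vcs.exe` does not slip through the `.vcs` exception because the `.` in the excluded character class stops `vcs` matching when another extension follows it.

```python
import re

# Extension list as posted in the thread: the default set quoted by Jason Gurtz,
# with the optional "e" of "jse?" written out as two entries.
BAD_EXTS = """
ade adp app asd asf asx bas bat chm cmd com cpl crt dll exe fxp hlp hta hto
inf ini ins isp js jse lib lnk mdb mde msc msi msp mst ocx pcd pif prg reg
scr sct sh shb shs sys url vb vbe vbs vcs vxd wmd wms wmz wsc wsf wsh
""".split()

# Tail of the filter_bad_filename pattern: optional trailing dots, then either a
# character that cannot continue a filename or the end of the string. A letter,
# digit, '-', '_', '.' or ',' after the extension means it was not the real one.
TAIL = r"\.*([^-A-Za-z0-9_.,]|$)"


def build_bad_exts(exts):
    # Mirror of the Perl:  "(" . join("|", @bad, "\{[^\}]+\}") . ")"
    # The last alternative matches a {CLSID}-style suffix, which Explorer hides
    # from the user while still using it to choose the handler.
    return "(" + "|".join(list(exts) + [r"\{[^\}]+\}"]) + ")"


# filter_bad_filename's pattern as quoted in the thread:
#   '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)'
# Case-insensitive matching is assumed here, as MIMEDefang's re_match uses /i.
BAD_NAME_RE = re.compile(r"\." + build_bad_exts(BAD_EXTS) + TAIL, re.IGNORECASE)

# Ray DeJean's exception: the same tail rule applied to the single extension .vcs,
# honoured only when the relay is on the internal network (192.168/16 in his post).
VCS_RE = re.compile(r"\.vcs" + TAIL, re.IGNORECASE)
INTERNAL_RELAY_RE = re.compile(r"^192\.168\.")


def is_bad_filename(filename):
    """True when the filename carries a blocked extension per the regex above."""
    return BAD_NAME_RE.search(filename) is not None


def should_reject(filename, relay_addr):
    """Ray's rule: admit .vcs from the internal relay, otherwise apply the full list."""
    if VCS_RE.search(filename) and INTERNAL_RELAY_RE.match(relay_addr):
        return False
    return is_bad_filename(filename)


if __name__ == "__main__":
    # Constructed sample names and relay addresses (203.0.113.0/24 is TEST-NET-3).
    samples = [
        ("report.exe", "203.0.113.7"),
        ("report.exe.", "203.0.113.7"),        # trailing dot, consumed by \.*
        ("notes.txt.exe", "203.0.113.7"),      # double extension
        ("report.exe .txt", "203.0.113.7"),    # blank after the real extension
        ("my.vbscript.txt", "203.0.113.7"),    # "vbs" followed by a letter: allowed
        ("quarterly.pdf", "203.0.113.7"),
        ("holiday.jpg.{00000000-0000-0000-0000-000000000000}", "203.0.113.7"),
        ("vcal.vcs", "192.168.10.20"),         # internal relay: allowed
        ("vcal.vcs", "203.0.113.7"),           # external relay: rejected
        ("vcal.vcs.exe", "192.168.10.20"),     # .vcs is not the final extension
    ]
    for name, relay in samples:
        verdict = "REJECT" if should_reject(name, relay) else "allow"
        print(f"{name!r:58} from {relay:15} -> {verdict}")
```

Run as a script it prints the verdict for each constructed name; the functions can also be imported and driven from a larger test set when a site's own list differs from the one quoted above.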
RE: [Mimedefang] Danger of .vcs files?
Kevin A. McGrail wrote:
> Fairly certain .vcs is a vCalendar format for doing calendar and event
> exports. It is used by Outlook and Palm as well as Apple's iCal.

Yup, you're right - just checked my file types and sure enough .vcs is handled by Outlook. So it is a potential virus risk... it could exploit vulnerabilities in Outlook.

[EMAIL PROTECTED] 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
RE: [Mimedefang] Danger of .vcs files?
Ben Kamen wrote:
> I thought .vcs was for virtual cards?
>
> i.e. Palm Desktop (the windows program for PalmOS handhelds) and
> others, etc..etc... (or was that .vcd?)
>
> Anyway - just a thought..
>
> -Ben

That's .vcf
Re: [Mimedefang] Danger of .vcs files?
On Thu, 30 Sep 2004, Stephen J Smoogen wrote:

> > about 10 or so that are commonly used to send mail bombs. .vcf isn't one
> > of them.
> >
>
> Which 10?

Well, at the risk of exposing my backside:

  $bad_exts = '(bat|cmd|com|cpl|exe|hta|lnk|pif|reg|scr|shs|vb|vbe|vbs|zi)';

Jim McCullars
University of Alabama in Huntsville
Re: [Mimedefang] Danger of .vcs files?
Fairly certain .vcs is a vCalendar format for doing calendar and event exports. It is used by Outlook and Palm as well as Apple's iCal.

More info in RFCs 2425, 2526, 2445, 2446 & 2447 -- http://www.imc.org/pdi/

A quick web search and guess what? Microsoft has issued related security patches, see below.

Regards,
KAM

Microsoft issues patch for new Outlook security hole
News Story by Jennifer DiSabatino

FEBRUARY 23, 2001 (COMPUTERWORLD) - Microsoft Corp. has identified another security hole in its Outlook e-mail software and said a fix is available for the glitch.

The software maker yesterday released a patch for its Outlook and Outlook Express clients, following the identification of a hole in the software that could allow hackers to use a vCard to disable Outlook, or run code through Outlook. The vCard attachment is a common way to share address book information.

This exploit, like many viruses, will work only if the user opens an infected attachment in an e-mail document. It was reported to Microsoft by Ollie Whitehouse, a British programmer.

The patch is available from Microsoft. As always, the company urged users to follow sound security measures, which include not opening unexpected attachments, especially from strangers. However, as evidenced by the spread of the Kournikova virus last week, users are still all too willing to open suspect attachments (see story).

According to the Microsoft security advisory, "Outlook Express provides several components that are used both by it and, if installed on the machine, Outlook. One such component, used to process vCards, contains an unchecked buffer."

A buffer temporarily stores data in devices or software. Programmers can design buffers to check the size of data entered into them and reject entries that are too long. When they are "unchecked," it means there is no such safeguard, and users can enter any amount of data.

In the case of Outlook, the unchecked buffer would allow a malicious user to create a vCard that contains what Microsoft called "specially malformed data." When a recipient opens such a vCard, the data would overflow the available buffer size and crash the e-mail software.

"In a more serious case, a malicious user could exploit the unchecked buffer to run unauthorized code on the other user's computer," Microsoft warned.

Sara Radicati, president and CEO of The Radicati Group in Palo Alto, Calif., said she hadn't heard that this hole was a problem yet. "This is such a low-level issue . . . it just might not have bubbled up yet," she said.

> >> If anyone can tell me what the danger of these files is,
> >> I'd appreciate it, then I can decide whether to risk
> >> letting them in.
>
> .vcs does not appear on webopedia's list of known extensions:
>
> http://www.webopedia.com/quick_ref/fileextensionsv.asp
>
> so it can't be a commonly associated extension.
Re: [Mimedefang] Danger of .vcs files?
I thought .vcs was for virtual cards?

i.e. Palm Desktop (the Windows program for PalmOS handhelds) and others, etc..etc... (or was that .vcd?)

Anyway - just a thought..

-Ben

[EMAIL PROTECTED] wrote:

> Jim Hatfield wrote:
>> I see that .vcs is listed in filter_bad_filename.
>>
>> One of my users is subscribed to a mailing list and there are often mails to the list with attachments called vcal.vcs. Because we reject these at the gateway, the list management software is getting tetchy and threatening to remove him from the list.
>>
>> If anyone can tell me what the danger of these files is, I'd appreciate it, then I can decide whether to risk letting them in.
>>
>> jim
>
> Does the user need to receive the .vcs attachments? If not, why not just quarantine all .vcs attachments rather than bouncing the email.
>
> .vcs does not appear on webopedia's list of known extensions:
>
> http://www.webopedia.com/quick_ref/fileextensionsv.asp
>
> so it can't be a commonly associated extension.
>
> [EMAIL PROTECTED] 805.964.4554 x902
> Hispanic Business Inc./HireDiversity.com Software Engineer
> perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

-- 
Ben Kamen - O.D.T, S.P.
--
Home: [EMAIL PROTECTED]   http://www.benjammin.net
Work: [EMAIL PROTECTED]
gPG Pub Key - http://www.benjammin.net/www/pages/library

* NOTE: Opinions and Views discussed via email are my own and not that
* of the State of Illinois, University of Illinois or the Illinois Dept
* of Natural Resources.
RE: [Mimedefang] Danger of .vcs files?
Jim Hatfield wrote:
> I see that .vcs is listed in filter_bad_filename.
>
> One of my users is subscribed to a mailing list and there
> are often mails to the list with attachments called vcal.vcs.
> Because we reject these at the gateway, the list management
> software is getting tetchy and threatening to remove him from the
> list.
>
> If anyone can tell me what the danger of these files is,
> I'd appreciate it, then I can decide whether to risk
> letting them in.
>
> jim

Does the user need to receive the .vcs attachments? If not, why not just quarantine all .vcs attachments rather than bouncing the email.

.vcs does not appear on webopedia's list of known extensions:

http://www.webopedia.com/quick_ref/fileextensionsv.asp

so it can't be a commonly associated extension.

[EMAIL PROTECTED] 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
Re: [Mimedefang] Danger of .vcs files?
Jim McCullars wrote:
> On Thu, 30 Sep 2004, Jim Hatfield wrote:
>> I see that .vcs is listed in filter_bad_filename.
>
> I think David got those extensions from a list that Microsoft published at one time. At my site, I pared the list down considerably, to a list of about 10 or so that are commonly used to send mail bombs. .vcf isn't one of them.

Which 10?

-- 
Stephen John Smoogen             | CCN-5 Security Team
LANL SIRT Team Leader            | SMTP: [EMAIL PROTECTED]
Los Alamos National Laboratory   | Voice: 505.664.0645
Ta-03 SM-1498 MS: B255 DP 10S    | FAX: 505.665.7793
Los Alamos, NM 87545             |
Re: [Mimedefang] Danger of .vcs files?
On Thu, 30 Sep 2004, Jim Hatfield wrote:

> I see that .vcs is listed in filter_bad_filename.

I think David got those extensions from a list that Microsoft published at one time. At my site, I pared the list down considerably, to a list of about 10 or so that are commonly used to send mail bombs. .vcf isn't one of them.

> If anyone can tell me what the danger of these files is,
> I'd appreciate it, then I can decide whether to risk
> letting them in.

The problem is, some file types will execute, rather than launch the application that they are associated with. I just did an experiment by making a copy of Notepad.exe, renaming it to jim.vcf, and launching it. Had this actually launched Notepad, I would say that it would be too risky to let the file type pass. However, it did indeed launch the Windows Address Book (although all the fields were empty). Now while it may be possible to craft a .vcf file that would corrupt WAB and make it do something unintended, it appears that someone cannot just rename a malicious executable to something.vcf and have it run.

My $0.02 says to let them in.

HTH...

Jim McCullars
University of Alabama in Huntsville