Date: Thu, 25 Sep 2003 22:03:26 +0300
From: Liviu Daia <Liviu.Daia@...r.ro>
To: bugtraq@...urityfocus.com
Subject: Re: Ruh-Roh SOBIG.G?


On 25 September 2003, Dragos Ruiu <dr@....net> wrote:
[...]
> SOBIG Filter instructions for Postfix 
> ---------------------------------------
> (compile with pcre - this is in the OpenBSD Ports tree already)
> 
> 1) Add this to main.cf:
> mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
> 
> 2) Then put this in /etc/postfix/mime_header_checks.regexp:
> /filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
>    REJECT For security reasons we reject attachments of this type
[...]

    Your recipe uses a regexp map, not a pcre one; it's very slow
(especially on OpenBSD), and incomplete.  Here's a better one:

(1) Make sure you have Postfix 2.0.x, compiled with support for PCRE.
    Run this to find out:

	postconf -d mail_version
	postconf -m | grep pcre

(2) Add this to main.cf:

	mime_header_checks = pcre:/etc/postfix/mime_header_checks.pcre

(3) Put this in /etc/postfix/mime_header_checks.pcre (the last pattern
    is supposed to catch CLSID extensions):

# The group is closed with (?!\w) rather than \b: after the "}" of a
# CLSID, \b cannot match (two non-word characters), so the last
# alternative would never fire; after a letter the two are equivalent.
/^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:
	ad[ep]							|
	asd							|
	ba[st]							|
	chm							|
	cmd							|
	com(?=$|")						|
	cpl							|
	crt							|
	dll							|
	eml							|
	exe							|
	hlp							|
	hta							|
	in[fs]							|
	isp							|
	jse?							|
	lnk							|
	md[betw]						|
	ms[cipt]						|
	nws							|
	ocx							|
	ops							|
	pcd							|
	p[ir]f							|
	reg							|
	sc[frt]							|
	sh[bsm]							|
	swf							|
	url							|
	vb[esx]?						|
	vxd							|
	ws[cfh]							|
	\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}
		)(?!\w)/x		REJECT Windows executables not allowed

(4) Add more extensions you feel you should block;
(5) Run:

	postfix reload

    Change REJECT above to DISCARD at attack peak times, to save other
machines the trouble of bouncing your rejects.  Of course, collateral
damage from the discards is to be expected too.

    Regards,

    Liviu Daia

-- 
Dr. Liviu Daia               e-mail:   Liviu.Daia@...r.ro
Institute of Mathematics     web page: http://www.imar.ro/~daia
of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc
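An added example, not part of the post above, that checks the table entry offline against constructed header lines, as `postmap -q` would on a real system. The pattern is transcribed to Python's `re` syntax (`re.VERBOSE` for `/x`, `[0-9A-Fa-f]` for `[[:xdigit:]]`), and the closing assertion is parameterised so the posted `\b` and the `(?!\w)` variant can be compared on the CLSID case; the sample headers and the CLSID are constructed values.

```python
import re

# The pcre table entry from the post, transcribed to Python re syntax:
# re.VERBOSE stands in for PCRE's /x flag and [0-9A-Fa-f] for [[:xdigit:]].
# The trailing boundary assertion is left as %s so both variants can be tried.
_TEMPLATE = r"""
    ^Content-(?:Disposition:\s+attachment;|Type:).*\b(?:file)?name\s*=.*\.(?:
        ad[ep] | asd | ba[st] | chm | cmd | com(?=$|") | cpl | crt | dll | eml |
        exe | hlp | hta | in[fs] | isp | jse? | lnk | md[betw] | ms[cipt] | nws |
        ocx | ops | pcd | p[ir]f | reg | sc[frt] | sh[bsm] | swf | url |
        vb[esx]? | vxd | ws[cfh] |
        \{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}
    )%s
"""

def compile_check(boundary=r"(?!\w)"):
    # Postfix regexp/pcre tables match case-insensitively by default, hence
    # re.IGNORECASE. The post closes the group with \b, which cannot match
    # between the CLSID's '}' and the following '"' or end of line (two
    # non-word characters); (?!\w) is identical after a letter and works there.
    return re.compile(_TEMPLATE % boundary, re.VERBOSE | re.IGNORECASE)

def check_mime_header(line, pattern=compile_check()):
    """Action Postfix's mime_header_checks would take for one header line."""
    return "REJECT" if pattern.search(line) else "DUNNO"

# Constructed sample header lines with the action expected for each.
SAMPLES = {
    'Content-Disposition: attachment; filename="invoice.exe"': "REJECT",
    "Content-Type: application/octet-stream; name=Report.PIF": "REJECT",
    'Content-Disposition: attachment; filename="notes.exe.txt"': "REJECT",  # inner .exe
    'Content-Disposition: attachment; filename="site.com.txt"': "DUNNO",    # .com only if last
    'Content-Disposition: attachment; filename="readme.txt"': "DUNNO",
    "Content-Type: text/plain; charset=us-ascii": "DUNNO",
}
# Constructed, not a real, CLSID hidden in place of an extension.
CLSID_LINE = ('Content-Disposition: attachment; '
              'filename="photo.{01234567-89AB-CDEF-0123-456789ABCDEF}"')

def audit(samples=SAMPLES, pattern=compile_check()):
    """Map each header line to the action the table would return."""
    return {line: check_mime_header(line, pattern) for line in samples}

if __name__ == "__main__":
    for line, action in audit().items():
        print(f"{action:6} {line}")
    print(check_mime_header(CLSID_LINE), "for the CLSID line with (?!\\w)")
    print(check_mime_header(CLSID_LINE, compile_check(r"\b")), "with \\b as posted")
```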

