Home page logo

bugtraq logo Bugtraq mailing list archives

Why black list based extension filtering won't work (Was: Re: MIME::Tools Perl module and virus scanners)
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Thu, 13 Jun 2002 11:17:23 +0200

"David F. Skoll" wrote:

MIMEDefang itself doesn't "know" anything, but the sample filter which
comes with it will correctly (?!) reject ".exe." as well as ".exe"

[huge snip]

    # Bad extensions
    $bad_exts ='(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|

I just feel I have to add this: blocking "known bad" extensions won't
buy much. Have you tried creating a word document, e.g. "asdf.doc"
and then change the extension to, for instance, "asdf.unkext"?

It'll happily launch MS word without asking for an app to run.
Further verify this buy renaming "qwer.xls" to "qwer.unkext".
Clicking _that_ document will indeed launch MS excel, again without
asking for an app to run.

The windows shell apparently has hooks for checking the _file contents_ 
for associations when they don't recognize the file extension. The
office suite makes use of this. (I believe this was mentioned here
on bugtraq a couple of months ago.)

So, the only approach that really works is a white-list approach.
And add to that, a white-list that ONLY lets through extensions
that you KNOW that the vast majority of the installed user base 
has associated handlers for. Removing the handler for ".zip" (or
not installing winzip) and clicking on "renamedexcelsheet.zip"
will, of course, launch Excel.

/Mikael Olsson

Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

"Senex semper diu dormit"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]