From owner-freebsd-security Wed Jul 29 14:51:16 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id OAA08504
    for freebsd-security-outgoing; Wed, 29 Jul 1998 14:51:16 -0700 (PDT)
    (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from notabene.zer0.org (sac-port55.jps.net [209.63.114.210])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA08492
    for ; Wed, 29 Jul 1998 14:51:13 -0700 (PDT)
    (envelope-from gsutter@n1.dyn.ml.org)
Received: (from gsutter@localhost)
    by notabene.zer0.org (8.8.7/8.8.8) id OAA19756;
    Wed, 29 Jul 1998 14:55:56 -0700 (PDT)
    (envelope-from gsutter)
Message-ID: <19980729145556.C16073@notabene.zer0.org>
Date: Wed, 29 Jul 1998 14:55:56 -0700
From: Gregory Sutter
To: Brett Glass , freebsd-security@FreeBSD.ORG
Subject: Re: procmail workaround for MIME filename overflow exploit
References: <199807291946.NAA14449@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.1i
In-Reply-To: <199807291946.NAA14449@lariat.lariat.org>; from Brett Glass on Wed, Jul 29, 1998 at 01:46:14PM -0600
Organization: Zer0
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Jul 29, 1998 at 01:46:14PM -0600, Brett Glass wrote:
> John Hardin has just updated his procmail "kit" to shorten long file names
> on MIME attachments. This should prevent potential exploits in mail clients
> such as Outlook, Outlook Express, Netscape Mail, and possibly Eudora
> (there's still some debate about whether Eudora is susceptible).
>
> John's procmail filter kit can be found at
> http://www.wolfenet.com/~jhardin/procmail-kit.html
>
> You can view his "recipe" for solving the problem at the end of the file
> http://www.wolfenet.com/~jhardin/html-trap.procmail

Brett,

John's recipe has the same problem as Andrew McNaughton's proposed
solution -- it invokes perl. That's a lot of overhead to process a
mail message, when procmail can do it just fine.
Out of several recipes suggested on the procmail mailing list, David
Tamkin's is the best:

:0fhw
# sixty-three dots in second condition
* ^Content-Disposition:(.*\>)?filename="\/[^"]+
* MATCH ?? ^^\/...............................................................
| formail -I "Content-Disposition: attachment; filename=\"$MATCH\""

That recipe will truncate any filenames longer than 63 characters
to 63 chars. If you wish to specially denote offending messages,
you can change the action line to:

| formail -I "Content-Disposition: attachment; filename=\"$MATCH\"" \
          -i "X-Security-Modification: Truncated long filename"

Regards,

Greg
--
Gregory S. Sutter             Bureaucrats cut red tape -- lengthwise.
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
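
The same 63-character truncation applied to a constructed sample message, as an added example in Python (not code from the message above or from the procmail kits it mentions). It goes beyond the header-only recipe by also checking the Content-Disposition header of every MIME part; the function name, sample message and addresses are assumptions.

```python
import email
from email import policy
from email.utils import collapse_rfc2231_value

MAX_LEN = 63  # same limit as the recipe in the message above

# Constructed sample: one attachment part with a 200-character filename.
SAMPLE = "\n".join([
    "From: sender@example.org",
    "To: user@example.org",
    "Subject: constructed test message",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="XX"',
    "",
    "--XX",
    "Content-Type: text/plain",
    "",
    "body text",
    "--XX",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="%s"' % ("A" * 196 + ".txt"),
    "",
    "data",
    "--XX--",
    "",
]).encode("ascii")


def truncate_filenames(raw, max_len=MAX_LEN):
    """Return (rewritten message bytes, number of filenames shortened)."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    changed = 0
    for part in msg.walk():  # top-level header first, then every MIME part
        name = part.get_param("filename", header="content-disposition")
        if isinstance(name, tuple):  # RFC 2231 encoded parameter
            name = collapse_rfc2231_value(name)
        if name and len(name) > max_len:
            part.set_param("filename", name[:max_len],
                           header="Content-Disposition")
            changed += 1
    if changed:  # mark the message, as the alternative action line does
        msg["X-Security-Modification"] = "Truncated long filename"
    return msg.as_bytes(), changed


if __name__ == "__main__":
    out, count = truncate_filenames(SAMPLE)
    print(count, "filename(s) truncated")
    print(out.decode("ascii"))
```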