MIME::Tools Perl module and virus scanners

From: David F. Skoll (dfsat_private)
Date: Mon Jun 03 2002 - 13:19:58 PDT


    Background
    ----------
    
    MIME::Tools is a very nice Perl module for parsing and constructing
    MIME-encoded mail messages.  The latest stable version is 5.411a.
    
    MIME::Tools works very well on valid MIME messages.  However, there
    are a number of problems if you use it to implement server-based mail
    scanning.
    
    Problems
    --------
    
    Problem 1: RFC 2231 encoding not supported.
    http://www.ietf.org/rfc/rfc2231.txt specifies (yet another) way to encode
    filenames in MIME messages.  MIME::Tools will not correctly
    recognize this attachment as "foo.exe":
    
    Content-Disposition: attachment; filename*1="foo."; filename*2="exe"
    
    Problem 2: Rejection of "obvious" interpretation of malformed MIME.
    The following MIME header is valid:
    
    Content-Type: application/octet-stream; name="bad boy.exe"
    
    But this header is not:
    
    Content-Type: application/octet-stream; name=bad boy.exe
    
    MIME::Tools interprets the name field as "bad" in this case, and
    throws away the " boy.exe" part.  Unfortunately, most Windoze mail
    clients make the "obvious" interpretation and recognize the name
    as "bad boy.exe".
    
    Problem 3: Incorrect concatenation of encoded MIME words.
    MIME::Tools does not remove the space from this example:
    
    	(=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?=)
    
    to yield (ab); instead, it yields "(a b)".  Some MUAs use encoded MIME
    words in the Content-Type or Content-Disposition fields.  Although
    this is specifically disallowed by RFC 2047, again, some Windoze mail
    clients may make the "obvious" interpretation and decode the words.
    
    Summary
    -------
    
    Problems 1 and 3 are real deficiencies in MIME::Tools.  Problem 2 is
    not a deficiency in MIME::Tools itself, but that's cold comfort if a
    virus slips through your server-based scanner.
    
    Patch
    -----
    
    A patch which corrects problems 1-3 and does not break any MIME::Tools
    regression tests is at
    http://www.roaringpenguin.com/mimedefang/mime-tools-patch.txt
    
    Caveat
    ------
    
    I make no guarantee that the above patch will catch all forms of
    malformed MIME which could be interpreted differently by an MUA.
    In fact, I'm willing to bet there are lots of ways to evade server-based
    scanners using MIME::Tools or practically any other MIME scanner.
    
    Users of MIMEDefang
    -------------------
    
    If you use MIMEDefang (which uses MIME::Tools), you may want to
    unconditionally call action_rebuild in filter_begin().  This forces
    the MIME message to be rebuilt by MIME::Tools, resulting in a valid
    MIME message.  This should guarantee that the MUA interprets the message
    exactly as MIME::Tools did, but it may introduce unacceptable processing
    overhead.
    
    Vendor Status
    -------------
    
    eryqat_private contacted 30 May; no response yet.
    
    --
    David F. Skoll
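
Added example (Python, not part of this post or of the patch it links): a small parser that returns the by-the-book reading of a name/filename parameter next to the "obvious" reading a forgiving MUA makes, for the three header shapes described above. The header values are constructed from the post's examples; the strict/lenient comparison as a scanner-side check is this example's own assumption.

```python
import re
from email.header import decode_header
from urllib.parse import unquote

# Constructed header values reproducing the three cases in the post (test data, not real mail).
HEADERS = {
    "rfc2231":  'attachment; filename*1="foo."; filename*2="exe"',
    "unquoted": 'application/octet-stream; name=bad boy.exe',
    "encoded":  'attachment; filename="=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?="',
}

_PARAM = re.compile(r';\s*([^=;\s]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))')
_RFC2231 = re.compile(r'^([^*]+)(?:\*(\d+))?(\*)?$')

def _decode_words(s):
    """RFC 2047 decode; decode_header() drops whitespace between adjacent encoded words (Problem 3)."""
    return "".join(p.decode(cs or "ascii", "replace") if isinstance(p, bytes) else p
                   for p, cs in decode_header(s))

def filename_views(header):
    """Return {'strict': ..., 'lenient': ...} for the name/filename parameter of a
    Content-Type or Content-Disposition value.  'strict' reads the header by the
    book (the behaviour the post attributes to MIME::Tools); 'lenient' is the
    "obvious" reading of a forgiving MUA.  Disagreement is the signal to act on."""
    strict, sections, charset = None, {}, "us-ascii"
    for m in _PARAM.finditer(header):
        quoted = m.group(2) is not None
        raw = re.sub(r"\\(.)", r"\1", m.group(2)) if quoted else m.group(3).strip()
        base, sect, enc = _RFC2231.match(m.group(1).lower()).groups()
        if base not in ("name", "filename"):
            continue
        if sect is None and enc is None:                          # ordinary parameter
            strict = raw if quoted else (raw.split() or [""])[0]  # token ends at whitespace (Problem 2)
            sections[0] = raw                                     # lenient keeps the whole run
            continue
        # RFC 2231 continuation / extended value (Problem 1); a strict parser ignores it.
        if enc:
            if raw.count("'") >= 2:                               # first encoded section: charset'lang'value
                charset, _, raw = raw.split("'", 2)
            raw = unquote(raw, encoding=charset or "us-ascii", errors="replace")
        sections[int(sect or 0)] = raw
    lenient = "".join(sections[i] for i in sorted(sections)) if sections else None
    return {"strict": strict, "lenient": _decode_words(lenient) if lenient else None}

def is_ambiguous(header):
    """True when the strict and lenient readings differ, i.e. scanner and MUA may disagree."""
    v = filename_views(header)
    return v["strict"] != v["lenient"]

if __name__ == "__main__":
    for label, h in HEADERS.items():
        print(label, filename_views(h), "AMBIGUOUS" if is_ambiguous(h) else "ok")
```

A scanner that flags ambiguous headers (or, as the post suggests for MIMEDefang, rebuilds the message) removes the gap between what it saw and what the recipient's MUA will see.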
    
