Tom,
there is no need to change ASSP to deal with this exploit - because we are
doing it already.
For example:
A UTF-8 MIME encoded filename is "12\xE2\x80\xAE345.678" - where
"\xE2\x80\xAE" is the UTF-8 encoded U+202E - the file name without the
U+202E is 12345.678.
It does not matter how the mail is encoded, assp decodes all charsets to
UTF-8.
A UTF-8 enabled mail client or browser would show the file name as
123876.543 (the exploit works) - however, this is only the browser view
(for humans), not the byte order.
ASSP uses the UTF-8 encoded byte order to find file names and file name
extensions - so assp (Perl) ignores the "\xE2\x80\xAE" and will find the
file name 12345.678 (extension .678) - which is right.
If you want, you can use the following simple code to check this.
# code start
use strict;
use Encode;
my $y = "43"; # the string we search for in $x
my $x = "12"."\xE2\x80\xAE"."34"; # sets $x to 12 + U+202E + 34
# sets the UTF-8 flag to on for $x - $x is now known by Perl as a
# UTF-8 encoded string (assp is doing the same)
Encode::_utf8_on($x);
# print the word 'match' if $y is found in $x
print "match\n" if $x =~ /$y/;
exit;
# code end
If $y is set to "43" the regex does not match - if $y is set to "34" the
regex matches - this is what we need and want. Also, if $y is set to
"\xE2" the regex does not match: because of the Encode::_utf8_on($x),
Perl ignores the string "\xE2\x80\xAE" in $x for the regex.
I've done checks with Perl 5.10.1, 5.12.4 and 5.14.1 - all with the same
result.
Conclusion: assp will never be affected by any exploit which is based on
a (human) view resolution of a mail!
Thomas
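
An added example, not part of the original message and not ASSP's own code: it takes the file name from the message above as raw UTF-8 bytes, reads the extension in logical (stored) order, and additionally reports any bidirectional control characters in the name. The helper inspect_filename, the blocked-extension list and the second sample name are hypothetical, and it uses Encode::decode rather than Encode::_utf8_on.

```perl
use strict;
use warnings;
use Encode qw(decode);

# Bidirectional formatting characters:
# U+061C, U+200E/U+200F, U+202A-U+202E, U+2066-U+2069.
my $BIDI = qr/[\x{061C}\x{200E}\x{200F}\x{202A}-\x{202E}\x{2066}-\x{2069}]/;

# Hypothetical helper: inspect one attachment name given as raw UTF-8 bytes.
sub inspect_filename {
    my ($bytes) = @_;
    my $name = decode('UTF-8', $bytes);     # bytes -> Perl characters

    # Record every bidi control found, as U+XXXX, for logging or scoring.
    my @controls = map { sprintf 'U+%04X', ord } $name =~ /($BIDI)/g;

    # Strip the controls first, so one placed inside the extension
    # cannot split it; what remains is the name in logical order.
    (my $clean = $name) =~ s/$BIDI//g;

    # Extension = text after the last dot of the logical name.
    my ($ext) = $clean =~ /\.([^.]+)\z/;

    return { clean => $clean, ext => lc($ext // ''), controls => \@controls };
}

# Constructed stand-in for a blocked-extension list.
my %blocked = map { $_ => 1 } qw(678);

# Constructed samples; the first is the file name from the message above.
for my $bytes ("12\xE2\x80\xAE345.678", "report.txt") {
    my $r = inspect_filename($bytes);
    printf "%-10s ext=%-4s blocked=%-3s bidi=[%s]\n",
        $r->{clean}, $r->{ext},
        ($blocked{ $r->{ext} } ? 'yes' : 'no'),
        join(',', @{ $r->{controls} });
}
```
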
From: TR Shaw <ts...@oitc.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 08.09.2011 02:17
Subject: [Assp-test] File extensions to make them appear safe to download
See:
http://www.computerworld.com/s/article/9219808/Hackers_flip_characters_to_disguise_malware?source=CTWNLE_nlt_pm_2011-09-07&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29
Can ASSP be updated to deal with the U+202E exploit for file name
filtering?
Thx
Tom
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test