Less dangerous forms of these attacks can automatically cause the recipient's computer to display some content the attacker wishes, such as automatically opening an advertising or pornography web page when the message is opened, or perform a Denial-of-Service attack on the recipient's computer through code that freezes or crashes the browser or the entire computer.
The simplest way to completely avoid such attacks is to not use a web browser or HTML-enabled email client to read your email. Since many of these attacks do not depend on bugs in the email client software, they cannot be prevented through patches to the email client. If you use a web browser or HTML-aware email client, you will be vulnerable to these kinds of attacks.
Also, as some of these attack depend on the email client being able to execute scripted HTML rather than depending on the weaknesses of any particular operating system, these attacks can be cross-platform. An HTML-enabled email client on a Macintosh is just as vulnerable to active-HTML email attacks as an HTML-enabled email client on Windows or Unix. The vulnerabilty will vary from system to system based on the email client rather than the operating system.
Switching to a non-HTML-aware email client is not a realistic option for many people. An alternative is to filter out or alter the offending HTML or script code before the email client gets a chance to execute it. It may also be possible to configure your email client to turn off the interpretation of script code. See your program documentation for details. Turning off scripting in your email client is strongly recommended. There is very little reason to support scripted email messages.
Microsoft Outlook users should visit this page that describes tightening down Outlook's security settings.
The recently-announced Outlook email worms are an example of this attack. See the Bugtraq Vulnerability database for more details.
Note that this is the result of a bug in the program under attack. A properly written email client will not allow random strangers to run programs on your computer without your consent. Programs subject to buffer overflows are incorrectly written and must be patched to permanently correct the problem.
Buffer overflows in mail programs occur in handling the message headers and attachment headers, which is information the email client needs to process in order to know details about the message and what to do with it. The text in the body of the message, which is simply displayed on the screen and which is expected to be a large amount of text, is not used as the vehicle for buffer overflow attacks.
The recently-announced overflow bugs in Outlook, Outlook Express and Netscape Mail are examples of this. Patches for Outlook are available via the Microsoft security site.
The message headers and attachment headers can be preprocessed by the mail server to limit their lengths to safe values. Doing this will prevent them being used to attack the email client.
These attacks are usually used to breach security by getting a trusted user to run a program that grants access to an untrusted user, or to cause damage such as attempting to erase all of the files on the victim's hard disk. Trojan Horses can also act to steal information or resources or implement a distributed attack, such as by distributing a program that attempts to steal passwords or other security information, or a program that mails itself around (a "worm") and also mailbombs a target (a worm with an attitude :).
For this attack to succeed the victim must take action to run the program that they've received. The attacker can use various "social engineering" methods to convince the victim to run the program; for example, the program may be disguised as a love letter or joke list, with the filename specially constructed to take advantage of Windows' propensity for hiding important information from the user.
This attack can be avoided simply by not running programs that have been received in email until they have been checked over, even if the program seems to be harmless and especially if it comes from someone you don't know well and trust.
Except...
Bugs in the email client or poor design may allow the attack message to automatically execute the Trojan Horse attachment without user intervention, through either the use of active HTML, scripting or buffer overflow exploits. This is an extremely dangerous scenario and HAS BEEN DEMONSTRATED in a public computer security forum.
In an attempt to prevent this, the names of executable file attachments can be changed in such a way that the operating system no longer thinks they are executable (for example, by changing "EXPLOIT.EXE" to "EXPLOIT.DEFANGED-EXE"). This will force the user to save and rename the file before it can be executed (giving them a chance to think about whether it should be executed), and it reduces the possibility that other exploits in the same message will be able to find and execute the Trojan Horse program automatically (since the name has changed).
In addition, for known Trojan Horse programs the attachment format itself can be mangled in such a way that the email client no longer sees the attachment as an attachment. This will force the user to contact technical support to retrieve the attachment, and gives the system administrator a chance to examine it.
Unmangling a mangled attachment is fairly straightforward for the administrator. In mangling the attachment the original MIME attachment header is shifted down and an attack warning attachment header is inserted. No information is deleted or altered. To reattach the attachment simply edit the mailbox file with a text editor and delete the attack warning header, returning the original attachment header to its original location.
Here is a list of recent Trojan Horse executables and documents, gleaned from bugtraq and Usenet newsgroup warnings and antivirus vendor advisories:
*.chm
*.hlp
*.hta
*.js
*.shb
*.shs
*.vb
*.vbe
*.vbs
*.wsf
*.wsh
*.[a-z0-9][a-z0-9][a-z0-9].[a-z0-9]+ (to catch "double-extension" attachments)
IBMls.exe
aol4free.com
babylonia.exe
badass.exe
buhh.exe
chocolate.exe
compu_ma.exe
happy99.exe
i-watch-u.exe
ie0199.exe
jesus.exe
list.doc
path.xls
photos17.exe
picture.exe
pretty park.exe
prettypark.exe
serialz.hlp
setup.exe
story.doc
suppl.doc
surprise!.exe
x-mas.exe
y2kcount.exe
yahoo.exe
zipped_files.exe
Another channel for Trojan Horse attacks is via a data file for a program that provides a macro (programming) language, for example, modern high-powered word processors, spreadsheets, and user database tools.
If you cannot simply discard attachments that may put you at risk, it is recommended that you install anti-virus software (which detects and disables macro-language Trojan Horses) and that you always open data file attachments in the program's "do not automatically execute macros" mode (for example, by holding down the [SHIFT] key when double-clicking the attachment).
Also: if your system administrator (or someone claiming to be your system administrator) emails you a program and asks you to run it, immediately become very suspicious and verify the origin of the email by contacting your administrator directly.
Many programs running under Unix and similar operating systems support the ability to embed short shell scripts (sequences of commands similar to batch files under DOS) in their configuration files. This is a common way to allow the flexible extension of their capabilities.
Some mail-processing programs improperly extend this support for embedded shell commands to the messages they are processing. Generally this capability is included by mistake, by calling a shell script taken from the configuration file to process the text of some headers. If the header is specially-formatted and contains shell commands, it is possible that those shell commands will get executed as well. This can be prevented by the program scanning the header text for the special formatting and changing that formatting before it gets passed to the shell for further processing.
Since the formatting needed to embed a shell script in an email header is fairly special, it's fairly easy to detect and alter.
Procmail is a program that processes email messages looking for particular information in the headers or body of each message, and takes actions based on what it finds. If you're familiar with the concept of "rules" as provided in many major user mail clients (such as the cc:Mail client), then you are already familiar with the concept of automatically processing email messages based on their content.
This page provides you with a procmail ruleset specifically designed to "sanitize" your email against these attacks.
A tarball of the ruleset and some other files is available at:
[
FTP Mirror 1 (USA: UT)
|
FTP Mirror 2 (Europe: NL)
|
HTTP Mirror 1 (USA: WA)
]
If you are downloading this on a Windows system for use on a Unix or Linux system, make sure that you take care of text-file conversion - the script will not run properly with DOS end-of-line characters in it. One way to do this is to open the sanitizer script in vi and type:
:textmode on
:textmode off
:wq
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=10/30, R=20/40,
A=procmail -Y -a $h -d $u
# Uncomment the following line to troubleshoot problems
# VERBOSE=YES
DROPPRIVS=YES
LOGFILE=$HOME/procmail.log
PATH="/usr/bin:$PATH"
SHELL=/bin/sh
POISONED_EXECUTABLES=/etc/procmail/poisoned
SECURITY_NOTIFY="postmaster, security-dude"
SECURITY_NOTIFY_VERBOSE="virus-checker"
SECURITY_NOTIFY_SENDER=""
# or
SECURITY_NOTIFY_SENDER=/etc/procmail/local-email-security-policy.txt
# this file must already exist, with proper permissions:
SECURITY_QUARANTINE=/var/spool/mail/security
POISONED_SCORE=25
SCORE_HISTORY=/var/log/macro-scanner-scores
SECRET="CHANGE THIS"
# Finished setting up, now run the sanitizer...
INCLUDERC=/etc/procmail/html-trap.procmail
# Reset some things to avoid leaking info to
# the users...
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_NOTIFY_SENDER=
SECURITY_QUARANTINE=
SECRET=
Of course, if you've already got an /etc/procmailrc file you'll have to incorporate the INCLUDERC=/etc/procmail/html-trap.procmail call into what's already there.Notes about local policy:
This will create a file named procmail.log in the home directory of any user who receives mail. Your users should be instructed to periodically review and delete this file, or an administrative daemon (e.g. logrotate) should be set up to periodically collect statistics and delete the files or warn the user to do so. If you don't care to log the sanitizing messages and possible exploit warnings, then change the logfile line to:
LOGFILE=/dev/nullNote that the DROPPRIVS at the beginning means the log file must be writable by the recipient.
You may override the default list of executable extensions by setting MANGLE_EXTENSIONS. The default list is:
MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|do[ct]|xl[sw]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[be]|ms[ip]|reg|asd'Note that what you specify completely replaces the default list, so, for example, if you don't want to mangle .EXE files for some reason, you'd specify:MANGLE_EXTENSIONS='html?|com|cmd|bat|pif|sc[rt]|lnk|do[ct]|xl[sw]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[be]|ms[ip]|reg|asd'This can also be used to customize the sanitizer on a by-sender or by-recipient basis. For example, if <fnord@example.com> has a legitimate reason to send you .EXE attachments, you might do something like this before calling the sanitizer::0This sort of thing can become arbitratrily complex.
* ^From:.*<fnord@example.com>
{
MANGLE_EXTENSIONS='html?|com|cmd|bat|pif|sc[rt]|lnk|do[ct]|xl[sw]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[be]|ms[ip]|reg|asd'
}
If you don't want to mangle document filenames, try this:MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[be]|ms[ip]|reg|asd'They will still be scanned for poisonous macros and quarantined if appropriate, but they will not be checked against the poisoned executables list (see below).Note that the MANGLE_EXTENSIONS settings you enter must all be on one line.
If you wish to block specific executable and document attachments, create a text file containing one filename or filespec per line, with no comments or leading spaces, permissions rw-r--r--, and set the variable POISONED_EXECUTABLES to point at that file before calling html-trap.procmail. See above for a recommended list of filenames of known trojans. The names in this list are not case-sensitive and wildcards may be used. For example:
*.htaNote that only extensions in the MANGLE_EXTENSIONS list are compared against the poisoned executables file. Omitting .EXE from MANGLE_EXTENSIONS means you will not be able to poison any .EXE attachments. This is a design weakness in the current sanitizer.
*.vbs
*.chm
happy??.exe
happy[0-9]+.exe
If you wish to be notified when the filter traps poisoned attachments, set SECURITY_NOTIFY and/or SECURITY_NOTIFY_VERBOSE to a comma-delimited list of email addresses to notify. The SECURITY_NOTIFY_VERBOSE recipients will receive a full copy of the message, the SECURITY_NOTIFY recipents will only receive the headers.
If SECURITY_NOTIFY or SECURITY_NOTIFY_VERBOSE are set, then the message sender may also be notified of the message being trapped. To do this, set SECURITY_NOTIFY_SENDER to any value. If you wish to override the simple default message, set SECURITY_NOTIFY_SENDER to point at a text file and that text file will be included as the body of the message - I recommend you explain site policy there if you are blocking attachments by wildcard. If SECURITY_NOTIFY_SENDER is set but not pointing at a file, a simple default message will be sent. NOTE: Be careful that you set it to something that is NOT a file if you don't want to override the default message. "SECURITY_NOTIFY_SENDER=/etc/passwd", for example, would be bad. "SECURITY_NOTIFY_SENDER=YES" is probably safe. If you do not want to send a notification reply, you may want to set it explicitly to empty ("") to avoid any inherited value.
If you wish to quarantine poisoned messages, set SECURITY_QUARANTINE to the file you wish to save the message in. This will prevent delivery to the original addressees. It is suggested that you set SECURITY_NOTIFY if you set SECURITY_QUARANTINE as this will remind you to check the quarantine file. If for any reason the message cannot be quarantined it will be bounced and the SECURITY_NOTIFY list will be notified. If you want the (mangled) message to be delivered instead of bounced, set SECURITY_QUARANTINE_OPTIONAL to any value. The SECURITY_QUARANTINE file must already exist - the sanitizer cannot reliably create it on-the-fly.
Note that the DROPPRIVS at the beginning means that the security quarantine file must be writable by users: access permissions on the quarantine file must be -rw--w--w-. If this is a problem, you may want to try setting the quarantine filename to /dev/null and rely on SECURITY_NOTIFY_VERBOSE to keep a copy of the original message.
The sanitizer implements a scanner which checks Microsoft document and worksheet attachments for macros that appear to be trying to do dangerous things. Depending on what the macros in a document or worksheet try to do, you may see false positives (safe documents being marked as dangerous). The score at which an attachment is considered "poisoned" may be set via POISONED_SCORE. If not given, it defaults to 25. The minimum POISONED_SCORE is 5.
It appears that many virus scanners do not actually delete evil macros; instead, they are mangled enough to disable them and are left in place. The sanitizer will very likely detect enough of these fragments to consider the document as still infected. If this happens, suggest to the sender of the document that they save the document in a format that does not support macros at all, such as Rich Text (RTF).
If you wish to completely disable macro scanning, set DISABLE_MACRO_CHECK to any value. If you wish to scan and save the scores to do profiling but not mark any attachments as "poisoned", you can either set SCORE_ONLY to any value (not recommended), or set POISONED_SCORE to a very high value (100-200 is recommended - this will trap currently known exploits while giving you a chance to profile). Set SCORE_HISTORY to the name of the file to save scores in (with the same DROPPRIVS caveats as the other log files).
All of these site policy customizations must be made in the procmail script that calls the sanitizer, before the sanitizer is called, or they will have no effect on the sanitizer's behavior.
Suggestions for what to consider dangerous in a macro are welcome, as are samples of infected documents.
|
The
current version of the html-trap.procmail ruleset is:
1.117
It is recommended you update your copy if your version is older, as bugfixes and filtering for newer exploits will have been added. An announce list for email security issues has been set up. It will primarily carry information on new exploits and updates of the sanitizer. To subscribe, send a message with the subject "subscribe" to esa-l-request@spconnect.com. This page is now being tracked by the Daily Diffs service. |
08/08/00 D'OH! Left in a debugging trap. Update to 1.117 and prune your logfiles. Sorry.
08/04/00 Okay, don't trigger the Excessively Long Header trap until the header exceeds 250 characters. Added asd to the default MANGLE_EXTENSIONS. If you are overriding the default list you should add it to your custom list. Fixed a problem where it was possible for the sanitizer to overlook every other attachment in a series of document attachments. Added clearing of the MIME content type if the attachment filename gets mangled, to prevent the mail program from figuring out what program to run even though the filename is mangled. For the same reason, drop x-mac-* clauses that Eudora uses to indicate the file type and restore the filename extension.
07/26/00 Bugfix in NOTIFY SENDER.
07/23/00
Added checks for certain excessively long standard headers, to address
the MS Outlook header buffer-overflow bug; previously only
MIME-related headers were length-limited, and only in MIME messages.
Disabled sanitizing of encrypted/signed messages; changing the body of
such a message breaks the signature, so there's no good way to
sanitize it.
Moved DROPPRIVS=YES into the sanitizer itself to avoid configuration
errors - this may break gateway use, watch it closely.
Enabled scanning of PowerPoint files, which weren't being scanned due
to an oversight (D'oh!).
Improved handling of RFC822 comments embedded in unquoted attachment
filenames.
Improved handling of filenames containing international characters.
Added a debugging mode - if you want to see the poisoned filespecs it
is comparing attachment names to, define $DEBUG to be anything.
Improved loop-prevention in notification messages; if you want to secure
your system against someone forging the X-Loop: headers in an attempt to
suppress attack notification messages, define $SECRET to be a short string
of random text.
Given the severity of the Outlook BO bug, you probably want to install
the updated sanitizer right away.
05/18/00 (Announcement here delayed, sorry)
Okay, it's happened. A working demonstration attack that uses a
combination of active-scripted HTML and a scriptable attachment
(in the form of a Microsoft Compiled Help file) to automatically
save and execute an arbitrary program remotely via email
without the user having to double-click on an attachment
has been posted to Bugtraq. This means that, for example, someone
could email you a copy of Back Orifice that would install itself on your
computer the moment you simply previewed the message in your mail client.
Make sure that chm appears in your
MANGLE_EXTENSIONS list and that *.chm is in
your poisoned executables list. You should also visit this
page
that describes tightening down Outlook's security settings.
05/22/00 Added some new executable extensions to MANGLE_EXTENSIONS. See above for the new default. Fixed a bug that prevented macro scanning if document attachments were in MANGLE_EXTENSIONS. Dynamically set LINEBUF so that we're no longer vulnerable to extremely long To: headers.
05/14/00 Fixed a bug in notification. Added error logging on failure to open poisoned spec file.
05/13/00 Made sender notification optional. Added ability to specify executable extensions list in configuration file. No more script updates for new executables! Site-customized executable mangling!
05/12/00 Improved sender notification. Added quarantine reliability assurance (i.e. bounce if quarantine fails).
05/10/00 Added ".vbe" to the executable extensions list. You should add "*.vbe" to your poisoned executables list. Fixed a problem where a message that was *only* a poisoned executable (e.g. no text body at all) wouldn't be quarantined.
05/06/00 Added ".wsf" and ".wsh" to the executable extensions list. Fixed another DoS bug in header fixups. Fixed a missing executable extension in the UUE checker. Added notification of the message sender on hits.
03/26/00 Added ".eml" to the executable extensions list. Dynamic configuration of this soon...
02/01/00 Improved handling of quotes in tag arguments.
01/22/00 Sanitizer now deals with attempted obscuration of tag options with &# and % escapes.
01/14/00 Fixed another DoS bug in certain quoted strings, and generally improved quoted string and wrapped-header handling.
If you get "Word too long" errors, try adding "SHELL=/bin/sh" or "SHELL=/bin/ksh" to /etc/procmailrc just before the call to html-trap.procmail - csh can't handle a command-line argument the size of the Perl script that's in the filter.
Do not put html-trap.procmail into /etc/procmailrcs/ as implied by the procmail man page. You'll get security errors from Perl about -e and setuid scripts if you do this. You may also have problems with filtering mail sent to root for this reason.
It looks like this perl script can be a bit of a memory hog on some systems. If you start getting "Out of memory" errors in your procmail log file, try adding
ulimit -d 15000;just before the perl -p -e in the MIME-sanitizing rule:
:0 fwYou might also have to increase the hard memory limit originally set for sendmail.
| ulimit -d 15000; perl -p -e ' #\
I can be contacted at <jhardin@wolfenet.com> - you could also visit my home page.
Best viewed with
Any Browser