How safe is this: Automatic scanning of mails for virus (LONG)

[Mogens Kjaer]

(Sorry for posting "source" code in this group, but our
ftp server is not running yet).

I would like your comments about this setup. We have not got our
internet connection yet, so I havn't tested this code IRL yet.

This posting has two attachments: 1. my sendmail.cf file, 2. a
helper script file, to be put in /usr/local/etc.

The sendmail.cf file has been modified so that all mail (incoming
as well as outgoing) is sent to the script file
/usr/local/etc/scanmails.

This script file expands mime attachments into individual files.
binhex encoded files are decoded using xbin. uuencoded files are
decoded using uudecode. tar and zip files are expanded recursively.

McAfee's uvscan (for Linux) is called upon the expanded files.
If a virus is found, the mail is send to postmaster, else it is
delivered as usual by sendmail by appending ".virscanned" to the
hostname.

An evaluation version of uvscan can be found at:
ftp://ftp.mcafee.com/pub/antivirus/english/unix/linux/vlnx101e.tar

Care has been taken during the unpacking of the mail attachments
so that you can't send a mail containing a file that is untar'ed
or uudecoded into e.g. /home/joeuser/.rhosts etc. etc.

This is basically my first try to hack into sendmail.cf, so I might
have missed a lot of important details, please let me know!

The hack into sendmail.cf was inspired by a posting of how to
strip headers from mails, by Andreas Rektenwald, a...@xsoft.co.at

- If this works OK, this is actually quite a cheap way of scanning
mails automatically: You have 30 days evaluation of the uvscan
program, after that you have to buy a license which I believe costs
200 US$.

Mogens

--
Mogens Kjaer, Carlsberg Laboratory, Dept. of Chemistry
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: car...@unidhp.uni-c.dk Homepage: http://unidhp.uni-c.dk/~carlmk

[Valdis Kletnieks]

Mogens Kjaer <car...@unidhp.uni-c.dk> writes:

> I would like your comments about this setup. We have not got our
> internet connection yet, so I havn't tested this code IRL yet.

> Care has been taken during the unpacking of the mail attachments

> so that you can't send a mail containing a file that is untar'ed
> or uudecoded into e.g. /home/joeuser/.rhosts etc. etc.

> tar xvf $E >>$tmpdir/logfile 2>&1

Umm.. you *did* know that a tar file can have absolute pathnames,
didn't you? Consider the effect of somebody creating a tarfile of
a few files, including /etc/passwd, and then you tar xvf it. Whoops,
they just hacked into your system.

Also, your scheme as written will *NOT* stop a determined hacker from
introducing a virus. The biggest hole that I see offhand is you do *no*
checking for message/partial, so I could easily trojan it by sending
you an infected file split into 30 or 40 pieces, all of which individually
pass through the uvscan program.

Also, let's *THINK* for a moment. What are we trying to *accomplish*?

Sendmail runs on a Unix machine. How many *IN THE WILD* *UNIX* viruses
are there? Hmm.. Not many.. Anybody ever *seen* one? OK, so we aren't
worried about our Unix server being infected by a virus (although I *would*
check that you can't get trojan horsed, but that's a DIFFERENT issue).

OK.. Next hypothesis: You're worried about your POP users getting mail
that contains a virus and downloading it, infecting their machine. Well,
why don't you install a good anti-virus program *ON THEIR MACHINE*, and close
both THIS hole, and all the *other* holes (FTP, WWW, sneakernet floppy)?

All in all, it looks like a complicated solution in search of a problem.

[Mogens Kjaer]

Valdis Kletnieks wrote:

>
> Mogens Kjaer <car...@unidhp.uni-c.dk> writes:
>
> > I would like your comments about this setup. We have not got our
> > internet connection yet, so I havn't tested this code IRL yet.
>

> > Care has been taken during the unpacking of the mail attachments
> > so that you can't send a mail containing a file that is untar'ed
> > or uudecoded into e.g. /home/joeuser/.rhosts etc. etc.
>

> > tar xvf $E >>$tmpdir/logfile 2>&1
>
> Umm.. you *did* know that a tar file can have absolute pathnames,
> didn't you? Consider the effect of somebody creating a tarfile of
> a few files, including /etc/passwd, and then you tar xvf it. Whoops,
> they just hacked into your system.

I >DID< think of this: The tar command on Linux by default strips off
the leading slash. One has to add the flag "-P":

-P, --absolute-paths
don't strip leading `/'s from file names

to get it to restore absolute path names: Obviously I didn't add this
flag.

>
> Also, your scheme as written will *NOT* stop a determined hacker from
> introducing a virus. The biggest hole that I see offhand is you do *no*
> checking for message/partial, so I could easily trojan it by sending
> you an infected file split into 30 or 40 pieces, all of which individually
> pass through the uvscan program.

No, I'm not so worried about the determined hacker. It's the Joe
User-that-doesn't-quite-
know-what-he's-doing on the inside that worries me: Some mail programs
immediately
opens Microsoft Word when you click on an attached Word file - this
worries me, as
people don't want to disable macros in Word.

>
> Also, let's *THINK* for a moment. What are we trying to *accomplish*?
>
> Sendmail runs on a Unix machine. How many *IN THE WILD* *UNIX* viruses
> are there? Hmm.. Not many.. Anybody ever *seen* one? OK, so we aren't
> worried about our Unix server being infected by a virus (although I *would*
> check that you can't get trojan horsed, but that's a DIFFERENT issue).

uvscan primarily checks for DOS virus, just like the ordinary DOS virus
checker. I should have emphazised my scenario in my posting: We have
one machine running linux: Our mail server, and about 100 PC's running
win95/win311, pop clients, and Microsoft Office.

>
> OK.. Next hypothesis: You're worried about your POP users getting mail
> that contains a virus and downloading it, infecting their machine. Well,
> why don't you install a good anti-virus program *ON THEIR MACHINE*, and close
> both THIS hole, and all the *other* holes (FTP, WWW, sneakernet floppy)?

The main difference between getting a virus by mail and by FTP is, that
people
that download programs by FTP generally know what they're doing, whereas
people reading mail may not realize the potential danger in the macro
virus.

Also in this case, I need one license of a virus checker (as it only
runs
on one machine) to check the mails of 100 people.

>
> All in all, it looks like a complicated solution in search of a problem.

I totally disagree about this. I think we will see more and more macro
virus.

People that download an exe file generally know that there is a
potential danger
of a virus infection (at least they should), people (secretaries,
students, bosses, etc.) that just read mail
may not be aware of this danger.