
SOLVED Help filtering executables inside ZIP without demime

Discussion in 'Security' started by jayharland, Mar 17, 2017.

  1. jayharland

    jayharland Active Member

    Hey everyone,

    So, like some, I was using a bit of code I actually got from this forum to peek inside zip files and reject ones containing an executable. The script worked great, but sadly, demime was part of it, and that has been deprecated.

    Since then I've been searching for a solution, but my skills in that area are lacking to put it mildly.

    Anyway, on a different forum I found a user asking the same question, someone recommended they use P7Zip to accomplish this.

    First I created an EPEL repository, got P7zip installed and.... that's where I'm stuck. I'm not sure how to incorporate the following bit of code into Exim's configuration to get it working.


    P7ZIP = /usr/local/bin/7z
    BINFORBIDDEN = Windows-executable attachments forbidden
    WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
    COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
    check_rfc2047_length = false
    acl_smtp_mime = acl_check_mime
    begin acl
    acl_check_mime:
    deny message = BINFORBIDDEN
    log_message = forbidden attachment: filename=$mime_filename, \
    content-type=$mime_content_type, recipients=$recipients
    condition = ${if or{\
    {match{$mime_content_type}\
    {(?i)executable|application/x-ace-compressed}}\
    {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
    }}

    deny message = Compressed BINFORBIDDEN
    condition = ${if or{\
    {match{$mime_content_type}{(?i)application/\
    (octet-stream|x(-zip)?-compressed|zip)}}\
    {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
    }}
    condition = ${if <{$message_size}{1500K}}
    decode = default
    log_message = forbidden binary in attachment: filename=$mime_filename, \
    recipients=$recipients
    condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
    {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

    accept

    I understand what the above code is doing, but I'm not sure where to add it, like I said. I thought I'd just drop it into "custom_end_exiscanall" but nope. I obviously don't understand Exim as well as I'd like to, and yet I need this functionality.

    Any help would be appreciated.

    Thanks,

    Jay
     
  2. sktest123

    sktest123 Well-Known Member

  3. jayharland

    jayharland Active Member

    Thanks for the response. That thread was actually the one I was referring to when I said "I was using a bit of code I actually got from this forum" lol. I was able to implement that solution and it worked great for me until Exim updated.

    I will keep searching and working on understanding it all. Thanks again.
     
  4. jayharland

    jayharland Active Member

    Alright, an update to anyone reading this, trying to figure it out for themselves or looking for help.

    The code I pasted above is actually separate pieces of the Exim configuration file:

    This is the only portion I haven't gotten a grip on yet, how to add these variables into Exim's configuration:

    P7ZIP = /usr/local/bin/7z
    BINFORBIDDEN = Windows-executable attachments forbidden
    WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
    COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z

    *If anyone reading can help with just this portion, that would be great. What is the best way to add them: using the advanced editor interface ("Add additional configuration setting"), or just opening and editing exim.conf and adding them there?

    This piece is already defined:

    check_rfc2047_length = false

    This piece needs to be inserted into "acl_smtp_mime" (I believe, haven't tested yet)

    deny message = BINFORBIDDEN
    log_message = forbidden attachment: filename=$mime_filename, \
    content-type=$mime_content_type, recipients=$recipients
    condition = ${if or{\
    {match{$mime_content_type}\
    {(?i)executable|application/x-ace-compressed}}\
    {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
    }}

    deny message = Compressed BINFORBIDDEN
    condition = ${if or{\
    {match{$mime_content_type}{(?i)application/\
    (octet-stream|x(-zip)?-compressed|zip)}}\
    {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
    }}
    condition = ${if <{$message_size}{1500K}}
    decode = default
    log_message = forbidden binary in attachment: filename=$mime_filename, \
    recipients=$recipients
    condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
    {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

    accept
     
  5. jayharland

    jayharland Active Member

    Success! Here is how I got it working:

    1. After P7Zip is installed, go to Exim's Advanced Configuration Editor

    2. Inside the editor, scroll down to where the CONFIG section ends and you should see a blue "Add additional configuration setting"

    3. This is where the variables need to be defined, enter each of them with the corresponding value.

      P7ZIP = /usr/local/bin/7z
      BINFORBIDDEN = Windows-executable attachments forbidden
      WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
      COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
    4. Once all of the variables are entered, click "Add additional configuration setting" one more time and select "acl_smtp_mime" from the drop down. Make the value "acl_check_mime".

      acl_smtp_mime = acl_check_mime
    5. Below that, under "BEGINACL" you can define the acl:

      acl_check_mime:

      deny message = BINFORBIDDEN
      log_message = forbidden attachment: filename=$mime_filename, \
      content-type=$mime_content_type, recipients=$recipients
      condition = ${if or{\
      {match{$mime_content_type}\
      {(?i)executable|application/x-ace-compressed}}\
      {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
      }}

      deny message = Compressed BINFORBIDDEN
      condition = ${if or{\
      {match{$mime_content_type}{(?i)application/\
      (octet-stream|x(-zip)?-compressed|zip)}}\
      {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
      }}
      condition = ${if <{$message_size}{1500K}}
      decode = default
      log_message = forbidden binary in attachment: filename=$mime_filename, \
      recipients=$recipients
      condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
      {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

      accept

    6. Save the configuration and try to send someone a zip file containing any of the listed file types.

    This did the trick for me. Hopefully it helps someone else!
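    The two matching rules from the ACL above (the attachment-name rule and the "anything executable or nested inside the archive" rule) reimplemented as an added Python example, not code from the thread or from cPanel, so the patterns can be tried against a constructed zip without Exim or 7z. The regexes are built from the WINBIN and COMPREXT lists exactly as the thread defines them; Python's zipfile stands in for the `7z l` listing.

```python
import io
import re
import zipfile

# Extension lists copied from the WINBIN and COMPREXT macros in the thread.
WINBIN = "exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace"
COMPREXT = "zip|rar|7z|arj|bz2|gz|uue|xz|z"

# First deny rule: an executable extension optionally followed by one or more
# archive extensions, e.g. "setup.exe" or "setup.exe.zip" (case-insensitive, like (?i)).
ATTACHMENT_RE = re.compile(r"\.(%s)(\.(%s))*$" % (WINBIN, COMPREXT), re.IGNORECASE)

# Second deny rule, applied to archive members: any member that is itself an
# executable or a nested archive causes the whole attachment to be rejected.
MEMBER_RE = re.compile(r"\.(%s|%s)$" % (COMPREXT, WINBIN), re.IGNORECASE)


def attachment_name_forbidden(filename):
    """True if the attachment's own name trips the first deny rule."""
    return ATTACHMENT_RE.search(filename) is not None


def forbidden_members(zip_bytes):
    """Return the member names inside a zip that would trip the archive rule.

    Directory entries are skipped; only the member name is inspected, which is
    what the 7z listing regex in the ACL does as well.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and MEMBER_RE.search(info.filename)]


def build_sample_zip():
    """Constructed sample: a harmless document, an executable and a nested archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/", "")                              # directory entry, ignored
        zf.writestr("docs/report.pdf", b"%PDF-1.4 constructed")
        zf.writestr("Invoice.EXE", b"MZ constructed")          # caught by WINBIN
        zf.writestr("more.zip", b"PK constructed")             # nested archive, caught by COMPREXT
    return buf.getvalue()


if __name__ == "__main__":
    print(forbidden_members(build_sample_zip()))
```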
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Thanks for updating the thread with your findings. :)
     
  7. julissax

    julissax Registered

    Hi,

    The option for filtering rar attachments with a binary inside does not work; p7zip in CentOS is not compatible with rar.

    Thanks jayharland. I fixed this with the following workaround:

    Code:
    1. Install p7zip with more support files (not rar).
    
    yum install epel-release -y
    yum install p7zip p7zip-plugins -y
    
    2. Install unrar:
    cd /usr/src
    wget http://www.rarlab.com/rar/rarlinux-x64-3.8.0.tar.gz
    tar xzvf rarlinux-x64-3.8.0.tar.gz
    cd rar
    make install
    
    3. Create the next script in server (example: /etc/exim_check_compress.sh):
    #!/bin/bash
    # Called from the Exim ACL as: exim_check_compress.sh <attachment name> <decoded file path>
    # Exits 1 when the archive contains a member with a forbidden extension, 0 otherwise.
    name="$1"
    location="$2"
    
    # Dots are escaped so they match a literal "." rather than any character.
    EXTENS='\.(ad[ep]|asd|ba[st]|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|in[fs]|isp|jse?|jar|lnk|md[bez]|ms[cipt]|ole|ocx|pcd|pif|reg|sc[rt]|sh[sb]|sys|url|vb[es]?|vxd|ws[cfh]|cab)'
    COMPAC='\.(zip|rar|7z|arj|bz2|gz|uue|xz|z)'
    
    # Only inspect attachments whose name ends in a compressed-archive extension
    validityExtension=$(echo "$name" | egrep -ic "${COMPAC}$")
    
    if [ "$validityExtension" != "0" ]; then
            if echo "$name" | egrep -iq '\.rar$'; then
                    # unrar listing: the first column of each line is the member name
                    if [ "$(/usr/local/bin/unrar l "$location" | gawk '{ print $1 }' | egrep -ic "${EXTENS}$")" -gt 0 ]; then
                            exit 1
                    fi
            else
                    # 7z listing: skip the header lines, the sixth column is the member name
                    if [ "$(/usr/bin/7z l -y "$location" | tail -n +14 | awk '{print $6}' | egrep -ic "${EXTENS}$")" -gt 0 ]; then
                            exit 1
                    fi
            fi
    fi
    exit 0
    
    4. Execute:
    
    chmod +x /etc/exim_check_compress.sh
    
    5. Add the next variables to the exim configuration one by one (WHM / Exim Configuration / Advanced / at the end of the SECTION config click "Add additional configuration setting").
    
    BINFORBIDDEN = Windows-executable attachments forbidden
    WINBIN = exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
    COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z
    acl_smtp_mime = acl_check_mime
    
    6. In (WHM / Exim Configuration / Advanced / Section BEGINACL) define the acl:
    acl_check_mime:
    deny message = BINFORBIDDEN
    log_message = forbidden attachment: filename=$mime_filename, \
    content-type=$mime_content_type, recipients=$recipients
    
    condition = ${if or{\
    {match{$mime_content_type}\
    {(?i)executable|application/x-ace-compressed}}\
    {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
    }}
    
    
    deny message = Compressed BINFORBIDDEN
    condition = ${if or{\
    {match{$mime_content_type}{(?i)application/\
    (octet-stream|x(-zip)?-compressed|zip)}}\
    {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
    }}
    
    condition = ${if <{$message_size}{1500K}}
    decode = default
    log_message = forbidden binary in attachment: filename=$mime_filename, \
    recipients=$recipients
    # The script is run directly and both arguments are passed through ${quote:...},
    # so a filename containing spaces or shell metacharacters is handed over as a single
    # argument instead of being interpreted by /bin/sh.
    condition = ${run{/etc/exim_check_compress.sh ${quote:$mime_filename} ${quote:$mime_decoded_filename}}{0}{1}}
    
    accept
    
    Try sending an attachment with a rar, 7z or zip file containing a binary to this server and it works :)
     