A note regarding filename-based regexps.

From: Bjarni R. Einarsson
Date: Wed 03 Apr 2002 - 11:47:16 UTC

    The following message from Bugtraq, although discussing ZoneAlarm
    MailSafe also applies to the regular expressions used in Sanitizer
    configuration files. Basically, it's very easy to bypass
    filename-based filtering rules in many mail filtering products by
    simply appending a dot to all attachment names - the dot will be
    ignored by Windows.

    This particular exploit is so simple I rather expect virus/worm
    writers will put it to use relatively quickly.

    The solution is to simply add \.? to the end of all extension-matching
    regular expressions, before the $. Example:

      file_list_1 = (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))
      file_list_1 += |(ants3set|wtc|readme|sslpatch)\.exe)$

      file_list_1 = (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))
      file_list_1 += |(ants3set|wtc|readme|sslpatch)\.exe)\.?$

    ----- Forwarded message from Edvice Security Services <> -----

    From: "Edvice Security Services" <>
    To: <>
    Subject: [bugtraq] Various Vulnerabilities in ZoneAlarm MailSafe
    Date: Tue, 2 Apr 2002 10:33:13 +0200
    X-Mailer: Microsoft Outlook, Build 10.0.2627

    Tuesday April 2, 2002

    Various Vulnerabilities in ZoneAlarm MailSafe

    Edvice recently tested ZoneLabs ZoneAlarm Pro ability to detect and
    quarantine incoming e-mail attachments that may contain malicious code
    or viruses. This functionality is provided by ZoneAlarm's MailSafe

    The Findings

    We encountered several vulnerabilities in ZoneAlarm 3.0 MailSafe. The
    vulnerabilities allow bypassing ZoneAlarm's e-mail protection.
    Most of the vulnerabilities we encountered are known Email Filters
    attack techniques and there is no point in explaining them again.
    However, there is one issue worth mentioning:
    It is possible to bypass ZoneAlarm Email Protection by appending a dot
    to the file name extension (e.g. malicious.exe becomes malicious.exe.).
    The dot changes the file name extension and MailSafe fails to compare it
    with known dangerous extensions. The MS-Windows operating system on the
    other hand disregards a dot at the end of a file name. When Windows is
    given a file name ending with a dot, it will automatically remove the
    dot from the file name extension. When Outlook or Outlook Express
    receives a file name that ends with a dot, it will present the dot, but
    will launch the appropriate application when the file is double-clicked,
    as if the dot does not exist.

    Vendor Status

    ZoneLabs was first contacted on January 26, 2002.
    A fix (v3.0.118) for most of the vulnerabilities we encountered,
    including the one mentioned above, is available through ZoneAlarm's
    Check for Update feature as from yesterday. ZoneLabs is still working on
    one of the vulnerabilities and a fix is expected soon.

    ----- End forwarded message -----

    Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    
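
The before/after rules from the message above, checked against attachment names, as an added example that is not part of the original post or of the Sanitizer code. It assumes Python's `re` behaves like the Perl regular expressions used in the configuration for this pattern; the message and the attachment names are constructed test data.

```python
import re
from email.message import EmailMessage

# The message's two-line file_list_1 setting joined into one pattern.
BEFORE = (r"(?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))"
          r"|(ants3set|wtc|readme|sslpatch)\.exe)$")
# The same pattern with the \.? the message adds before the final $.
AFTER = BEFORE[:-1] + r"\.?$"

# Constructed attachment names: plain and dot-suffixed forms of the same files.
SAMPLE_NAMES = ["invoice.doc.exe", "invoice.doc.exe.", "readme.exe",
                "readme.exe.", "notes.txt", "photo.jpg."]


def build_sample(names):
    """Build a constructed test message with one tiny attachment per name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    for name in names:
        msg.add_attachment(b"x", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


def flagged(msg, pattern):
    """Return the attachment filenames that the filter pattern matches."""
    rx = re.compile(pattern)
    return [part.get_filename() for part in msg.iter_attachments()
            if rx.search(part.get_filename() or "")]


if __name__ == "__main__":
    sample = build_sample(SAMPLE_NAMES)
    for label, pattern in (("before", BEFORE), ("after", AFTER)):
        print(label, flagged(sample, pattern))
```

The harmless names (`notes.txt`, `photo.jpg.`) are in the sample to confirm that the added `\.?` does not widen the rule beyond the listed extensions.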
