search

CIRCL / Circlean

USB key cleaner
https://www.circl.lu/projects/CIRCLean/
BSD 3-Clause "New" or "Revised" License
451 stars 70 forks source link

Right-to-Left Override (RLO) character in filename #52

Open npapandreou opened 7 years ago

npapandreou commented 7 years ago

After reading the Why/What section of CIRClean, I didn't find out any information for protection against Right-to-Left Override character.

Is it removed as it is supposed, or not?

Rafiot commented 7 years ago

As far as I can tell, the extension will be properly discovered under linux/with python : 

$  ipython3
Python 3.5.2+ (default, Sep 22 2016, 12:18:14) 
Type "copyright", "credits" or "license" for more information.

IPython 2.4.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: import os, glob

In [2]: for b in glob.glob('./*'):
              print(os.path.splitext(b))
('./test\u202eexe', '.doc')

So if you have a executable you try to hide as a .doc (and you manage to bypass the mimetype check), the script will try to process the file as an office document, fail, and add DANGEROUS at the beginning and at the end.

And I just realized that if you plug the key on a windows box, the LRO character kicks in and you will very probably get your exe file back (I need to try under windows, but it would make sense)

Very good point, we need to sanitize all the files containing \u202 in their names.