CIRCL / Circlean

USB key cleaner
https://www.circl.lu/projects/CIRCLean/
BSD 3-Clause "New" or "Revised" License
447 stars 70 forks

file extension checks needed for polyglot files #9

Closed thejh closed 9 years ago

thejh commented 9 years ago

Circlean bypass for zipfiles:

dd if=img.png bs=8 count=1 of=stealth.zip
cat a.zip>>stealth.zip

Works for PDF, too:

dd if=img.png bs=8 count=1 of=stealth.pdf
echo>>stealth.pdf
cat<out.pdf>>stealth.pdf

You might want to start whitelisting file extensions and checking that file extension and detected MIME type match.

Rafiot commented 9 years ago

Good point, thanks for the hint.

I will look for a somehow generic way to match the mimetypes with the extensions. We will have a problem with some specific types that have many different extensions for the same mime type.

Rafiot commented 9 years ago

I will implement the fix with the information provided here: https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
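The check suggested in this thread (allowlist extensions, then require the extension and the detected type to agree), as an added Python example that is not part of any comment here and is not PyCIRCLean's code. The `ALLOWED` table, the function names and the sample data are assumptions made for illustration; the second pass, which looks for ZIP and PDF markers away from offset 0, goes beyond the extension match the thread asks for.

```python
import io
import os
import zipfile

# Assumed allowlist: extension -> expected MIME type. Several extensions may
# share one type (.jpg/.jpeg), the case a table like mime.types has to cover.
ALLOWED = {".png": "image/png", ".pdf": "application/pdf", ".zip": "application/zip",
           ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}

# Leading-byte signatures, the evidence a magic-based detector reports on.
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"%PDF-", "application/pdf"),
         (b"PK\x03\x04", "application/zip"), (b"\xff\xd8\xff", "image/jpeg")]

def sniff(data):
    """MIME type suggested by the first bytes only."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return "application/octet-stream"

def embedded_types(data):
    """Types whose readers tolerate leading junk, found away from offset 0."""
    found = set()
    # ZIP readers locate the end-of-central-directory record near the file end.
    if data.rfind(b"PK\x05\x06", max(0, len(data) - 65557)) != -1:
        found.add("application/zip")
    # Lenient PDF readers accept the header anywhere in the first 1024 bytes.
    if b"%PDF-" in data[:1024]:
        found.add("application/pdf")
    return found

def check(filename, data):
    """Return the list of reasons to reject the file; empty means accepted."""
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff(data)
    reasons = []
    if ext not in ALLOWED:
        reasons.append("extension %r not allowlisted" % ext)
    elif ALLOWED[ext] != detected:
        reasons.append("extension expects %s, content starts as %s" % (ALLOWED[ext], detected))
    for extra in sorted(embedded_types(data) - {detected}):
        reasons.append("also parses as %s" % extra)
    return reasons

def sample_zip():
    """Constructed sample: a one-member ZIP built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a.txt", "hello")
    return buf.getvalue()
```

Calling `check("stealth.zip", b"\x89PNG\r\n\x1a\n" + sample_zip())` reproduces the file built by the `dd`/`cat` commands above and returns two rejection reasons, while the unmodified ZIP is accepted.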

adulau commented 9 years ago

The new version of the code PyCIRCLean (standalone Python code) fixed this security bug:

https://github.com/CIRCL/PyCIRCLean/commit/ac372dc59dd76f2be6200573813041f39ba2a30a

So this code will limit the issue of the polyglot files. Tests and feedback more than welcome.

Rafiot commented 9 years ago

This bug is now completely fixed by this commit: https://github.com/CIRCL/PyCIRCLean/commit/420e87cbba87f4a6eaa0d6abdff9ff731859461a

Rafiot commented 9 years ago

and this one that removed the buggy code: https://github.com/CIRCL/Circlean/commit/def6c2610934cd2fdefb6c46a4039d5f149eb648

Rafiot commented 9 years ago

24