sbidy/MacroMilter

What about zip files?

Closed this issue · 10 comments

I installed the milter yesterday on my Ubuntu server. It seems to work, but only on files that are not inside a zip file. Is there a reason why you left this out?
Most of the "locky"-like emails contain their crappy files inside a zip container.

sbidy commented

I tested it with different macro types and files - also .zip:

Mar 22 22:21:22 sendemail[14344]: Setting content-type: text/plain
Mar 22 22:21:22 sendemail[14344]: DEBUG => Sending the attachment [**ebill0200442.zip**]
Mar 22 22:21:39 incela sendemail[14344]: ERROR => Received:     550 5.7.1 **ERROR = Attachment contains unallowed office macros!**

The oletools api can handle only un-encrypted zip files in this implementation.

Please check the "run.log" file for errors, or stop the service and start macromilter.py manually (python /etc/macomilter/macromilter.py) and provide me the log or stdout output.
Please also check the oletools version --> https://bitbucket.org/decalage/oletools/wiki/olevba
My tested version is 0.42.

Thanks for your help!!

I am using oletools 0.44.

I tested it with the attached doc file (came in as spam email). The doc is detected.
24.03.16 23:13:56 [4273] - Find Attachment with extension - File content type: application/msword - File name: rechnung_-postmaster 789.doc
24.03.16 23:13:56 [4273] - Attachment b949b42c7dab6883551f38de52428a08 already parsed ! REJECT

I zipped the doc and tried again and the zip file is perfectly ignored by the milter with these log entries:
24.03.16 23:09:28 [4269] - Find Attachment with extension - File content type: application/zip - File name: rechnung_-postmaster 789.doc.zip
24.03.16 23:09:28 [4269] - VBA no Macros found in file
24.03.16 23:09:28 [4269] - VBA parsing exit

rechnung_-postmaster 789.doc.zip
rechnung_-postmaster 789 doc - due to upload restrictions, I had to add the png extension to the doc file.

I checked the documentation of olevba and I am not quite sure if olevba can handle ordinary zip files. The documentation always mentions zip file support together with zip containers for Office files (docx, etc.).

Just checked the source of olevba.py and found this text:

def detect_vba_macros(self):
    """
    Detect the potential presence of VBA macros in the file, by checking
    if it contains VBA projects. Both OLE and OpenXML files are supported

So maybe the way to handle document files inside a zip will be to check if the attachment is a zip file and if so, iterate through all files inside the zip and push each to the vba parser.

sbidy commented

Yes you are right. The zip is not detected. I'll check this and maybe provide a fix or talk to Philippe.

sbidy commented

Ok, now I know why the zip file is not recognized by the milter!
An OLE Office file (legacy 97-2003 formats) in a zip is technically like a docm or xlsm (with vbaProject.bin inside). But if it's a zip with a docm, xml or mht inside, it won't work. It's better to unzip each file in memory, then scan them.

In the next few days I will add a built-in in-memory unzip function to handle these files correctly.

Thank you for the report and tests!

Great! Really looking forward to this.
Things to consider might be a file size limit to secure system performance, and zips inside zip files.

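The in-memory unzip-and-scan approach sbidy describes above, combined with the size limit and nested-zip concerns raised in this reply, as an added example (not MacroMilter's or oletools' own code): the limits, the `has_macros` callback and the `olevba_has_macros` wiring are assumptions.

```python
import io, zipfile

MAX_DEPTH = 3                        # constructed limits (assumptions, not MacroMilter settings):
MAX_MEMBERS = 200                    # nesting depth, member count across all levels, and
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # uncompressed bytes across all levels (zip-bomb guard)

class ZipLimitExceeded(Exception):
    pass   # attachment is encrypted, nested too deep, or exceeds the size/member budget
def is_openxml(payload):   # docx/docm/xlsm are zips too: scan them whole, do not descend
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return "[Content_Types].xml" in zf.namelist()

def iter_zip_members(data, depth=0, budget=None):
    """Yield (name, bytes) for every scannable member, recursing into plain nested zips in memory."""
    budget = [0, 0] if budget is None else budget     # [bytes, members], shared across levels
    if depth > MAX_DEPTH:
        raise ZipLimitExceeded("zip nested deeper than %d levels" % MAX_DEPTH)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:                  # general-purpose bit 0: member is encrypted
                raise ZipLimitExceeded("encrypted member %s cannot be scanned" % info.filename)
            budget[0] += info.file_size               # declared uncompressed size, checked before reading
            budget[1] += 1
            if budget[0] > MAX_TOTAL_BYTES or budget[1] > MAX_MEMBERS:
                raise ZipLimitExceeded("size/member budget exceeded at %s" % info.filename)
            payload = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(payload)) and not is_openxml(payload):
                yield from iter_zip_members(payload, depth + 1, budget)
            else:
                yield info.filename, payload

def scan_zip_attachment(data, has_macros):   # names of members the scanner callback flags
    return [name for name, payload in iter_zip_members(data) if has_macros(payload)]

def olevba_has_macros(payload):
    """Assumed glue to oletools' VBA_Parser; hypothetical wiring, not run by the test."""
    from oletools.olevba import VBA_Parser, FileOpenError
    try:
        return VBA_Parser("attachment", data=payload).detect_vba_macros()
    except FileOpenError:                             # not an OLE/OpenXML file, e.g. a .txt member
        return False
def build_sample(levels, member_name, payload):   # constructed sample: payload inside `levels` zips
    data, name = payload, member_name
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), "inner.zip"
    return data
```

Encrypted members are rejected rather than silently skipped, since (as noted earlier in the thread) only unencrypted zips can be scanned, and a milter that skips them would pass exactly the attachments it cannot inspect.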

sbidy commented

I added a "normal" zip extraction function to the milter.
The recursive and "rar" support is still outstanding, and I hope to add it in the next few days.

I leave this issue open.

Thank you very much. I will give it a try tomorrow!


It is working!! Thank you

sbidy commented

Rar and recursive support is coming soon 😃 (in V3).