Discussion:
Encrypted rar
Grooz, Marc (regio iT)
2018-11-08 09:07:28 UTC
Hi,

I have a case where an encrypted rar archive isn't blocked by amavis because the file list is also encrypted.

For example:

(!)Decoding of p003 (RAR archive data, v6f,) failed, leaving it unpacked: do_unrar: can't get a list of archive members: exit 11; 0 files
p.path ***@example.org: "P=p004,L=1,M=multipart/mixed | P=p003,L=1/2,M=application/x-rar-compressed,T=rar,N=twain_32_verschluesselt.rar", matching_key="(?^:^\\.(zip|rar|arc|arj|zoo|7z)$)"
p003 1/2 Content-Type: application/x-rar-compressed, base64, size: 30206, SHA1 digest: 7a818f8ab8d5b1a97a3594367585b7f983b6db68, name: twain_32_verschluesselt.rar

Blocking rar archives where the filelist isn’t encrypted is no problem.

How could amavis block such archives without blocking all rar types?

Regards Marc

p.p. Marc Grooz
Team Lead Internet & Web / Deputy Head of Operation-Center
---------------------------------------------------------------------------------
regio iT
gesellschaft für informationstechnologie mbh
Lombardenstraße 24, 52070 Aachen
tel +49 241 41359-9638
fax +49 241 413540-9638
***@regioit.de
www.regioit.de

Chairman of the Supervisory Board: Axel Hartmann
Management: Dieter Rehfeld (Chair), Dieter Ludwigs
Registered office: Aachen
Branch office: Gütersloh
Commercial register number: HRB 552, Aachen District Court
Grooz, Marc (regio iT)
2018-11-08 11:21:36 UTC
Hi,

we found that this could be a solution?

diff -U5 /usr/sbin/amavisd-new.bak /usr/sbin/amavisd-new

--- /usr/sbin/amavisd-new.bak 2018-11-08 11:58:36.300181125 +0100
+++ /usr/sbin/amavisd-new 2018-11-08 11:50:58.262021510 +0100

@@ -31605,10 +31605,15 @@

} elsif (proc_status_ok($rv,$err, 3)) { # CRC_ERROR
# NOTE: password protected files in the archive cause CRC_ERROR
do_log(4,"do_unrar: CRC_ERROR - undecipherable, %s",
exit_status_str($rv,$err));
$part->attributes_add('U');
+ } elsif (proc_status_ok($rv,$err, 11)) { # ENCRYPT_ERROR
+ do_log(4,"do_unrar: maybe PROTECTED ARCHIVE - undecipherable, %s",
+ exit_status_str($rv,$err));
+ $part->attributes_add('U');
} elsif (proc_status_ok($rv,$err, 1) && @list && $bytes > 0) {
# WARNING, probably still ok
do_log(4,"do_unrar: warning, %s", exit_status_str($rv,$err));
} elsif (!proc_status_ok($rv,$err)) {
die("can't get a list of archive members: " .
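Review bot: The new `elsif (proc_status_ok($rv,$err, 11))` branch carries no explanatory note, and its `# ENCRYPT_ERROR` comment and the "maybe PROTECTED ARCHIVE" log text disagree on how certain the diagnosis is. Add a NOTE like the one in the CRC_ERROR branch saying that exit status 11 is what appears when the member list itself cannot be read (the case logged as "exit 11; 0 files"), and word the log message to match. The body repeats the CRC_ERROR branch line for line apart from the message, so the two could share one branch that accepts status 3 or 11 and logs the status string. The diff is also taken against the installed /usr/sbin/amavisd-new, so a package update will drop the change unless it is carried as a patch.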



Thomas Jarosch
2018-11-09 10:57:45 UTC
Hi Marc,
Post by Grooz, Marc (regio iT)
we found that this could be a solution?
diff -U5 /usr/sbin/amavisd-new.bak /usr/sbin/amavisd-new
--- /usr/sbin/amavisd-new.bak 2018-11-08 11:58:36.300181125 +0100
+++ /usr/sbin/amavisd-new 2018-11-08 11:50:58.262021510 +0100
@@ -31605,10 +31605,15 @@
} elsif (proc_status_ok($rv,$err, 3)) { # CRC_ERROR
# NOTE: password protected files in the archive cause CRC_ERROR
do_log(4,"do_unrar: CRC_ERROR - undecipherable, %s",
exit_status_str($rv,$err));
$part->attributes_add('U');
+ } elsif (proc_status_ok($rv,$err, 11)) { # ENCRYPT_ERROR
+ do_log(4,"do_unrar: maybe PROTECTED ARCHIVE - undecipherable, %s",
+ exit_status_str($rv,$err));
+ $part->attributes_add('U');
# WARNING, probably still ok
do_log(4,"do_unrar: warning, %s", exit_status_str($rv,$err));
} elsif (!proc_status_ok($rv,$err)) {
die("can't get a list of archive members: " .
Intra2net sent some unrar patches upstream here:
https://gitlab.com/amavis/amavis/merge_requests/3

Specifically you need this change to detect encrypted rar archives:
https://gitlab.com/phgsng/amavis/commit/c42b345aeb44353896b41cf7fd495f61d19702c3

Or the whole branch as patch:
https://gitlab.com/amavis/amavis/merge_requests/3.diff

HTH,
Thomas
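
The case in this thread, a RAR archive whose file list is encrypted, can be recognised from the first header without running unrar. As an added example (not amavis code and not the upstream patch), this Python sketch reads the RAR4 main-header flag 0x0080 and looks for the RAR5 encryption header (type 4); the function and constant names are made up here, the sample bytes are constructed, and header CRCs are not verified.

```python
import struct

RAR_MAGIC = b"Rar!\x1a\x07"      # common prefix of the RAR4 and RAR5 signatures
RAR4_MAIN_HEAD = 0x73            # RAR4 main archive header type
RAR4_MHD_PASSWORD = 0x0080       # RAR4 flag: block headers (file list) encrypted
RAR5_HEAD_MAIN, RAR5_HEAD_CRYPT = 1, 4   # RAR5 header types

def read_vint(buf, pos):
    """Decode a RAR5 variable-length integer, returning (value, next_pos)."""
    value = shift = 0
    while pos < len(buf) and shift < 64:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated or oversized vint")

def rar_header_state(data):
    """Classify raw bytes: 'encrypted-headers', 'plain-headers', 'malformed', 'not-rar'."""
    start = data.find(RAR_MAGIC)             # tolerate an SFX stub before the signature
    if start < 0:
        return "not-rar"
    ver = data[start + 6:start + 8]
    try:
        if ver[:1] == b"\x00":               # RAR4: CRC16, type, flags, size
            _crc, htype, flags, _size = struct.unpack_from("<HBHH", data, start + 7)
            if htype != RAR4_MAIN_HEAD:
                return "malformed"
            return "encrypted-headers" if flags & RAR4_MHD_PASSWORD else "plain-headers"
        if ver == b"\x01\x00":               # RAR5: CRC32, vint size, vint type
            _size, pos = read_vint(data, start + 8 + 4)
            htype, _ = read_vint(data, pos)
            if htype == RAR5_HEAD_CRYPT:
                return "encrypted-headers"
            return "plain-headers" if htype == RAR5_HEAD_MAIN else "malformed"
    except (struct.error, ValueError):
        return "malformed"
    return "malformed"

# Constructed sample headers (CRC fields zeroed; this check does not verify them).
RAR4_PLAIN = RAR_MAGIC + b"\x00" + struct.pack("<HBHH", 0, 0x73, 0x0000, 13) + bytes(6)
RAR4_HIDDEN = RAR_MAGIC + b"\x00" + struct.pack("<HBHH", 0, 0x73, 0x0080, 13) + bytes(6)
RAR5_PLAIN = RAR_MAGIC + b"\x01\x00" + bytes(4) + b"\x03\x01\x00\x00"
RAR5_HIDDEN = RAR_MAGIC + b"\x01\x00" + bytes(4) + b"\x21\x04\x00\x00" + bytes(30)

if __name__ == "__main__":
    for name in ("RAR4_PLAIN", "RAR4_HIDDEN", "RAR5_PLAIN", "RAR5_HIDDEN"):
        print(name, rar_header_state(globals()[name]))
```

An archive that encrypts only file contents keeps a readable file list and is reported as `plain-headers`; that is the case the first post says is already blocked.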
Grooz, Marc (regio iT)
2018-11-12 08:42:44 UTC
Hi Thomas,

thanks, I didn't know that the git repo is already online.

You know that the same problem exists with 7z? Does anybody know when these patches will be available in an official patch?

Regards Marc

Thomas Jarosch
2018-11-12 08:58:59 UTC
Hi Marc,
Post by Grooz, Marc (regio iT)
thanks, I didn't know that the git repo is already online.
You know that the same problem exists with 7z? Does anybody know when these
patches will be available in an official patch?
now that you mention it, we also have local patches for 7z.

I've sent two patches for this earlier to the mailing list in 2016.
Subject line was

"[2.11.0rc1 PATCH] do_7zip: Handle completely encrypted archives"

and

"[2.11.0 PATCH] do_7zip: Treat .zip archives with broken headers as UNDECIPHERABLE"


I'm unsure if they ever made it into the release. Theoretically
they should have been in 2.11.1, but I wouldn't count on it.


Once the new development process is getting steam, I'll make sure
to upstream our local improvements :)

Cheers,
Thomas
