malware went through because RAR file fails to unpack

Engels, Jan jan.engels at desy.de
Wed Mar 25 13:39:19 CET 2020


Hi again,

sorry for spamming :(

Since my problem is related to unpacking the RAR archive and I could not yet get the
"unar" tool to work with amavis I am in the meantime searching for other alternatives...

I've tried to update the unrar rpm (from 4.2 to 5.4) on our test system. This seemed
to work at first, since the RAR archive containing the malware was now properly unpacked
by amavis and the malware got recognized.

Unfortunately, now I see other problems with other (probably older?) RAR archives?

amavis[4060]: (04060-01) File-type of p002: RAR archive data, v1d, os: Unix; (rar) 
amavis[4060]: (04060-01) decompose_part: p001 - atomic 
amavis[4060]: (04060-01) Expanding RAR archive p002 
amavis[4060]: (04060-01) (!)do_unrar: can't parse info line for ""  -rwxr-xr-x        40        47 117%  2016-12-20 10:33  15EF6689  hello-word.py
amavis[4060]: (04060-01) Charging 47 bytes to remaining quota 521858 (out of 522000, (0%)) - by do_unrar-pre 
amavis[4060]: (04060-01) do_unrar: no archive members, or not an archive at all 
amavis[4060]: (04060-01) lookup [keep_decoded_original] => undef, "RAR archive data, v1d, os: Unix" does not match 
amavis[4060]: (04060-01) decompose_part: p002 - archive, unpacked


I found some threads which seem to include the same or at least similar problems:

https://groups.google.com/forum/#!topic/mailing.unix.amavis-user/aDZYqrdXLlI
https://de.postfix.org/pipermail/postfix-users/2014-June/004219.html (in German :P)

I've tested now using amavisd-new-2.11.1-1.el7.noarch and unrar-5.4.0-1.el7.x86_64.

Does anyone have any experience/recommendations regarding amavisd-new and RAR archives
under RH/CentOS?

I found this thread on including unar support in amavis:

https://bugzilla.redhat.com/show_bug.cgi?id=1517572

Unfortunately the last 3 comments do not seem to be very promising? :(


Cheers
Jan
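As an added example (not from this thread, and not amavis's own code), a small Python check for the two gaps the thread shows: sniffing from the signature bytes whether a RAR attachment is RAR4 or RAR5 (the UNRAR 4.20 quoted below cannot read RAR5), and flagging amavis log lines where an archive "failed, leaving it unpacked" or the unrar listing could not be parsed, so those messages can be alerted on instead of passing unnoticed. The sample log lines are constructed single-line versions of the ones quoted in the thread.

```python
import re
from typing import List, Optional, Tuple

# RAR signatures as defined by the RAR format: 1.5-4.x archives start with
# "Rar!\x1a\x07\x00", 5.x archives with "Rar!\x1a\x07\x01\x00".
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def rar_version(data: bytes) -> Optional[str]:
    """Return 'rar4', 'rar5' or None for the leading bytes of a file."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    return None


# amavis prefixes decoder trouble with "(!)". Both messages below mean the
# archive members were never handed to the scanners.
UNPACK_FAILURE = re.compile(
    r"\((?P<task>\d+-\d+)\) \(!\)"
    r"(?:Decoding of (?P<part>p\d+) .*?failed, leaving it unpacked"
    r"|do_unrar: can't parse info line)"
)


def unpack_failures(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (task id, part or '?', reason) for each line showing a failed unpack."""
    hits = []
    for line in log_lines:
        m = UNPACK_FAILURE.search(line)
        if m:
            reason = "decoder failed" if m.group("part") else "unrar listing unparsed"
            hits.append((m.group("task"), m.group("part") or "?", reason))
    return hits


# Constructed sample log lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = [
    "amavis[9351]: (09351-01) (!)Decoding of p002 (RAR archive data, v2d, flags: "
    "Commented, Solid, os: OS/2) failed, leaving it unpacked: do_unrar: can't get a "
    "list of archive members: exit 1; Unknown option -idcdp.",
    "amavis[4060]: (04060-01) (!)do_unrar: can't parse info line for \"\"  -rwxr-xr-x"
    "        40        47 117%  2016-12-20 10:33  15EF6689  hello-word.py",
    "amavis[4060]: (04060-01) decompose_part: p002 - archive, unpacked",
]

if __name__ == "__main__":
    print(rar_version(RAR5_MAGIC + b"\x00" * 8))  # constructed RAR5 header
    for task, part, reason in unpack_failures(SAMPLE_LOG):
        print(f"task {task} part {part}: {reason}")
```

Pointing `unpack_failures` at the live amavis log (or a log shipper rule built from the same regex) turns an unpacking failure into an alert rather than a silent pass-through.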


----- Original Message -----
| From: "Jan Engels" <jan.engels at desy.de>
| To: "Patrick Ben Koetter" <p at sys4.de>
| Cc: amavis-users at amavis.org
| Sent: Tuesday, March 24, 2020 1:42:23 PM
| Subject: Re: malware went through because RAR file fails to unpack

| Hi Patrick,
| 
| unfortunately it didn't work. The unrar on my CentOS7 system does not seem to be
| able to handle the newer RAR versions, i.e. extract the file containing the
| malware:
| 
| $ unrar x SWIFT\ MT103\ Copy.rar
| 
| UNRAR 4.20 freeware      Copyright (c) 1993-2012 Alexander Roshal
| 
| Unsupported archive format. Please update RAR to a newer version.
| SWIFT MT103 Copy.rar is not RAR archive
| No files to extract
| 
| 
| 
| I could however find another package which seems to be better for unpacking rar
| files and is available on CentOS7:
| 
| unar-1.10.1-1.el7.x86_64
| 
| Using this tool I could extract the RAR without problems:
| 
| $ unar SWIFT\ MT103\ Copy.rar
| SWIFT MT103 Copy.rar: RAR 5
|  SWIFT MT103 Copy.exe  (81920 B)... OK.
| Successfully extracted to "./SWIFT MT103 Copy.exe".
| 
| 
| Is it possible to include unar in the amavis.conf?
| 
| I could not get it to work by adjusting the corresponding section:
| 
|| @decoders = (
||  ['mail', \&do_mime_decode],
| ...
||  ['rar',  \&do_unrar, ['unar'] ],
| 
| This led to the following error:
| 
| amavis[9351]: (09351-01) (!)Decoding of p002 (RAR archive data, v2d, flags:
| Commented, Solid, os: OS/2) failed, leaving it unpacked: do_unrar: can't get a
| list of archive members: exit 1; Unknown option -idcdp.
| 
| 
| Does anyone know if or how this can be done? I could find the -idcdp options in
| the amavisd script:
| 
|  my(@common_rar_switches) = qw(-c- -p- -idcdp);  # -av-
| 
| can this variable somehow be switched off/overwritten in the amavis.conf file?
| 
| Cheers
| Jan
| 
| ----- Original Message -----
|| From: "Jan Engels" <jan.engels at desy.de>
|| To: "Patrick Ben Koetter" <p at sys4.de>
|| Cc: amavis-users at amavis.org
|| Sent: Monday, March 23, 2020 9:24:35 PM
|| Subject: Re: malware went through because RAR file fails to unpack
| 
|| Hi everyone,
|| 
|| thanks a lot for the quick reply. For now I'm just blocking rar archives from
|| external. My @decoders section currently looks as follows:
|| 
|| @decoders = (
||  ['mail', \&do_mime_decode],
|| # [[qw(asc uue hqx ync)], \&do_ascii],  # not safe
||  ['F',    \&do_uncompress, ['unfreeze', 'freeze -d', 'melt', 'fcat'] ],
||  ['Z',    \&do_uncompress, ['uncompress', 'gzip -d', 'zcat'] ],
||  ['gz',   \&do_uncompress, 'gzip -d'],
||  ['gz',   \&do_gunzip],
||  ['bz2',  \&do_uncompress, 'bzip2 -d'],
||  ['xz',   \&do_uncompress,
||           ['xzdec', 'xz -dc', 'unxz -c', 'xzcat'] ],
||  ['lzma', \&do_uncompress,
||           ['lzmadec', 'xz -dc --format=lzma',
||            'lzma -dc', 'unlzma -c', 'lzcat', 'lzmadec'] ],
||  ['lrz',  \&do_uncompress,
||           ['lrzip -q -k -d -o -', 'lrzcat -q -k'] ],
||  ['lzo',  \&do_uncompress, 'lzop -d'],
||  ['lz4',  \&do_uncompress, ['lz4c -d'] ],
||  ['rpm',  \&do_uncompress, ['rpm2cpio.pl', 'rpm2cpio'] ],
||  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
||           # ['/usr/local/heirloom/usr/5bin/pax', 'pax', 'gcpio', 'cpio']
||  ['deb',  \&do_ar, 'ar'],
|| # ['a',    \&do_ar, 'ar'],  # unpacking .a seems an overkill
||  ['rar',  \&do_unrar, ['unrar', 'rar'] ],
||  ['arj',  \&do_unarj, ['unarj', 'arj'] ],
||  ['arc',  \&do_arc,   ['nomarch', 'arc'] ],
||  ['zoo',  \&do_zoo,   ['zoo', 'unzoo'] ],
|| # ['doc',  \&do_ole,   'ripole'],  # no ripole package so far
||  ['cab',  \&do_cabextract, 'cabextract'],
|| # ['tnef', \&do_tnef_ext, 'tnef'],  # use internal do_tnef() instead
||  ['tnef', \&do_tnef],
|| # ['lha',  \&do_lha,   'lha'],  # not safe, use 7z instead
|| # ['sit',  \&do_unstuff, 'unstuff'],  # not safe
||  [['zip','kmz'], \&do_7zip,  ['7za', '7z'] ],
||  [['zip','kmz'], \&do_unzip],
||  ['7z',   \&do_7zip,  ['7zr', '7za', '7z'] ],
||  [[qw(gz bz2 Z tar)],
||           \&do_7zip,  ['7za', '7z'] ],
||  [[qw(xz lzma jar cpio arj rar swf lha iso cab deb rpm)],
||           \&do_7zip,  '7z' ],
||  ['exe',  \&do_executable, ['unrar','rar'], 'lha', ['unarj','arj'] ],
|| );
|| 
|| For me it seems that unrar is preferred over rar. Maybe it's the CentOS 7
|| version of unrar which causes problems? I currently have the following
|| installed:
|| 
|| unrar-4.2.4-1.el7.x86_64
|| 
|| I will anyway try to remove the 'rar' from the list as proposed by p at rick:
||  ['rar',  \&do_unrar, ['unrar'] ],
|| 
|| and just leave 'unrar' to check if it helps...
|| 
|| @p at trick: I currently also do not have:
|| 
|| \&Amavis::Unpackers::do_unrar
|| 
|| anywhere in my list. Is that for using some amavis perl 'unrar' library?
|| 
|| My current amavis version is:
|| 
|| amavisd-new-2.11.1-1.el7.noarch
|| 
|| Thanks a lot for your help!
|| 
|| Cheers
|| Jan
|| 
|| 
|| ----- Original Message -----
||| From: "Patrick Ben Koetter" <p at sys4.de>
||| To: amavis-users at amavis.org
||| Sent: Monday, March 23, 2020 8:42:53 PM
||| Subject: Re: malware went through because RAR file fails to unpack
|| 
||| * Benny Pedersen <me at junc.eu>:
|||> On 2020-03-23 18:01, Engels, Jan wrote:
|||> 
|||> > i.e. malware went through amavis because the RAR archive containing
|||> > the malware could not be unpacked:
|||> 
|||> does clamav detect this virus?
||| 
||| Recent clamav versions detect RARv5 archives and unpack them properly.
||| 
||| 
|||> 
|||> is amavisd unpacking it, or just not detecting it?
|||> 
|||> sorry not using amavisd here, but fuglu could have same problem
||| 
||| --
||| [*] sys4 AG
||| 
||| https://sys4.de, +49 (89) 30 90 46 64
||| Schleißheimer Straße 26/MG,80333 München
||| 
||| Registered office: München, Amtsgericht München: HRB 199263
||| Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
||| Chairman of the supervisory board: Florian Kirstein