annotate common/spamassassin-vba-macro-master/ole2macro.pm @ 142:dae1088dd218 puppet-3.6

Add OLE detection to SpamAssassin without ClamAV
Note: currently subject to https://github.com/JonathanThorpe/spamassassin-vba-macro/issues/15
author IBBoard <dev@ibboard.co.uk>
date Thu, 09 Feb 2017 20:54:30 +0000
parents
children 808462de684a
```perl
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>

=head1 NAME

OLE2Macro - Look for Macro Embedded Microsoft Word and Excel Documents

=head1 SYNOPSIS

  loadplugin ole2macro.pm
  body MICROSOFT_OLE2MACRO eval:check_microsoft_ole2macro()
  score MICROSOFT_OLE2MACRO 4

=head1 DESCRIPTION

Detects embedded OLE2 Macros embedded in Word and Excel Documents. Based on:
https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/

10/12/2015 - Jonathan Thorpe - jthorpe@conexim.com.au

=cut

package OLE2Macro;

use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use Mail::SpamAssassin::Util;
use IO::Uncompress::Unzip;
use IO::Scalar;

use strict;
use warnings;
use bytes;
use re 'taint';

use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);

# File types and markers
my $match_types = qr/(?:xls|xlt|pot|ppt|pps|doc|dot)$/;

# Microsoft OOXML-based formats with Macros
my $match_types_xml = qr/(?:xlsm|xltm|xlsb|potm|pptm|ppsm|docm|dotm)$/;

# Markers in the order in which they should be found:
# the OLE2 compound-file magic, then "\0Attribut\0" from the VBA stream.
my @markers = ("\xd0\xcf\x11\xe0", "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00");

# limiting the number of files within archive to process
my $archived_files_process_limit = 3;
# limiting the amount of bytes read from a file
my $file_max_read_size = 102400;
# limiting the amount of bytes read from an archive
my $archive_max_read_size = 1024000;

# limiting the amount of bytes read from a file to determine MIME type
my $mime_max_read_size = 8;

# File::MimeInfo::Magic is optional; without it ZIP detection falls back
# to the attachment name.
my $has_mimeinfo = 0;
eval('use File::MimeInfo::Magic');
if (!$@) {
  $has_mimeinfo = 1;
}

# constructor: register the eval rule
sub new {
  my $class = shift;
  my $mailsaobject = shift;

  # some boilerplate...
  $class = ref($class) || $class;
  my $self = $class->SUPER::new($mailsaobject);
  bless ($self, $class);

  $self->register_eval_rule("check_microsoft_ole2macro");

  return $self;
}

# Eval rule entry point; the result is cached per message on $pms.
sub check_microsoft_ole2macro {
  my ($self, $pms) = @_;

  _check_attachments(@_) unless exists $pms->{nomacro_microsoft_ole2macro};
  return $pms->{nomacro_microsoft_ole2macro};
}

# True only when every marker is present in $data.
sub _match_markers {
  my ($data) = @_;

  my $matched = 0;
  foreach (@markers) {
    if (index($data, $_) > -1) {
      $matched++;
    } else {
      last;
    }
  }

  return $matched == @markers;
}

# Decide whether a MIME part is a ZIP archive.
sub _is_zip {
  my ($name, $part) = @_;

  if ($has_mimeinfo) {
    my $contents_scalar = new IO::Scalar \$part->decode($mime_max_read_size);
    my $mime_type = File::MimeInfo::Magic::magic($contents_scalar);
    # magic() returns undef when no signature matches
    return (defined $mime_type && $mime_type eq "application/zip");
  } else {
    return ($name =~ /(?:zip)$/);
  }
}

# Walk every MIME part and set $pms->{nomacro_microsoft_ole2macro}.
sub _check_attachments {
  my ($self, $pms) = @_;

  my $processed_files_counter = 0;
  $pms->{nomacro_microsoft_ole2macro} = 0;

  foreach my $p ($pms->{msg}->find_parts(qr/./, 1)) {
    my ($ctype, $boundary, $charset, $name) =
      Mail::SpamAssassin::Util::parse_content_type($p->get_header('content-type'));

    $name = lc($name || '');

    # Legacy binary Office attachment: scan the first bytes for the markers.
    if ($name =~ $match_types) {
      my $contents = $p->decode($file_max_read_size);
      if (_match_markers($contents)) {
        $pms->{nomacro_microsoft_ole2macro} = 1;
        last;
      }
    }

    if (_is_zip($name, $p)) {
      my $contents = $p->decode($archive_max_read_size);
      my $z = new IO::Uncompress::Unzip \$contents;

      my $status;
      my $buff;
      my $zip_fn;

      if (defined $z) {
        for ($status = 1; $status > 0; $status = $z->nextStream()) {
          $zip_fn = lc $z->getHeaderInfo()->{Name};

          # Parse these first as they don't need handling of the contents.
          if ($zip_fn =~ $match_types_xml) {
            $pms->{nomacro_microsoft_ole2macro} = 1;
            last;
          } elsif ($zip_fn =~ $match_types or $zip_fn eq "[content_types].xml") {
            $processed_files_counter += 1;
            if ($processed_files_counter > $archived_files_process_limit) {
              dbg( "Stopping processing archive on file ".$z->getHeaderInfo()->{Name}.": processed files count limit reached\n" );
              last;
            }
            my $attachment_data = "";
            my $read_size = 0;
            while (($status = $z->read( $buff )) > 0) {
              $attachment_data .= $buff;
              $read_size += length( $buff );
              if ($read_size > $file_max_read_size) {
                dbg( "Stopping processing file ".$z->getHeaderInfo()->{Name}." in archive: processed file size overlimit\n" );
                last;
              }
            }

            # OOXML format
            if ($zip_fn eq "[content_types].xml") {
              if ($attachment_data =~ /ContentType=["']application\/vnd.ms-office.vbaProject["']/i) {
                $pms->{nomacro_microsoft_ole2macro} = 1;
                last;
              }
            } else {
              if (_match_markers( $attachment_data )) {
                $pms->{nomacro_microsoft_ole2macro} = 1;
                last;
              }
            }
          }
        }
      } else {
        dbg( "Unable to open ZIP file\n" );
      }
    } elsif ($name =~ $match_types_xml) {
      # Macro-enabled OOXML extension on the attachment itself.
      $pms->{nomacro_microsoft_ole2macro} = 1;
      last;
    }
  }
}

1;
```
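The same heuristics applied offline to a stored message, as an added Python example that is not part of ole2macro.pm or its project. The function names, the ZIP detection by `PK` magic, the use of the attachment filename and the constructed sample message are assumptions; unlike the plugin, it reports every flagged attachment instead of stopping at the first.

```python
# Offline triage port of the ole2macro.pm heuristics (added example).
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Values copied from the plugin source above.
MARKERS = (b"\xd0\xcf\x11\xe0", b"\x00Attribut\x00")  # OLE2 magic, VBA marker
LEGACY_EXT = ("xls", "xlt", "pot", "ppt", "pps", "doc", "dot")
MACRO_EXT = ("xlsm", "xltm", "xlsb", "potm", "pptm", "ppsm", "docm", "dotm")
FILE_MAX_READ = 102400
ARCHIVE_FILE_LIMIT = 3
VBA_TYPE = re.compile(rb"ContentType=[\"']application/vnd\.ms-office\.vbaProject[\"']", re.I)

def has_markers(data: bytes) -> bool:
    """True when every marker occurs within the scanned window."""
    window = data[:FILE_MAX_READ]
    return all(m in window for m in MARKERS)

def scan_zip(data: bytes):
    """Return a reason string if the ZIP container looks macro-bearing, else None."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    processed = 0
    with zf:
        for info in zf.infolist():
            member = info.filename.lower()
            if member.endswith(MACRO_EXT):
                return f"archive member {info.filename} has a macro-enabled extension"
            is_types = member == "[content_types].xml"
            if not (is_types or member.endswith(LEGACY_EXT)):
                continue
            processed += 1
            if processed > ARCHIVE_FILE_LIMIT:
                break
            try:
                with zf.open(info) as fh:
                    body = fh.read(FILE_MAX_READ)  # bounded decompression
            except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                continue  # encrypted, unsupported or corrupt member
            if is_types and VBA_TYPE.search(body):
                return "[Content_Types].xml declares a vbaProject part"
            if not is_types and has_markers(body):
                return f"archive member {info.filename} has OLE2 and VBA markers"
    return None

def scan_message(raw: bytes):
    """Return [(filename, reason)] for every attachment the heuristics flag."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        reason = None
        if name.endswith(LEGACY_EXT) and has_markers(data):
            reason = "OLE2 and VBA markers present"
        elif data[:4] == b"PK\x03\x04":
            reason = scan_zip(data)
        elif name.endswith(MACRO_EXT):
            reason = "macro-enabled extension"
        if reason:
            findings.append((name, reason))
    return findings

def build_sample() -> bytes:
    """Constructed message with four attachments, two of which should be flagged."""
    def ooxml(part_type: str) -> bytes:
        types = f'<Types><Default Extension="bin" ContentType="{part_type}"/></Types>'
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", types)
        return buf.getvalue()
    msg = EmailMessage()
    msg.set_content("see attached")
    samples = {
        "invoice.doc": MARKERS[0] + b"\x00" * 64 + MARKERS[1],  # both markers
        "plain.doc": MARKERS[0] + b"\x00" * 64,                 # OLE2 magic only
        "report.docx": ooxml("application/vnd.ms-office.vbaProject"),
        "notes.docx": ooxml("application/xml"),
    }
    for fname, blob in samples.items():
        msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Call `scan_message()` on the raw bytes of a quarantined `.eml` to see which attachments the rule logic would have matched and why.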