Filetype/MailScanner bug

Rose, Bobby brose at med.wayne.edu
Tue Mar 21 13:33:50 GMT 2006


But you miss my point.  A lot of the filetypes that file and magic detect
are based on the same methodology, and even though the odds could be
against it, if it happens with the word "free" being in the fourth byte
position, the same could occur with anything in the magic file when a
text file is passed thru it.

Plus the magic file is based on the work and discovery of the internet
community over many years.  If there was a better signature, I'm sure
someone would have added it to the file.  The page at
http://www.garykessler.net/library/file_sigs.html, which is dated
12/20/2005, says in its last comment line that "free" is the most common
signature of a QuickTime file.

Maybe a better question should be whether the txt file that tnef extracts
to msg-*.txt should even be passed thru file to avoid a misdiagnosis.
That reduces the chances while maintaining the greater level of intended
security wanted by the admin.

-=B


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Glenn Steen
Sent: Tuesday, March 21, 2006 6:24 AM
To: MailScanner discussion
Subject: Re: Filetype/MailScanner bug

On 21/03/06, Rose, Bobby <brose at med.wayne.edu> wrote:
> Since the "Use TNEF Contents" function in the latest version, I've 
> come across a pseudo bug.  It's really not a bug since both file and 
> MailScanner are doing exactly what they're supposed to.
>
> If "Use TNEF Contents" is yes and a plain text message or rtf
> formatted message is processed, there is a potential for file to
> misinterpret a text message as an incorrect filetype because of a string
> of text being in the correct byte position that magic is expecting for
> a particular filetype.
>
> It was stumbled upon by one of our researchers who received a "No
> QuickTime movies allowed (msg-19905-304.txt)" warning from the mail
> server.
> After investigation it turned out that the word "free" was in the 4th
> byte position which is also a magic signature for quicktime.  I've
> been able to duplicate it by sending a plain-text and an rtf formatted
> message with
> "RE: freezer emergency" as the first line in the message body.
>
> Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
> without compromising security?  \.txt$ is allowed in my filenames rule
> file so that currently can't be used to offset.
>
> -=Bobby

Best "solution" (aside from not trusting file with this at all) is to
make file better.... I'm sure you can improve on the simplistic "free in
the fourth position" check.
Or just remove that line from your magic file.

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
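The two mitigations discussed in this thread, skipping the magic lookup for files that are plainly text (Bobby's suggestion) and tightening the "free at offset 4" rule (Glenn's suggestion), as an added illustration that is not code from MailScanner, file(1) or anyone on the list. The stricter rule assumes the QuickTime/ISO container layout, where every top-level atom begins with a 4-byte big-endian size followed by its 4-byte type; the sample message and the minimal atom header below are constructed for the demo.

```python
import string

# Constructed sample: a plain-text mail body whose first line is the one from the
# report. Bytes 4..7 of "RE: freezer emergency" are "free".
TEXT_MESSAGE = b"RE: freezer emergency\r\n\r\nThe lab freezer alarm went off again.\r\n"

# Constructed sample: an 8-byte 'free' atom followed by a 16-byte 'moov' atom.
# Structurally valid container header, not a playable movie.
QUICKTIME_LIKE = (
    (8).to_bytes(4, "big") + b"free"
    + (16).to_bytes(4, "big") + b"moov" + b"\x00" * 8
)

# Top-level atom types commonly seen first in QuickTime files (assumed list,
# not taken from the thread or from any magic file).
QUICKTIME_ATOMS = {b"free", b"skip", b"wide", b"moov", b"mdat", b"ftyp", b"pnot"}


def naive_quicktime_match(data: bytes) -> bool:
    """The simplistic rule the thread complains about: 'free' at offset 4."""
    return data[4:8] == b"free"


def structured_quicktime_match(data: bytes) -> bool:
    """Stricter rule: the atom type at offset 4 must be a known type AND the
    4-byte big-endian size at offset 0 must be consistent with the file.
    Size 0 means 'atom runs to end of file'; size 1 means a 64-bit size
    follows the type. Assumption: QuickTime atom layout, not from the page."""
    if len(data) < 8 or data[4:8] not in QUICKTIME_ATOMS:
        return False
    size = int.from_bytes(data[:4], "big")
    if size == 0:
        return True
    if size == 1:
        if len(data) < 16:
            return False
        size = int.from_bytes(data[8:16], "big")
        return 16 <= size <= len(data)
    return 8 <= size <= len(data)


_PRINTABLE = set(bytes(string.printable, "ascii"))


def looks_like_text(data: bytes, sample: int = 512) -> bool:
    """True if the first `sample` bytes are all printable ASCII (incl. CR/LF/TAB)."""
    head = data[:sample]
    return bool(head) and all(b in _PRINTABLE for b in head)


def classify(data: bytes) -> str:
    """Gate magic matching behind a text check, then apply the structural rule."""
    if looks_like_text(data):
        return "text"
    if structured_quicktime_match(data):
        return "quicktime"
    return "unknown"


if __name__ == "__main__":
    for name, blob in (("mail body", TEXT_MESSAGE), ("atom header", QUICKTIME_LIKE)):
        print(f"{name:12s} naive={naive_quicktime_match(blob)!s:5s} "
              f"structured={structured_quicktime_match(blob)!s:5s} "
              f"classify={classify(blob)}")
```

On the constructed mail body the naive rule fires (the same false positive the researcher hit), while the structural rule rejects it because "RE: " read as a big-endian size is far larger than the file; the text gate alone would already have kept the message away from the magic lookup.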