Filetype/MailScanner bug

Glenn Steen glenn.steen at gmail.com
Tue Mar 21 16:49:16 GMT 2006


On 21/03/06, Rose, Bobby <brose at med.wayne.edu> wrote:
> But you miss my point.  A lot of filetypes that file and magic detect
> are based on the same methodology and even though the odds could be
> against it, if it happens with the word "free" being in the fourth byte
> position, the same could occur with anything in the magic file when a
> text file is passed thru it.

I wouldn't call my standpoint missing the point exactly:-)
This is exactly why you should take a long hard think-session on
whether to use file/filetype checking at all.


> Plus the magic file is based off work and discovery of the internet
> community over many years.  If there was a better signature, I'm sure
> someone would have added it to the file.  At
> http://www.garykessler.net/library/file_sigs.html which is dated
> 12/20/2005 and the last comment line says "free" is the most common
> signature of a quicktime file.

Ah, yes... but the file command has a rather significant difference
when used as usually done, contra what it's like in MS... Namely a
human to interpret the results.... MS is a bit more ... literal.

> Maybe a better question should be whether the txt file that tnef extracts
> to msg-*.txt should even be passed thru file to avoid a misdiagnosis.
> That reduces the chances while maintaining a greater level of intended
> security wanted by the admin.
>
Perhaps, but if one wants filetype checks on all attachments, why
should these not be subject to the checks? One could easily envision
some crafty type exploiting such a "hole":-)...

>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Glenn
> Steen
> Sent: Tuesday, March 21, 2006 6:24 AM
> To: MailScanner discussion
> Subject: Re: Filetype/MailScanner bug
>
> On 21/03/06, Rose, Bobby <brose at med.wayne.edu> wrote:
> > Since the "Use TNEF Contents" function in the latest version, I've
> > come across a pseudo bug.  It's really not a bug since both file and
> > MailScanner are doing exactly what they're supposed to.
> >
> > If "Use TNEF Contents" is yes and a plain text message or rtf
> > formatted message is processed, there is a potential for file to
> > misinterpret a text message as an incorrect filetype because of a string
> > of text being in the correct byte position that magic is expecting for
> > a particular filetype.
> >
> > It was stumbled upon by one of our researchers who received a "No
> > QuickTime movies allowed (msg-19905-304.txt)" warning from mail
> > server.
> > After investigation it turned out that the word "free" was in the 4th
> > byte position which is also a magic signature for quicktime.  I've
> > been able to dupe by sending a plain-text and an rtf formatted message
> > with
> > "RE: freezer emergency" as the first line in the message body.
> >
> > Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
> > without compromising security?  \.txt$ is allowed in my filenames rule
> > file so that currently can't be used to offset.
> >
> > -=Bobby
>
> Best "solution" (aside from not trusting file with this at all) is to
> make file better.... I'm sure you can improve on the simplistic "free in
> the fourth position" check.
> Or just remove that line from your magic file.
>
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
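
The false positive discussed in this thread, and one stricter check, as an added example that is not part of the original post and is not MailScanner or file(1) code. It relies on the QuickTime atom layout (4-byte big-endian size, then 4-byte type); the function names, the atom list and both sample inputs are assumptions constructed for illustration.

```python
import struct

# Top-level atom types accepted by this example (assumed list, not exhaustive).
KNOWN_ATOMS = {b"free", b"skip", b"wide", b"moov", b"mdat", b"ftyp", b"pnot"}

def naive_is_quicktime(data: bytes) -> bool:
    """The check from the thread: the string 'free' at byte offset 4."""
    return data[4:8] == b"free"

def strict_is_quicktime(data: bytes) -> bool:
    """Walk the whole atom chain; every size field must be consistent."""
    offset, atoms = 0, 0
    while offset + 8 <= len(data):
        size, kind = struct.unpack_from(">I4s", data, offset)
        if kind not in KNOWN_ATOMS:
            return False
        if size == 0:                      # atom runs to end of file
            return True
        if size == 1:                      # 64-bit extended size follows the type
            if offset + 16 > len(data):
                return False
            (size,) = struct.unpack_from(">Q", data, offset + 8)
            if size < 16:
                return False
        elif size < 8:                     # smaller than its own header
            return False
        if offset + size > len(data):      # atom claims more bytes than exist
            return False
        offset += size
        atoms += 1
    # Must have consumed the file exactly, with at least one atom.
    return atoms >= 1 and offset == len(data)

# Constructed sample: text body as extracted to msg-*.txt ("free" lands at offset 4).
TEXT_MSG = b"RE: freezer emergency\r\n\r\nThe freezer failed overnight.\r\n"

# Constructed sample: minimal well-formed atom chain (free, mdat with 4 bytes, moov).
QT_SAMPLE = (struct.pack(">I4s", 8, b"free")
             + struct.pack(">I4s", 12, b"mdat") + b"\x00" * 4
             + struct.pack(">I4s", 8, b"moov"))

if __name__ == "__main__":
    for name, blob in (("text", TEXT_MSG), ("quicktime", QT_SAMPLE)):
        print(name, naive_is_quicktime(blob), strict_is_quicktime(blob))
```

For the text sample the first four bytes "RE: " decode to an atom size of 0x52453A20, far larger than the message, so the stricter walk rejects it while the offset-4 match alone accepts it.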

