Filetype/MailScanner bug

Glenn Steen glenn.steen at
Tue Mar 21 16:49:16 GMT 2006

On 21/03/06, Rose, Bobby <brose at> wrote:
> But you miss my point.  A lot of filetypes that file and magic detects
> is based on the same methodology and even though the odds could be
> against it, if it happens with the word "free" being in the fourth byte
> position, the same could occur with anything in the magic file when a
> text file is passed thru it.

I wouldn't call my standpoint missing the point exactly:-)
This is exactly why you should take a long hard think-session on
whether to use file/filtype checking at all.

> Plus the magic file is based off work and discovery of the internet
> community over many years.  If there was a better signature, I'm sure
> someone would have added it to the file.  At
> which is dated
> 12/20/2005 and the last comment line says "free" is the most common
> signature of a quicktime file.

Ah, yes... but the file command has a rather significant difference
when used as usually done, contra what it's like in MS... Namely a
human to interprete the results.... MS is a bit more ... litteral.

> Maybe a better question should whether the txt file that tnef extracts
> to msg-*.txt should even be passed thru file to avoid a misdiagnosis.
> That reduces the chances while maintaining a greater level of intended
> security wanted by the admin.
Perhaps, but if one wants filetype checks on all attachments, why
should these not be subject to the checks? One could easily envision
some crafty type exploiting such a "hole":-)...

> -----Original Message-----
> From: mailscanner-bounces at
> [mailto:mailscanner-bounces at] On Behalf Of Glenn
> Steen
> Sent: Tuesday, March 21, 2006 6:24 AM
> To: MailScanner discussion
> Subject: Re: Filetype/MailScanner bug
> On 21/03/06, Rose, Bobby <brose at> wrote:
> > Since the "Use TNEF Contents" function in the latest version, I've
> > come across a pseudo bug.  It's really not a bug since both file and
> > MailScanner are doing exactly what they're supposed to.
> >
> > If "Use TNEF Contents" is yes and a plain text message or rtf
> > formatted message is processed, there is a potential for file to
> > misinterpret a text message as an incorrect filetype because of string
> > of text being in the correct byte position that magic is expecting for
> > a particular filetype.
> >
> > It was stumbled upon by a one of our researchers who received a "No
> > QuickTime movies allowed (msg-19905-304.txt)" warning from mail
> server.
> > After investigation it turned out that the word "free" was in the 4th
> > byte position which is also a magic signature for quicktime.  I've
> > been able to dupe by sending a plain-text and an rtf formatted message
> > with
> > "RE: freezer emergency" as the first line in the message body.
> >
> > Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
> > without compromising security.  \.txt$ is allowed in my filenames rule
> > file so that currently can't be used to offset.
> >
> > -=Bobby
> Best "solution" (aside from not trusting file with this at all) is to
> make file better.... I'm sure you can improve on the simplistic "free in
> the fourth position" check.
> Or just reewmove that line from your magic file.
> --
> -- Glenn
> email: glenn < dot > steen < at > gmail < dot > com
> work: glenn < dot > steen < at > ap1 < dot > se

-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se

More information about the MailScanner mailing list