Filetype/MailScanner bug
Rose, Bobby
brose at med.wayne.edu
Wed Mar 29 19:36:01 IST 2006
First, txt by default in MailScanner is an allowed filetype. Second, a
user can already do that with the thousands of extensions that are
allowed because you must explicitly denying the bad stuff in
MailScanner. So if a user wanted, they could rename the filename to
.??_ and it will pass.
This bug is not so much a problem with filenames. I'm just pointing out
that the filenames.conf entries don't override filetype.conf So the
tnef created "msg*.txt" files that can be misinterpretted by filetype as
Quicktime files can't be overridden. The only options are to allow
quicktime filetypes or disable the "Use TNEF Contents" option.
Note that the msg*.txt files are not being sent by the user. They are
created by MailScanner using the current "Use TNEF Contents" function.
So it would seem to be perfectly safe to say that since MailScanner
created that file based off of mime/text that it doesn't need to go thru
a filetype check.
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard
Frovarp
Sent: Wednesday, March 29, 2006 12:15 PM
To: MailScanner discussion
Subject: Re: Filetype/MailScanner bug
You are of course assuming that no one will ever try to sneak a unwanted
file type through by giving it a txt extension. The whole point of
checking file types is that you don't trust the extensions. A user could
change all of their files to have extensions of txt and get pass every
time.
Rose, Bobby wrote:
>I just had another message get misidentified by the new "Use TNEF
>Contents" option and filetype on the text part of the message that this
>function creates. No QuickTime movies allowed (msg-24987-72.txt)
>
>Yeh I could disable the new option, or change the magic file to remove
>quicktime signatures or even change the filetype.conf but then again
>that defeats the intended purpose of the new option and/or the blocking
>of quicktime filetypes. But it makes more sense to not be passing the
>msg.txt file created by the new function thru filetype. Plus,
>filename.conf entries don't seem to override filetype.conf entries as
>.txt is listed in the filename.conf by default.
>
>Bobby Rose
>
>
>
>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info
>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose,
>Bobby
>Sent: Monday, March 20, 2006 9:58 PM
>To: MailScanner discussion
>Subject: Filetype/MailScanner bug
>
>Since the "Use TNEF Contents" function in the latest version, I've come
>across a pseudo bug. It's really not a bug since both file and
>MailScanner are doing exactly what they're supposed to.
>
>If "Use TNEF Contents" is yes and a plain text message or rtf formatted
>message is processed, there is a potential for file to misinterpret a
>text message as an incorrect filetype because of string of text being
>in the correct byte position that magic is expecting for a particular
>filetype.
>
>It was stumbled upon by a one of our researchers who received a "No
>QuickTime movies allowed (msg-19905-304.txt)" warning from mail server.
>After investigation it turned out that the word "free" was in the 4th
>byte position which is also a magic signature for quicktime. I've been
>able to dupe by sending a plain-text and an rtf formatted message with
>"RE: freezer emergency" as the first line in the message body.
>
>Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
>without compromising security. \.txt$ is allowed in my filenames rule
>file so that currently can't be used to offset.
>
>-=Bobby
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!
>--
>MailScanner mailing list
>mailscanner at lists.mailscanner.info
>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>Before posting, read http://wiki.mailscanner.info/posting
>
>Support MailScanner development - buy the book off the website!
>
>
>
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list