Filetype/MailScanner bug

Wed Mar 29 19:40:11 IST 2006

Rose, Bobby spake the following on 3/29/2006 10:36 AM:
> First, txt by default in MailScanner is an allowed filetype.  Second, a
> user can already do that with the thousands of extensions that are
> allowed because you must explicitly denying the bad stuff in
> MailScanner.  So if a user wanted, they could rename the filename to
> .??_ and it will pass.
> 
> This bug is not so much a problem with filenames.  I'm just pointing out
> that the filenames.conf entries don't override filetype.conf   So the
> tnef created "msg*.txt" files that can be misinterpretted by filetype as
> Quicktime files can't be overridden.  The only options are to allow
> quicktime filetypes or disable the "Use TNEF Contents" option.
> 
> Note that the msg*.txt files are not being sent by the user.  They are
> created by MailScanner using the current "Use TNEF Contents" function.
> So it would seem to be perfectly safe to say that since MailScanner
> created that file based off of mime/text that it doesn't need to go thru
> a filetype check.
> 
> 
>  
> 
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard
> Frovarp
> Sent: Wednesday, March 29, 2006 12:15 PM
> To: MailScanner discussion
> Subject: Re: Filetype/MailScanner bug
> 
> You are of course assuming that no one will ever try to sneak a unwanted
> file type through by giving it a txt extension. The whole point of
> checking file types is that you don't trust the extensions. A user could
> change all of their files to have extensions of txt and get pass every
> time.
> 
> Rose, Bobby wrote:
> 
>> I just had another message get misidentified by the new "Use TNEF 
>> Contents" option and filetype on the text part of the message that this
> 
>> function creates.  No QuickTime movies allowed (msg-24987-72.txt)
>>
>> Yeh I could disable the new option, or change the magic file to remove 
>> quicktime signatures or even change the filetype.conf but then again 
>> that defeats the intended purpose of the new option and/or the blocking
> 
>> of quicktime filetypes.  But it makes more sense to not be passing the 
>> msg.txt file created by the new function thru filetype.  Plus, 
>> filename.conf entries don't seem to override filetype.conf entries as 
>> .txt is listed in the filename.conf by default.
>>
>> Bobby Rose
>>
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose, 
>> Bobby
>> Sent: Monday, March 20, 2006 9:58 PM
>> To: MailScanner discussion
>> Subject: Filetype/MailScanner bug
>>
>> Since the "Use TNEF Contents" function in the latest version, I've come
> 
>> across a pseudo bug.  It's really not a bug since both file and 
>> MailScanner are doing exactly what they're supposed to.
>>
>> If "Use TNEF Contents" is yes and a plain text message or rtf formatted
> 
>> message is processed, there is a potential for file to misinterpret a 
>> text message as an incorrect filetype because of string of text being 
>> in the correct byte position that magic is expecting for a particular 
>> filetype.
>>
>> It was stumbled upon by a one of our researchers who received a "No 
>> QuickTime movies allowed (msg-19905-304.txt)" warning from mail server.
>> After investigation it turned out that the word "free" was in the 4th 
>> byte position which is also a magic signature for quicktime.  I've been
> 
>> able to dupe by sending a plain-text and an rtf formatted message with
>> "RE: freezer emergency" as the first line in the message body.
>>
>> Any ideas for a fix to have MailScanner ignore a misdiagnosis by file 
>> without compromising security.  \.txt$ is allowed in my filenames rule 
>> file so that currently can't be used to offset.
>>
>> -=Bobby
But I don't think Mailscanner creates these files from any sort of mime types,
it just extracts the files from the TNEF encoded part and re-attaches them. If
the file is wrong in the TNEF file, it will be the same in the new file.

-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!