Filetype/MailScanner bug
Dhawal Doshy
dhawal at netmagicsolutions.com
Wed Mar 29 20:39:28 IST 2006
Rose, Bobby writes:
> First, txt by default in MailScanner is an allowed filetype. Second, a
> user can already do that with the thousands of extensions that are
> allowed because you must explicitly deny the bad stuff in
> MailScanner. So if a user wanted, they could rename the filename to
> .??_ and it will pass.
>
> This bug is not so much a problem with filenames. I'm just pointing out
> that the filenames.conf entries don't override filetype.conf. So the
> tnef created "msg*.txt" files that can be misinterpreted by filetype as
> Quicktime files can't be overridden. The only options are to allow
> quicktime filetypes or disable the "Use TNEF Contents" option.
>
> Note that the msg*.txt files are not being sent by the user. They are
> created by MailScanner using the current "Use TNEF Contents" function.
> So it would seem to be perfectly safe to say that since MailScanner
> created that file based off of mime/text that it doesn't need to go thru
> a filetype check.
Not the best option, but why not have a ruleset to ignore filetype checks
from localhost (127.0.0.1)?
I am assuming messages are re-injected into the local queue after attaching
the msg*.txt.
- dhawal
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Richard
> Frovarp
> Sent: Wednesday, March 29, 2006 12:15 PM
> To: MailScanner discussion
> Subject: Re: Filetype/MailScanner bug
>
> You are of course assuming that no one will ever try to sneak an unwanted
> file type through by giving it a txt extension. The whole point of
> checking file types is that you don't trust the extensions. A user could
> change all of their files to have extensions of txt and get past every
> time.
>
> Rose, Bobby wrote:
>
>>I just had another message get misidentified by the new "Use TNEF
>>Contents" option and filetype on the text part of the message that this
>>function creates. No QuickTime movies allowed (msg-24987-72.txt)
>>
>>Yeh I could disable the new option, or change the magic file to remove
>>quicktime signatures or even change the filetype.conf but then again
>>that defeats the intended purpose of the new option and/or the blocking
>>of quicktime filetypes. But it makes more sense to not be passing the
>>msg.txt file created by the new function thru filetype. Plus,
>>filename.conf entries don't seem to override filetype.conf entries as
>>.txt is listed in the filename.conf by default.
>>
>>Bobby Rose
>>
>>
>>
>>-----Original Message-----
>>From: mailscanner-bounces at lists.mailscanner.info
>>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose,
>>Bobby
>>Sent: Monday, March 20, 2006 9:58 PM
>>To: MailScanner discussion
>>Subject: Filetype/MailScanner bug
>>
>>Since the "Use TNEF Contents" function in the latest version, I've come
>>across a pseudo bug. It's really not a bug since both file and
>>MailScanner are doing exactly what they're supposed to.
>>
>>If "Use TNEF Contents" is yes and a plain text message or rtf formatted
>>message is processed, there is a potential for file to misinterpret a
>>text message as an incorrect filetype because of a string of text being
>>in the correct byte position that magic is expecting for a particular
>>filetype.
>>
>>It was stumbled upon by one of our researchers who received a "No
>>QuickTime movies allowed (msg-19905-304.txt)" warning from the mail server.
>>After investigation it turned out that the word "free" was in the 4th
>>byte position which is also a magic signature for quicktime. I've been
>>able to dupe it by sending a plain-text and an rtf formatted message with
>>"RE: freezer emergency" as the first line in the message body.
>>
>>Any ideas for a fix to have MailScanner ignore a misdiagnosis by file
>>without compromising security? \.txt$ is allowed in my filenames rule
>>file so that currently can't be used to offset.
>>
>>-=Bobby
>>--
>>MailScanner mailing list
>>mailscanner at lists.mailscanner.info
>>http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>Before posting, read http://wiki.mailscanner.info/posting
>>
>>Support MailScanner development - buy the book off the website!
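The misfire Bobby describes is easy to reproduce in a few lines. The following is an added example, not code from MailScanner or from file(1): it models a bare "four-byte atom name at offset 4" QuickTime rule (the atom list is an assumption, a simplified stand-in for the real magic database), shows that the constructed body "RE: freezer emergency" lands "free" exactly at bytes 4..7, and then shows the kind of check that avoids the false positive without weakening detection of a real movie container: reject the match when the whole buffer is printable text, and require the big-endian atom size at offset 0 to be plausible. The text heuristic and size check are likewise assumptions for illustration.

```python
# Added example (not MailScanner or file(1) code). Assumption: a few
# QuickTime magic rules amount to "atom name at offset 4"; this set is
# illustrative, not file's real magic database.
QUICKTIME_ATOMS = {b"free", b"moov", b"mdat", b"ftyp", b"wide", b"skip", b"pnot"}


def naive_magic(data: bytes) -> str:
    """A bare 'string at offset 4' rule, as a loose magic entry would match it."""
    if len(data) >= 8 and data[4:8] in QUICKTIME_ATOMS:
        return "QuickTime movie"
    return "data"


def looks_like_text(data: bytes) -> bool:
    """Assumed heuristic: every byte is printable ASCII or ordinary whitespace."""
    allowed = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return bool(data) and all(b in allowed for b in data)


def classify(data: bytes) -> str:
    """Hardened check: an all-printable buffer is reported as text before any
    binary-container rule is consulted, and the QuickTime rule additionally
    requires the 32-bit big-endian atom size at offset 0 to be plausible
    (0 meaning 'to end of file', else between 8 and the buffer length)."""
    if looks_like_text(data):
        return "text"
    if len(data) >= 8 and data[4:8] in QUICKTIME_ATOMS:
        size = int.from_bytes(data[0:4], "big")
        if size == 0 or 8 <= size <= len(data):
            return "QuickTime movie"
    return "data"


# Constructed samples: the subject line from the thread as a message body,
# and a minimal QuickTime-style header (8-byte 'free' atom, then an 'mdat'
# atom with 8 bytes of payload).
TEXT_BODY = b"RE: freezer emergency\nThe freezer in lab 3 is alarming.\n"
MOVIE_HEAD = b"\x00\x00\x00\x08free" + b"\x00\x00\x00\x10mdat" + b"\x00" * 8


def demo() -> dict:
    """Return both classifiers' verdicts on both samples."""
    return {
        "naive_text": naive_magic(TEXT_BODY),
        "hardened_text": classify(TEXT_BODY),
        "naive_movie": naive_magic(MOVIE_HEAD),
        "hardened_movie": classify(MOVIE_HEAD),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Run stand-alone it reports the text body as "QuickTime movie" under the naive rule and as "text" under the hardened one, while the constructed movie header is flagged by both. Note that on this particular body the size check alone would also have rejected the match (the bytes "RE: " read as an implausibly large atom size), but the printable-text check is the general defence: it is exactly the distinction Bobby asks for, treating the body file as text regardless of which binary signature its words happen to line up with.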