No, I don't call it a vulnerability.  The skip_text_msgs feature, intended to
skip messages that just seem to be plain text, improves performance by not
scanning messages that don't appear to have binary content.  Admittedly,
yes, it's not perfect.  Not being a user of QSQ 1.2x, I don't know if this
feature is on by default.  Personally, I think this feature should be off by
default.

Continuing on - QSQ uses reformime to pick apart the message.  If reformime
can't do it, it's a problem with reformime, not QSQ.  I'm sure the folks that
handle reformime would like to know about this and probably could come up
with a solution.

The heads-up on skip_text_msgs is well noted, and I agree with you that it
should not be used.  I guess my definition of a vulnerability is different
than yours.  All of this is beside the point; it's not a bad feature, it was
probably requested or suggested and Jason Haar took considerable time to
write it in and test it, and I believe it's working as expected with respect
to that if the utilities QSQ relies on say the message is plain text, then
it is plain text and not waste time scanning for something that, by
reasonable logic, won't be there.  If the utilities are returning false
information, then it's a problem with the utilities.

There's no need for debate on what is or isn't a vulnerability (yes, my
fault for proclaiming that it's not - that's why I'm stopping now), there are
other forums better suited for that debate.  I do, however, completely agree
with you: $skip_text_msgs should be turned off, and shouldn't be enabled by
default.  Case in point: Bagle-Q.  Bagle-Q sends out e-mails with just some
HTML that Sophos (and a few other AVs) have definitions to detect but won't
get scanned if $skip_text_msgs is on.  By all reasonable logic, the message
is "plain text" and viruses aren't found in "plain text".  In reality, we
see this logic isn't completely accurate.

John Narron            | "Sacrifice, they always say
Network Administration |  Is a sign of nobility
CDS/CDSinet, LLC       |  But where does one draw the line
http://www.cdsinet.net |  In the face of injury?"
(660) 886 4045         |     - Queensryche

----- Original Message ----- 
From: "Dallas L. Engelken" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 08, 2004 11:59 AM
Subject: RE: [Qmail-scanner-general]QS Vulnerability - Exploiting "No virus
scan on plain text messages"


>
> I wouldn't necessarily call this a vulnerability.  I ran into
> this when writing the Regex Scanner for QSQ.  Find
> $skip_text_msgs and set it to 0 so that all e-mails,
> including plain text, are scanned.
>
> This only applies to the 1.2x versions, 1.1x don't have this feature.
>

You don't call this a vulnerability???  What happens when the next
virus outbreak comes in as inline uuencoded attachments instead of a
jpeg like in my example and QS doesn't run virus scans on them because
the message is plain text?    Reformime won't even blow these messages
apart...

[EMAIL PROTECTED] tmp]# reformime -i < msg1
section: 1
content-type: text/plain
content-transfer-encoding: 8bit
charset: iso-8859-1
starting-pos: 0
starting-pos-body: 771
ending-pos: 103899
line-count: 1693
body-line-count: 1677

So perlscanner will not help you when you try and block .pif or .exe
that are embedded inline...

I did not try ripmime to see if it pulls the inline uuencoding.

I know how to fix the damn thing..  But I really don't care at this
point because like I said, I don't use it yet.   I guess I just like to
look at code before throwing it onto something.

I just want everyone else to know that this is a problem with Q-S that
needs to be addressed before it is used in a production environment.

Dallas




-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=ick
_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
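
An added example, not part of the original thread and not qmail-scanner code: a check a filter could run before skipping a message that the MIME parser reports as a single text/plain section, covering the inline uuencoded case described above. The function names and the sample body are assumptions constructed for illustration.

```python
import binascii
import re

# "begin <mode> <filename>" opens a uuencoded block inside an otherwise plain body.
BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")

def find_inline_uuencode(body):
    """Return [(filename, decoded_size)] for each complete begin/end block."""
    found, name, size = [], None, 0
    for line in body.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name, size = m.group(2).strip(), 0
            continue
        if line.strip() == "end":
            found.append((name, size))
            name = None
        elif line.strip():
            try:
                size += len(binascii.a2b_uu(line.encode("ascii")))
            except (binascii.Error, UnicodeEncodeError):
                name = None  # not uuencode data; the "begin" was ordinary prose
    return found

def safe_to_skip_scan(content_type, body):
    """Hypothetical skip decision: only plain text with no embedded payload."""
    if content_type.split(";")[0].strip().lower() != "text/plain":
        return False
    return not find_inline_uuencode(body)

def make_sample(payload, filename):
    """Build a constructed text/plain body carrying an inline uuencoded file."""
    rows = [binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n")
            for i in range(0, len(payload), 45)]
    return "See the file below.\n\nbegin 644 %s\n%s\n`\nend\n" % (filename, "\n".join(rows))

if __name__ == "__main__":
    body = make_sample(b"MZ" + bytes(range(60)), "photo.pif")  # constructed bytes
    print(find_inline_uuencode(body))
    print(safe_to_skip_scan("text/plain; charset=iso-8859-1", body))
```

This only covers inline uuencoding; it does not address the HTML-only Bagle-Q case mentioned in the reply.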




