> No I don't call it a vulnerability. The skip_text_msgs
> feature, intended to skip messages that just seem to be plain
> text, improves performance by not scanning messages that
> don't appear to have binary content. Admittedly, yes, it's
> not perfect. Not being a user of QSQ 1.2x, I don't know if
> this feature is on by default. Personally, I think this
> feature should be off by default.
>
It should be off by default until we can confirm that the tools being used will do proper unpacking of these messages. Also, everyone should make sure they are on the latest version of ripmime or reformime... I'm pretty sure I'm not and that may be my problem.

> Continuing on - QSQ uses reformime to pick apart the message.
> If reformime can't do it, it's a problem with reformime, not
> QSQ. I'm sure the folks that handle reformime would like to
> know about this and probably could come up with a solution.
>

Just tested ripmime and it sees it..

[EMAIL PROTECTED] tmp]# ripmime -v -imsg1
Decoding filename=textfile0_1
Decoding filename=Dad, Lavena, Alta.jpg
Decoding filename=textfile1_1
Decoding filename=Dad, Lavena, Alta.jpg

reformime does not.

[EMAIL PROTECTED] tmp]# reformime -i < msg1
section: 1
content-type: text/plain
content-transfer-encoding: 8bit
charset: iso-8859-1
starting-pos: 0
starting-pos-body: 771
ending-pos: 103899
line-count: 1693
body-line-count: 1677

I need to look at a new maildrop package... But I'm sure a lot of people are like me and don't upgrade their supporting packages when they upgrade their Q-S. :) I will try and get maildrop 1.6.3 installed here in a bit and test further.

> The heads-up on skip_test_msgs is well noted, and I agree
> with you that it should not be used. I guess my definition
> of a vulnerability is different than yours. All of this is
> beside the point; it's not a bad feature, it was probably
> requested or suggested and Jason Haar took considerable time
> to write it in and test it, and I believe it's working as
> expected with respect to that if the utilities QSQ relies on
> says the message is plain text, then it is plain text and not
> waste time scanning for something that, by reasonable logic,
> won't be there. If the utilities are returning false
> information, then it's a problem with the utilities.
>

Ok, so it's an 'exploit' of a 'feature'.
I put that word in the title too :) I agree that it is a great feature to have.. I'd love to save some cpu cycles myself.

> There's no need for debate on what is or isn't a
> vulnerability (yes, my fault for proclaiming that it's not -
> that's why I'm stopping now), there's other forums better
> suited for that debate. I do, however, completely agree with
> you: $skip_text_msgs should be turned off, and shouldn't be
> enabled by default. Case in point: Bagle-Q. Bagle-Q sends
> out e-mails with just some HTML that Sophos (and a few other
> AVs) have definitions to detect but won't get scanned if
> $skip_text_msgs is on. By all reasonable logic, the message
> is "plain text" and viruses aren't found in "plain text". In
> reality, we see this logic isn't completely accurate.
>

Do you have a copy of this bagle-q that bypasses Q-S 1.21 that I can test and figure out why?

Thx
d

_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
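
Added example (not part of the original thread, and not qmail-scanner code): a skip decision that trusts the declared Content-Type only when the raw body also shows no embedded MIME headers, uuencode begin lines or base64 runs, which is the gap between the reformime and ripmime results above. The indicator patterns, function names and both sample messages are constructed assumptions.

```python
import base64
import email
import re

# Heuristic markers of encoded content inside a body declared text/plain.
# Illustrative assumptions, not qmail-scanner's, reformime's or ripmime's logic.
INDICATORS = {
    "embedded MIME headers": re.compile(
        r"^Content-(?:Type|Disposition|Transfer-Encoding):", re.I | re.M),
    "uuencode begin line": re.compile(r"^begin [0-7]{3,4} \S", re.M),
    "base64 run": re.compile(r"(?:^[A-Za-z0-9+/]{60,76}\r?\n){3,}", re.M),
}

def is_declared_plain_text(raw: bytes) -> bool:
    """True when a header-trusting parser sees nothing but text/plain."""
    msg = email.message_from_bytes(raw)
    return all(p.get_content_type() == "text/plain" for p in msg.walk())

def body_indicators(raw: bytes) -> list:
    """Names of the indicators found in the raw body (after the first blank line)."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1].decode("latin-1") if len(parts) == 2 else ""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]

def safe_to_skip(raw: bytes) -> bool:
    """Skip the virus scan only if declared AND observed content are plain text."""
    return is_declared_plain_text(raw) and not body_indicators(raw)

# Constructed samples (not the msg1 from the thread, which is not on the page).
_B64 = base64.encodebytes(bytes(range(256)))  # harmless placeholder payload
SAMPLE_HIDDEN = (
    b"From: a@example.com\nSubject: photos\n"
    b"Content-Type: text/plain; charset=iso-8859-1\n"
    b"Content-Transfer-Encoding: 8bit\n\n"
    b"--constructed-boundary\n"
    b'Content-Type: image/jpeg; name="photo.jpg"\n'
    b"Content-Transfer-Encoding: base64\n\n" + _B64 +
    b"--constructed-boundary--\n"
)
SAMPLE_PLAIN = (b"From: a@example.com\nSubject: lunch\n"
                b"Content-Type: text/plain\n\nSee you at noon.\n")

if __name__ == "__main__":
    for label, raw in (("hidden", SAMPLE_HIDDEN), ("plain", SAMPLE_PLAIN)):
        print(label, is_declared_plain_text(raw), body_indicators(raw), safe_to_skip(raw))
```

A quoted header line in an ordinary text message also trips the first indicator; the check is meant to fail toward scanning, not toward skipping.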