Posted to server-user@james.apache.org by "Noel J. Bergman" <no...@devtech.com> on 2003/06/21 18:07:29 UTC

Virus scanning (was RE: Matchers & X Window)

Danny,

Imagine a .EXE/.COM program that was infected, but didn't carry the actual
payload.  The payload is in a separate image attachment, hoping to sneak
through.  The anti-virus scan doesn't see the signature in the executable,
doesn't scan the image, the virus boot then loads the payload from the image
(don't you hate untrusted code being able to mark pages executable?), and
the virus is activated.

I would check MIME type, file extension, and most importantly the magic, to
make sure that they all match.  Any failure to match would be suspect,
regardless of what the A/V program says.  I think you misunderstood my
earlier point.  In fairness, it wasn't clear as I had stated it.

	--- Noel

-----Original Message-----
From: Danny Angus [mailto:danny@apache.org]
Sent: Saturday, June 21, 2003 11:31
To: James Users List
Subject: RE: Matchers & X Window


As this is Vincenzo's code and not James' this rant is just my 2c..

I'm not sure that omitting to scan *any* part is a good idea.

I know this isn't apache software, but if it was I'd veto introducing any
security loophole based on hearsay or speculation and not published
research.

Unless you guys know a lot more than me about virus detection I don't see
how you can confidently predict what might be carrying a dangerous payload,
just because it looks tastes and smells like an image doesn't mean that it
is.

Isn't that the virus writer's idea, to slip a payload through your security
masquerading as innocent data? Just because *we* can't see what
harm it would cause doesn't mean that it really is benign. Surely that is the
reason why virus detection companies recommend you regularly scan everything;
Norton AV scans gifs on my HD.

I don't pretend to know much about it but you don't have to speculate much
either to work out what would happen if binary data could be slipped through
in mail as a .gif and somehow activated by some other exploit.

If there are issues with certain mime types then that is a bug that needs
fixing for security reasons, and not something we should even consider
working around if it is going to produce a loophole, however small, in the
AV scanning.

As far as I can make out it is the attitude in resolving conflict that
functionality is more important than security which gives M$ such a hard
time.

I urge caution.

d.


---------------------------------------------------------------------
To unsubscribe, e-mail: james-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: james-user-help@jakarta.apache.org


RE: Virus scanning (was RE: Matchers & X Window)

Posted by "Noel J. Bergman" <no...@devtech.com>.
> Try telling a Mac-user (or a Unix-user) that he *must* put a
> file-extension on the filename ;-)

If there isn't an extension, then it doesn't need to match.  :-)

> As far as I know, only Windows and VMS require a file extension in the
> filename.

Actually, that's part of the problem.  Although the "front end" of Windows
cares about extensions, if I recall correctly, the loader only cares about
the file format.  For example, you could hack the registry and create a
new executable file extension fairly easily.

	--- Noel




Re: Virus scanning (was RE: Matchers & X Window)

Posted by tobe <to...@swipnet.se>.
Noel J. Bergman wrote:

>>> I would check MIME type, file extension, and most importantly the
>>> magic, to make sure that they all match.  Any failure to match
>>> would be suspect, regardless of what the A/V program says.  I
>>> think you misunderstood my earlier point.
>
>> In truth I must have done, I *still* wouldn't like to trust that those
>> things weren't being hijacked though, even the magic.
>
> Exactly.  So if an attachment has MIME type T then it should have one of the
> known extensions for MIME type T and it should have the correct magic.  That
> way if an attachment claims to be MIME type "image/jpeg", then it must have
> an extension of .jpeg, jpg or jpe, [snip]
Try telling a Mac-user (or a Unix-user) that he *must* put a 
file-extension on the filename ;-)
As far as I know, only Windows and VMS require a file extension in the 
filename.

But I think we are all talking about the same thing, all parts have to 
be scanned, and a general mailet should not (even cannot) have any 
knowledge of the specifics of it.

/tobe





RE: filetype magic

Posted by "Noel J. Bergman" <no...@devtech.com>.
> you could get bytes into a machine in the guise of the image bytes of a
> gif or jpeg.
> there could still be uses for it *IF* it became a way round anti-virus
> software.

Yes, but the way I've suggested using it was as a supplement to a/v software,
not a replacement.  Any mismatch would be a rejection, but a positive match
doesn't imply a free ride.

	--- Noel




RE: filetype magic

Posted by Danny Angus <da...@apache.org>.
>  Faking to be a desirable type won't achieve the
> goal.  It would just be a corrupt file.

No it wouldn't, you could get bytes into a machine in the guise of the image bytes of a gif or jpeg.
OK, that's not executable, but there could still be uses for it *IF* it became a way round anti-virus software.

d.


RE: filetype magic

Posted by "Noel J. Bergman" <no...@devtech.com>.
> I feel compelled to mention that magic is only ever an informed guess,
> and I'm convinced that faking magic isn't beyond the ability of smart
> bad people, if there's a gain to be made.

True.  But what would be the point?  Faking to be an undesirable type would
be counter-productive.  Faking to be a desirable type won't achieve the
goal.  It would just be a corrupt file.

As I see it, checking the magic is just one way to keep someone from
slipping an executable in under the guise of a benign attachment.

	--- Noel




filetype magic

Posted by Danny Angus <da...@apache.org>.
I feel compelled to mention that magic is only ever an informed guess, and I'm convinced that faking magic isn't beyond the ability of smart bad people, if there's a gain to be made.


> > After reading your http://www.alaska.net/~royce/pub/solaris/MAGIC
> > link I see what it is all about.
> 
> For those who don't understand, yet, this might help:
> 
>   http://www.halley.cc/ed/linux/newcomer/filename.html

RE: Virus scanning (was RE: Matchers & X Window)

Posted by "Noel J. Bergman" <no...@devtech.com>.
> After reading your http://www.alaska.net/~royce/pub/solaris/MAGIC
> link I see what it is all about.

For those who don't understand, yet, this might help:

  http://www.halley.cc/ed/linux/newcomer/filename.html

> is there any formal or informal organization that keeps a list
> like that up to date?

Christos Zoulas (christos astron com) is the current maintainer.  The latest
code is available from ftp://ftp.astron.com/pub/file.

> 1) Should a mailet or a matcher like IsInfected scan everything or not.

> if the A/V program like McAfee's Virusscan allows the user to choose
> whether or not to scan everything or just "dangerous" extensions or
> chosen extensions, it is up to the user.

Agreed.  But as Danny says, if there were a virus scanner as part of the
James distribution, the default should be as strict as possible.  I suggest
that you consider doing the same in your examples, although hopefully your
legal liability is limited in Italy.

> 2) Should it identify "malformations" in a message, including innocent
> or "guilty" alterations of the extension / MIME type / magic matching,
> but not excluding other checks.

> should be done in a kind of IsMalformed matcher or CheckCompliance mailet

And can be done in native Java code, if someone does the port, without
having to go through the overhead involved in the external anti-virus scan.

	--- Noel




RE: Virus scanning (was RE: Matchers & X Window)

Posted by Vincenzo Gianferrari Pini <vi...@praxis.it>.
After reading your http://www.alaska.net/~royce/pub/solaris/MAGIC link I see what it is all about. But is there any formal or informal organization that keeps a list like that up to date?

Regarding the discussion on this thread, I think that there are two different issues here:

1) Should a mailet or a matcher like IsInfected scan everything or not.

2) Should it identify "malformations" in a message, including innocent or "guilty" alterations of the extension / MIME type / magic matching, but not excluding other checks.

Regarding point 1), as a user I prefer to scan everything, but if the A/V program like McAfee's Virusscan allows the user to choose whether or not to scan everything or just "dangerous" extensions or chosen extensions, it is up to the user. As the matcher/mailet has to offload the attachment to a directory to have the A/V do that, having it look at the extension is only a matter of performance (why offload a JPEG if later on I ask the A/V to ignore it?). Currently IsInfected offloads everything and what to do is left to the command line string passed to the A/V, so I think it is safe and could be made to perform better.

Point 2) instead should be done in a kind of IsMalformed matcher or CheckCompliance mailet, whose outcome can be used in config.xml to take an appropriate action. As its operation could require an overhead already used in the IsInfected or equivalent matcher or mailet, it is again only a matter of performance doing such work only once while scanning for viruses.

Vincenzo

> -----Original Message-----
> From: Vincenzo Gianferrari Pini
> [mailto:vincenzo.gianferraripini@praxis.it]
> Sent: domenica 22 giugno 2003 10.23
> To: James Users List
> Subject: RE: Virus scanning (was RE: Matchers & X Window)
> 
> 
> This "magic number" topic is quite new to me :-)
> 
> I've looked around with Google, but didn't find any link really 
> explaining what it's all about. Do you have any good one to suggest?
> 
> Thanks,
> 
> Vincenzo
> 
> > -----Original Message-----
> > From: Noel J. Bergman [mailto:noel@devtech.com]
> > Sent: domenica 22 giugno 2003 1.01
> > To: James Users List
> > Subject: RE: Virus scanning (was RE: Matchers & X Window)
> > 
> > 
> > > > I would check MIME type, file extension, and most importantly the
> > > > magic, to make sure that they all match.  Any failure to match
> > > > would be suspect, regardless of what the A/V program says.  I
> > > > think you misunderstood my earlier point.
> > 
> > > In truth I must have done, I *still* wouldn't like to trust that those
> > > things weren't being hijacked though, even the magic.
> > 
> > Exactly.  So if an attachment has MIME type T then it should have one of the
> > known extensions for MIME type T and it should have the correct magic.  That
> > way if an attachment claims to be MIME type "image/jpeg", then it must have
> > an extension of .jpeg, jpg or jpe, AND have a magic value of
> > 0xFFD8FFE0JFIF0x00.  If it has a magic value of something else, e.g.,
> > 0x7FELF or MZ, then it should be rejected *regardless of the anti-virus
> > scan*.  A simple set of magic is:
> > 
> > 	Format		Magic
> > 	PNG			0xD3PNG
> > 	GIF			GIF89a
> > 	JPEG			0xFFD8FFE0JFIF0x00
> > 	ELF			0x7FELF
> > 	Windows .EXE	MZ
> > 
> > /usr/share/[misc/]magic has a collected set to use with the file command
> > (Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC).  The
> > pertinent aspects of the file command could be re-implemented in Java.
> > 
> > The purpose would be to prevent someone from slipping an executable by as a
> > non-executable, since most operating systems load by magic, not extension or
> > MIME type.
> > 
> > 	--- Noel




RE: Virus scanning (was RE: Matchers & X Window)

Posted by Vincenzo Gianferrari Pini <vi...@praxis.it>.
This "magic number" topic is quite new to me :-)

I've looked around with Google, but didn't find any link really explaining what it's all about. Do you have any good one to suggest?

Thanks,

Vincenzo

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: domenica 22 giugno 2003 1.01
> To: James Users List
> Subject: RE: Virus scanning (was RE: Matchers & X Window)
> 
> 
> > > I would check MIME type, file extension, and most importantly the
> > > magic, to make sure that they all match.  Any failure to match
> > > would be suspect, regardless of what the A/V program says.  I
> > > think you misunderstood my earlier point.
> 
> > In truth I must have done, I *still* wouldn't like to trust that those
> > things weren't being hijacked though, even the magic.
> 
> Exactly.  So if an attachment has MIME type T then it should have one of the
> known extensions for MIME type T and it should have the correct magic.  That
> way if an attachment claims to be MIME type "image/jpeg", then it must have
> an extension of .jpeg, jpg or jpe, AND have a magic value of
> 0xFFD8FFE0JFIF0x00.  If it has a magic value of something else, e.g.,
> 0x7FELF or MZ, then it should be rejected *regardless of the anti-virus
> scan*.  A simple set of magic is:
> 
> 	Format		Magic
> 	PNG			0xD3PNG
> 	GIF			GIF89a
> 	JPEG			0xFFD8FFE0JFIF0x00
> 	ELF			0x7FELF
> 	Windows .EXE	MZ
> 
> /usr/share/[misc/]magic has a collected set to use with the file command
> (Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC).  The
> pertinent aspects of the file command could be re-implemented in Java.
> 
> The purpose would be to prevent someone from slipping an executable by as a
> non-executable, since most operating systems load by magic, not extension or
> MIME type.
> 
> 	--- Noel




RE: Virus scanning (was RE: Matchers & X Window)

Posted by "Noel J. Bergman" <no...@devtech.com>.
> > I would check MIME type, file extension, and most importantly the
> > magic, to make sure that they all match.  Any failure to match
> > would be suspect, regardless of what the A/V program says.  I
> > think you misunderstood my earlier point.

> In truth I must have done, I *still* wouldn't like to trust that those
> things weren't being hijacked though, even the magic.

Exactly.  So if an attachment has MIME type T then it should have one of the
known extensions for MIME type T and it should have the correct magic.  That
way if an attachment claims to be MIME type "image/jpeg", then it must have
an extension of .jpeg, jpg or jpe, AND have a magic value of
0xFFD8FFE0JFIF0x00.  If it has a magic value of something else, e.g.,
0x7FELF or MZ, then it should be rejected *regardless of the anti-virus
scan*.  A simple set of magic is:

	Format		Magic
	PNG			0xD3PNG
	GIF			GIF89a
	JPEG			0xFFD8FFE0JFIF0x00
	ELF			0x7FELF
	Windows .EXE	MZ

/usr/share/[misc/]magic has a collected set to use with the file command
(Windows users, see: http://www.alaska.net/~royce/pub/solaris/MAGIC).  The
pertinent aspects of the file command could be re-implemented in Java.

The purpose would be to prevent someone from slipping an executable by as a
non-executable, since most operating systems load by magic, not extension or
MIME type.

	--- Noel


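An added worked example of the rule Noel describes above, written for this archive page; it is not code from the thread, from James, or from the file command. The declared MIME type, the file extension when the attachment has one, and the leading bytes must all agree, and an executable signature under an image type is rejected regardless of what the A/V scanner reports. The signatures below are the standard ones (PNG actually begins with 0x89 'PNG', JPEG with FF D8 FF; the table in the message is shorthand), the type and extension tables are a deliberately small assumption rather than a magic database, and the sample message is constructed inline. A "consistent" verdict is only a precondition for the A/V pass, as the "filetype magic" messages say: a mismatch is a rejection, a match is not a free ride.

```python
import email
from email import policy
from email.message import EmailMessage

# Standard leading bytes of the image formats the thread mentions (assumed
# minimal table; a real deployment would load /usr/share/misc/magic).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}

# Extensions accepted for each declared MIME type (assumed minimal table).
EXTENSIONS = {
    "image/png": {"png"},
    "image/gif": {"gif"},
    "image/jpeg": {"jpeg", "jpg", "jpe"},
}

# Executable signatures that must never ride in under a non-executable type.
EXECUTABLE_MAGIC = {
    "ELF": b"\x7fELF",
    "MZ (DOS/Windows executable)": b"MZ",
}


def extension_of(filename):
    """Return the lower-cased extension, or None if the name has none."""
    if not filename or "." not in filename:
        return None
    return filename.rsplit(".", 1)[1].lower()


def check_attachment(content_type, filename, data):
    """Three-way consistency check for one attachment.

    Returns (verdict, reason); verdict is 'reject', 'consistent', or
    'unknown' (a type this table cannot judge, so only the A/V scan can).
    """
    content_type = content_type.lower()
    for name, sig in EXECUTABLE_MAGIC.items():
        if data.startswith(sig):
            return "reject", f"{name} magic under declared type {content_type}"
    if content_type not in MAGIC:
        return "unknown", f"no magic rule for {content_type}"
    ext = extension_of(filename)
    # A missing extension need not match (Mac/Unix senders); a present one must.
    if ext is not None and ext not in EXTENSIONS[content_type]:
        return "reject", f"extension .{ext} does not belong to {content_type}"
    if not any(data.startswith(sig) for sig in MAGIC[content_type]):
        return "reject", f"magic {data[:4].hex()} does not match {content_type}"
    return "consistent", "MIME type, extension and magic agree"


def scan_message(raw):
    """Parse a raw message and check every attachment, in message order."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        verdict, reason = check_attachment(
            part.get_content_type(), part.get_filename(), data)
        results.append((part.get_filename(), verdict, reason))
    return results


def build_sample_message():
    """Constructed sample: two honest JPEGs and three mismatched parts."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "attachments (constructed sample)"
    msg.set_content("Five attachments follow.")
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(jpeg, maintype="image", subtype="jpeg", filename="holiday")
    # An executable image claiming to be a GIF.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="image", subtype="gif", filename="photo.gif")
    # GIF bytes under a PNG MIME type and extension.
    msg.add_attachment(b"GIF89a" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="chart.png")
    # Genuine PNG bytes, but the extension contradicts the declared type.
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{name!s:12} {verdict:10} {reason}")
```

Run stand-alone it prints one verdict per attachment; the rejected parts are what an IsMalformed-style matcher would hand back for config.xml to act on, while "consistent" and "unknown" parts still go to the external scanner.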


RE: Virus scanning (was RE: Matchers & X Window)

Posted by Danny Angus <da...@apache.org>.
Noel,

Yeah, that's exactly the kind of thing, now I think of it.

d.

> I would check MIME type, file extension, and most importantly the magic, to
> make sure that they all match.  Any failure to match would be suspect,
> regardless of what the A/V program says.  I think you misunderstood my
> earlier point.

In truth I must have done, I *still* wouldn't like to trust that those things weren't being hijacked though, even the magic.

Or I should say that I might take that decision/risk for myself but wouldn't want to release software that contained the assumption, particularly not anti-virus software.

d.