IMAP/SMTP file truncated with --block-size
2xyo opened this issue · 1 comments
2xyo commented
Embedded file is truncated when --block-size is used for IMAP and SMTP:
$ wget http://www.eicar.org/download/eicar.com.txt
$ file eicar.com.txt
eicar.com.txt: EICAR virus test files
$ ls -l eicar.com.txt
-rw-r--r-- 1 yo yo 68 Feb 21 13:06 eicar.com.txt
$ ./file2pcap --srcip 1.1.1.1 --dstip 2.2.2.2 -mi --block-size 1 eicar.com.txt
Writing to eicar.com.txt-imap.pcap
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 1.1.1.1:3605
Node 1: 2.2.2.2:143
150
* OK [CAPABILITY IMAP4REV1 I18NLEVEL=1 LITERAL+ SASL-IR LOGIN-REFERRALS] [10.10.5.140]
IMAP4rev1 2007e.404 at Tue, 9 Nov 2010 15:13:41 +0000 (WET)
23
A01 LOGIN user secret
<...redacted...>
--refeics-138facf0-915a-4457-8ff5-a6982ea42135
Content-Type: text/plain; charset=UTF-8
137
Descartes finishes up his meal at a restaurant. The waitress asks, "Would you like dessert?" He says, "I think not" and disappears.
130
--refeics-138facf0-915a-4457-8ff5-a6982ea42135
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=
13
eicar.com.txt
39
Content-Transfer-Encoding: base64
3
W
3
R
57
--refeics-138facf0-915a-4457-8ff5-a6982ea42135--
<...redacted...>
A09 OK Logout completed.
===================================================================
$ ./file2pcap --srcip 1.1.1.1 --dstip 2.2.2.2 -mi --block-size 67 eicar.com.txt
Writing to eicar.com.txt-imap.pcap
$ tshark -r eicar.com.txt-imap.pcap -q -z follow,tcp,ascii,0
<...redacted...>
Content-Transfer-Encoding: base64
69
WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJ
22
RVNULUZJTEUhJEgrSCo=
57
--refeics-138facf0-915a-4457-8ff5-a6982ea42135--
<...redacted...>
A09 OK Logout completed.
===================================================================
$ echo "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJRVNULUZJTEUhJEgrSCo=" |base64 -d
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRQT�
Q�SHI
�
base64: invalid input
Without --block-size:
$ ./file2pcap --srcip 1.1.1.1 --dstip 2.2.2.2 -mi eicar.com.txt
Writing to eicar.com.txt-imap.pcap
$ tshark -r eicar.com.txt-imap.pcap -q -z follow,tcp,ascii,0
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 1.1.1.1:27827
Node 1: 2.2.2.2:143
150
* OK [CAPABILITY IMAP4REV1 I18NLEVEL=1 LITERAL+ SASL-IR LOGIN-REFERRALS] [10.10.5.140]
IMAP4rev1 2007e.404 at Tue, 9 Nov 2010 15:13:41 +0000 (WET)
23
A01 LOGIN user secret
<...redacted...>
--refeics-138facf0-915a-4457-8ff5-a6982ea42135
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=
13
eicar.com.txt
39
Content-Transfer-Encoding: base64
96
WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1U
RVNULUZJTEUhJEgrSCo=
57
--refeics-138facf0-915a-4457-8ff5-a6982ea42135--
)
<...redacted...>
A09 OK Logout completed.
===================================================================
$ echo "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=" |base64 -d |md5sum
44d88612fea8a8f36de82e1278abb02f -
$ md5sum eicar.com.txt
44d88612fea8a8f36de82e1278abb02f eicar.com.txt
Talos-Martin commented
"Fixed" in 1.30. Disallowed --block-size for email protocols.
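Added example, not part of the issue thread or of file2pcap: a Python check that joins the base64 attachment lines seen in a followed stream, decodes them strictly, and compares the result to the source file's MD5, so a truncated test pcap is caught before it is used to validate detection. `check_attachment` and the constant names are hypothetical; the base64 lines and the MD5 are the ones shown in the issue, and the fourth case is constructed.

```python
import base64
import binascii
import hashlib

# md5sum of eicar.com.txt as reported in the issue.
EXPECTED_MD5 = "44d88612fea8a8f36de82e1278abb02f"

# Base64 body lines copied from the tshark outputs in the issue.
NO_BLOCK_SIZE = [
    "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1U",
    "RVNULUZJTEUhJEgrSCo=",
]
BLOCK_SIZE_67 = [
    "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJ",
    "RVNULUZJTEUhJEgrSCo=",
]
BLOCK_SIZE_1 = ["W", "R"]
# Constructed case (not from the issue): first line cut by exactly 4 characters,
# so the length check passes and only the hash comparison reveals the loss.
CUT_BY_4 = [NO_BLOCK_SIZE[0][:-4], NO_BLOCK_SIZE[1]]


def check_attachment(b64_lines, expected_md5):
    """Return (status, detail) for the base64 lines of one MIME attachment."""
    joined = "".join(line.strip() for line in b64_lines)
    # Padded base64 is always a multiple of 4 characters long; dropped
    # characters usually break this before decoding is even attempted.
    if len(joined) % 4 != 0:
        return ("truncated", "base64 length %d is not a multiple of 4" % len(joined))
    try:
        data = base64.b64decode(joined, validate=True)
    except binascii.Error as exc:
        return ("invalid", str(exc))
    # MD5 is used only because the issue compares md5sum output.
    digest = hashlib.md5(data).hexdigest()
    if digest != expected_md5:
        return ("mismatch", digest)
    return ("ok", digest)


if __name__ == "__main__":
    cases = [("no --block-size", NO_BLOCK_SIZE), ("--block-size 67", BLOCK_SIZE_67),
             ("--block-size 1", BLOCK_SIZE_1), ("constructed cut by 4", CUT_BY_4)]
    for name, lines in cases:
        print(name, check_attachment(lines, EXPECTED_MD5))
```
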