e3aaff8e |
/* |
e6b09cf9 |
* Copyright (C) 2002 - 2005 Tomasz Kojm <tkojm@clamav.net> |
e3aaff8e |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
|
6d6e8271 |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
e3aaff8e |
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h> |
a7f5fd00 |
#include <unistd.h> |
15edd45f |
#include <sys/param.h> |
e3aaff8e |
#include <fcntl.h>
#include <dirent.h> |
d66387b9 |
#include <netinet/in.h>
|
e3aaff8e |
|
888f5794 |
#if HAVE_MMAP
#if HAVE_SYS_MMAN_H
#include <sys/mman.h>
#else /* HAVE_SYS_MMAN_H */
#undef HAVE_MMAP
#endif
#endif
|
414abe87 |
#include <mspack.h>
extern short cli_leavetemps_flag;
|
bbd2d959 |
extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME */ |
8000d078 |
|
e3aaff8e |
#include "clamav.h"
#include "others.h" |
85dd8460 |
#include "scanners.h" |
8000d078 |
#include "matcher-ac.h"
#include "matcher-bm.h" |
e3aaff8e |
#include "matcher.h" |
478ce4b2 |
#include "unrar.h" |
47bbbc56 |
#include "ole2_extract.h"
#include "vba_extract.h" |
341e5433 |
#include "msexpand.h" |
a5373b64 |
#include "chmunpack.h" |
a9082ea2 |
#include "pe.h" |
888f5794 |
#include "filetypes.h"
#include "htmlnorm.h" |
2b259453 |
#include "untar.h" |
c3a3be2d |
#include "special.h" |
6a31c2b4 |
#include "binhex.h" |
e3aaff8e |
#ifdef HAVE_ZLIB_H
#include <zlib.h>
#include <zzip.h>
#endif
#ifdef HAVE_BZLIB_H
#include <bzlib.h>
#endif
|
2bb229f6 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2)
#include <limits.h> |
88794204 |
#include <stddef.h> |
2bb229f6 |
#endif
|
15edd45f |
/* Maximum filenames under various systems - njh */
#ifndef NAME_MAX /* e.g. Linux */
# ifdef MAXNAMELEN /* e.g. Solaris */
# define NAME_MAX MAXNAMELEN
# else
# ifdef FILENAME_MAX /* e.g. SCO */
# define NAME_MAX FILENAME_MAX |
3d42cc7a |
# else
# define NAME_MAX 256 |
15edd45f |
# endif
# endif
#endif |
2bb229f6 |
|
3805ebcb |
#define SCAN_ARCHIVE (options & CL_SCAN_ARCHIVE)
#define SCAN_MAIL (options & CL_SCAN_MAIL)
#define SCAN_OLE2 (options & CL_SCAN_OLE2)
#define SCAN_HTML (options & CL_SCAN_HTML)
#define SCAN_PE (options & CL_SCAN_PE)
#define DISABLE_RAR (options & CL_SCAN_DISABLERAR) |
08d6b1e3 |
#define DETECT_ENCRYPTED (options & CL_SCAN_BLOCKENCRYPTED) |
3805ebcb |
#define BLOCKMAX (options & CL_SCAN_BLOCKMAX) |
6d6e8271 |
|
03a2d04a |
#define MAX_MAIL_RECURSION 15 |
e3aaff8e |
|
33f89aa5 |
static int cli_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec); |
e3aaff8e |
|
478ce4b2 |
static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec); |
4048c4f6 |
|
27c0b825 |
/* |
e3aaff8e |
#ifdef CL_THREAD_SAFE |
68a6f51f |
static void cli_unlock_mutex(void *mtx) |
e3aaff8e |
{
cli_dbgmsg("Pthread cancelled. Unlocking mutex.\n");
pthread_mutex_unlock(mtx);
}
#endif |
27c0b825 |
*/ |
e3aaff8e |
|
33f89aa5 |
static int cli_scanrar(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e3aaff8e |
{ |
33f89aa5 |
int fd, ret = CL_CLEAN; |
478ce4b2 |
unsigned int files = 0;
rar_metadata_t *metadata, *metadata_tmp; |
a62ae54f |
struct cli_meta_node *mdata; |
478ce4b2 |
char *dir; |
e3aaff8e |
|
2b259453 |
cli_dbgmsg("in scanrar()\n"); |
e3aaff8e |
|
478ce4b2 |
/* generate the temporary directory */
dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("RAR: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR; |
e3aaff8e |
}
|
478ce4b2 |
metadata = metadata_tmp = cli_unrar(desc, dir, limits); |
b5f8af0d |
|
478ce4b2 |
if(cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) {
ret = CL_VIRUS;
} else while(metadata) { |
a62ae54f |
files++;
|
478ce4b2 |
cli_dbgmsg("RAR: %s, crc32: 0x%x, encrypted: %d, compressed: %u, normal: %u, method: %d, ratio: %d (max: %d)\n",
metadata->filename, metadata->crc, metadata->encrypted, metadata->pack_size,
metadata->unpack_size, metadata->method,
metadata->pack_size ? ((unsigned int) metadata->unpack_size / (unsigned int) metadata->pack_size) : 0, limits ? limits->maxratio : 0); |
a62ae54f |
/* Scan metadata */
mdata = root->rar_mlist;
if(mdata) do { |
478ce4b2 |
if(mdata->encrypted != metadata->encrypted) |
a62ae54f |
continue;
|
478ce4b2 |
if(mdata->crc32 && (unsigned int) mdata->crc32 != metadata->crc) |
a62ae54f |
continue;
|
478ce4b2 |
if(mdata->csize > 0 && (unsigned int) mdata->csize != metadata->pack_size) |
a62ae54f |
continue;
|
478ce4b2 |
if(mdata->size >= 0 && (unsigned int) mdata->size != metadata->unpack_size) |
a62ae54f |
continue;
|
478ce4b2 |
if(mdata->method && mdata->method != metadata->method) |
a62ae54f |
continue;
if(mdata->fileno && mdata->fileno != files)
continue;
|
33f89aa5 |
if(mdata->maxdepth && arec > mdata->maxdepth) |
a62ae54f |
continue;
/* TODO add support for regex */
/*if(mdata->filename && !strstr(zdirent.d_name, mdata->filename))*/ |
478ce4b2 |
if(mdata->filename && strcmp(metadata->filename, mdata->filename)) |
a62ae54f |
continue;
break; /* matched */
} while((mdata = mdata->next));
if(mdata) {
*virname = mdata->virname;
ret = CL_VIRUS;
break;
}
|
478ce4b2 |
if(DETECT_ENCRYPTED && metadata->encrypted) { |
2b259453 |
cli_dbgmsg("RAR: Encrypted files found in archive.\n"); |
32c970f8 |
lseek(desc, 0, SEEK_SET); |
3862f7e1 |
ret = cli_scandesc(desc, virname, scanned, root, 0, 0);
if(ret < 0) {
break;
} else if(ret != CL_VIRUS) { |
32c970f8 |
*virname = "Encrypted.RAR"; |
3862f7e1 |
ret = CL_VIRUS;
} |
dfe7ca62 |
break;
} |
e3aaff8e |
|
478ce4b2 |
/*
TROG - TODO: multi-volume files |
c464b15f |
if((rarlist->item.Flags & 0x03) != 0) { |
478ce4b2 |
cli_dbgmsg("RAR: Skipping %s (split)\n", rarlist->item.Name); |
c464b15f |
rarlist = rarlist->next;
continue;
} |
478ce4b2 |
*/ |
e3aaff8e |
if(limits) { |
478ce4b2 |
if(limits->maxratio && metadata->unpack_size && metadata->pack_size) {
if((unsigned int) metadata->unpack_size / (unsigned int) metadata->pack_size >= limits->maxratio) {
cli_dbgmsg("RAR: Max ratio reached (normal: %u, compressed: %u, max: %ld)\n", metadata->unpack_size,
metadata->pack_size, limits->maxratio); |
d272908a |
*virname = "Oversized.RAR";
ret = CL_VIRUS;
break;
}
}
|
478ce4b2 |
if(limits->maxfilesize && (metadata->unpack_size > (unsigned int) limits->maxfilesize)) {
cli_dbgmsg("RAR: %s: Size exceeded (%u, max: %lu)\n", metadata->filename,
metadata->unpack_size, limits->maxfilesize); |
d272908a |
if(BLOCKMAX) {
*virname = "RAR.ExceededFileSize";
ret = CL_VIRUS;
break;
} |
478ce4b2 |
metadata = metadata->next; |
e3aaff8e |
continue;
}
if(limits->maxfiles && (files > limits->maxfiles)) {
cli_dbgmsg("RAR: Files limit reached (max: %d)\n", limits->maxfiles); |
d272908a |
if(BLOCKMAX) {
*virname = "RAR.ExceededFilesLimit";
ret = CL_VIRUS;
break;
} |
e3aaff8e |
break;
}
}
|
478ce4b2 |
metadata = metadata->next;
} |
e3aaff8e |
|
478ce4b2 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
e3aaff8e |
|
478ce4b2 |
free(dir);
metadata = metadata_tmp;
while (metadata) {
metadata_tmp = metadata->next;
free(metadata->filename);
free(metadata);
metadata = metadata_tmp; |
e3aaff8e |
} |
2b259453 |
cli_dbgmsg("RAR: Exit code: %d\n", ret); |
7761c6eb |
|
e3aaff8e |
return ret;
}
#ifdef HAVE_ZLIB_H |
33f89aa5 |
static int cli_scanzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e3aaff8e |
{
ZZIP_DIR *zdir;
ZZIP_DIRENT zdirent;
ZZIP_FILE *zfp; |
fc56deed |
FILE *tmp = NULL; |
f7148839 |
char *buff; |
33f89aa5 |
int fd, bytes, ret = CL_CLEAN;
unsigned int files = 0, encrypted; |
fc56deed |
struct stat source; |
a62ae54f |
struct cli_meta_node *mdata; |
ee039e40 |
zzip_error_t err; |
e3aaff8e |
|
2b259453 |
cli_dbgmsg("in scanzip()\n"); |
e3aaff8e |
|
049a18b9 |
if((zdir = zzip_dir_fdopen(dup(desc), &err)) == NULL) { |
2b259453 |
cli_dbgmsg("Zip: Not supported file format ?.\n");
cli_dbgmsg("Zip: zzip_dir_fdopen() return code: %d\n", err); |
77be7ea9 |
/* no return with CL_EZIP due to password protected zips */
return CL_CLEAN; |
e3aaff8e |
}
|
fc56deed |
fstat(desc, &source);
|
33f40ee5 |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
2b259453 |
cli_dbgmsg("Zip: unable to malloc(%d)\n", FILEBUFF); |
33f40ee5 |
zzip_dir_close(zdir);
return CL_EMEM;
}
|
e3aaff8e |
while(zzip_dir_read(zdir, &zdirent)) { |
19e2ac07 |
files++; |
fc56deed |
if(!zdirent.d_name || !strlen(zdirent.d_name)) { /* Mimail fix */ |
2b259453 |
cli_dbgmsg("Zip: strlen(zdirent.d_name) == %d\n", strlen(zdirent.d_name)); |
161bcf76 |
*virname = "Suspect.Zip"; |
fc56deed |
ret = CL_VIRUS;
break;
}
|
5e0d3ebc |
/* Bit 0: file is encrypted
* Bit 6: Strong encryption was used
* Bit 13: Encrypted central directory
*/
encrypted = (zdirent.d_flags & 0x2041 != 0); |
e5916a51 |
|
33f89aa5 |
cli_dbgmsg("Zip: %s, crc32: 0x%x, encrypted: %d, compressed: %u, normal: %u, method: %d, ratio: %d (max: %d)\n", zdirent.d_name, zdirent.d_crc32, encrypted, zdirent.d_csize, zdirent.st_size, zdirent.d_compr, zdirent.d_csize ? (zdirent.st_size / zdirent.d_csize) : 0, limits ? limits->maxratio : 0); |
fc56deed |
|
0c9d7f15 |
if(!zdirent.st_size) { |
d3779101 |
if(zdirent.d_crc32) {
cli_dbgmsg("Zip: Broken file or modified information in local header part of archive\n"); |
161bcf76 |
*virname = "Exploit.Zip.ModifiedHeaders"; |
d3779101 |
ret = CL_VIRUS;
break;
} |
e3aaff8e |
continue;
}
|
e5916a51 |
/* Scan metadata */
mdata = root->zip_mlist; |
1de1c2b8 |
if(mdata) do { |
e5916a51 |
if(mdata->encrypted != encrypted)
continue;
|
33f89aa5 |
if(mdata->crc32 && mdata->crc32 != (unsigned int) zdirent.d_crc32) |
e5916a51 |
continue;
if(mdata->csize > 0 && mdata->csize != zdirent.d_csize)
continue;
if(mdata->size >= 0 && mdata->size != zdirent.st_size)
continue;
|
33f89aa5 |
if(mdata->method && mdata->method != (unsigned int) zdirent.d_compr) |
e5916a51 |
continue;
|
19e2ac07 |
if(mdata->fileno && mdata->fileno != files)
continue;
|
33f89aa5 |
if(mdata->maxdepth && arec > mdata->maxdepth) |
19e2ac07 |
continue;
/* TODO add support for regex */ |
e5916a51 |
/*if(mdata->filename && !strstr(zdirent.d_name, mdata->filename))*/
if(mdata->filename && strcmp(zdirent.d_name, mdata->filename))
continue;
break; /* matched */
} while((mdata = mdata->next));
if(mdata) {
*virname = mdata->virname;
ret = CL_VIRUS;
break;
}
|
ba5d2f0b |
/*
* Workaround for archives created with ICEOWS.
* ZZIP_DIRENT does not contain information on file type
* so we try to determine a directory via a filename
*/
if(zdirent.d_name[strlen(zdirent.d_name) - 1] == '/') {
cli_dbgmsg("Zip: Directory entry with st_size != 0\n");
continue;
}
|
e3aaff8e |
/* work-around for problematic zips (zziplib crashes with them) */ |
19ca43de |
if(zdirent.d_csize <= 0 || zdirent.st_size < 0) { |
2b259453 |
cli_dbgmsg("Zip: Malformed archive detected.\n"); |
161bcf76 |
*virname = "Suspect.Zip"; |
fc56deed |
ret = CL_VIRUS; |
e3aaff8e |
break;
}
|
19ca43de |
if(limits && limits->maxratio > 0 && ((unsigned) zdirent.st_size / (unsigned) zdirent.d_csize) >= limits->maxratio) {
*virname = "Oversized.Zip";
ret = CL_VIRUS;
break;
}
|
e5916a51 |
if(DETECT_ENCRYPTED && encrypted) { |
2b259453 |
cli_dbgmsg("Zip: Encrypted files found in archive.\n"); |
32c970f8 |
lseek(desc, 0, SEEK_SET); |
3862f7e1 |
ret = cli_scandesc(desc, virname, scanned, root, 0, 0);
if(ret < 0) {
break;
} else if(ret != CL_VIRUS) { |
32c970f8 |
*virname = "Encrypted.Zip"; |
3862f7e1 |
ret = CL_VIRUS;
} |
0f34221a |
break;
}
|
e3aaff8e |
if(limits) { |
33f89aa5 |
if(limits->maxfilesize && ((unsigned int) zdirent.st_size > limits->maxfilesize)) { |
2b259453 |
cli_dbgmsg("Zip: %s: Size exceeded (%d, max: %ld)\n", zdirent.d_name, zdirent.st_size, limits->maxfilesize); |
6ccc6990 |
/* ret = CL_EMAXSIZE; */ |
d272908a |
if(BLOCKMAX) {
*virname = "Zip.ExceededFileSize";
ret = CL_VIRUS;
break;
}
continue; /* continue scanning */ |
e3aaff8e |
}
if(limits->maxfiles && (files > limits->maxfiles)) {
cli_dbgmsg("Zip: Files limit reached (max: %d)\n", limits->maxfiles); |
d272908a |
if(BLOCKMAX) {
*virname = "Zip.ExceededFilesLimit";
ret = CL_VIRUS;
break;
} |
e3aaff8e |
break;
}
}
|
c4098620 |
if((zfp = zzip_file_open(zdir, zdirent.d_name, 0)) == NULL) {
cli_dbgmsg("Zip: Can't open file %s\n", zdirent.d_name);
ret = CL_EZIP;
break;
}
|
e3aaff8e |
/* generate temporary file and get its descriptor */
if((tmp = tmpfile()) == NULL) { |
2b259453 |
cli_dbgmsg("Zip: Can't generate tmpfile().\n"); |
bde7f6d1 |
zzip_file_close(zfp); |
fc56deed |
ret = CL_ETMPFILE;
break; |
e3aaff8e |
}
|
f7148839 |
while((bytes = zzip_file_read(zfp, buff, FILEBUFF)) > 0) { |
467f8b1e |
if(fwrite(buff, 1, bytes, tmp) != (size_t) bytes) { |
2b259453 |
cli_dbgmsg("Zip: Can't write to file.\n"); |
e3aaff8e |
zzip_file_close(zfp); |
33f40ee5 |
zzip_dir_close(zdir);
fclose(tmp); |
f7148839 |
free(buff); |
c4098620 |
return CL_EIO; |
e3aaff8e |
}
}
zzip_file_close(zfp);
|
cdb0ae9c |
if(fflush(tmp) != 0) { |
2b259453 |
cli_dbgmsg("Zip: fflush() failed: %s\n", strerror(errno)); |
fc56deed |
ret = CL_EFSYNC;
break; |
e3aaff8e |
}
|
cdb0ae9c |
fd = fileno(tmp);
|
e3aaff8e |
lseek(fd, 0, SEEK_SET); |
22275b15 |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) { |
2b259453 |
cli_dbgmsg("Zip: Infected with %s\n", *virname); |
e3aaff8e |
ret = CL_VIRUS;
break;
} else if(ret == CL_EMALFZIP) { |
2b259453 |
cli_dbgmsg("Zip: Malformed Zip file, scanning stopped.\n"); |
161bcf76 |
*virname = "Suspect.Zip"; |
e3aaff8e |
ret = CL_VIRUS;
break;
}
|
cdb0ae9c |
if (tmp) {
fclose(tmp);
tmp = NULL;
} |
e3aaff8e |
}
zzip_dir_close(zdir); |
cdb0ae9c |
if (tmp) {
fclose(tmp);
tmp = NULL;
} |
33f40ee5 |
free(buff); |
e3aaff8e |
return ret;
}
|
33f89aa5 |
static int cli_scangzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e3aaff8e |
{
int fd, bytes, ret = CL_CLEAN; |
33f89aa5 |
unsigned long int size = 0; |
f7148839 |
char *buff; |
fc56deed |
FILE *tmp = NULL; |
e3aaff8e |
gzFile gd;
|
fc56deed |
cli_dbgmsg("in cli_scangzip()\n");
|
e3aaff8e |
if((gd = gzdopen(dup(desc), "rb")) == NULL) { |
2b259453 |
cli_dbgmsg("GZip: Can't open descriptor %d\n", desc); |
e3aaff8e |
return CL_EGZIP;
}
if((tmp = tmpfile()) == NULL) { |
2b259453 |
cli_dbgmsg("GZip: Can't generate temporary file.\n"); |
e3aaff8e |
gzclose(gd);
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
fc56deed |
if(!(buff = (char *) cli_malloc(FILEBUFF))) { |
2b259453 |
cli_dbgmsg("GZip: Unable to malloc %d bytes.\n", FILEBUFF); |
fc56deed |
gzclose(gd); |
f7148839 |
return CL_EMEM; |
fc56deed |
} |
f7148839 |
|
fc56deed |
while((bytes = gzread(gd, buff, FILEBUFF)) > 0) { |
e3aaff8e |
size += bytes;
if(limits) |
fc56deed |
if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) { |
2b259453 |
cli_dbgmsg("GZip: Size exceeded (stopped at %ld, max: %ld)\n", size, limits->maxfilesize); |
985d9958 |
if(BLOCKMAX) {
*virname = "GZip.ExceededFileSize";
ret = CL_VIRUS;
} |
e3aaff8e |
break;
}
|
4152ad50 |
if(cli_writen(fd, buff, bytes) != bytes) { |
2b259453 |
cli_dbgmsg("GZip: Can't write to file.\n"); |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
gzclose(gd); |
f7148839 |
free(buff); |
e3aaff8e |
return CL_EGZIP;
}
}
|
f7148839 |
free(buff); |
e3aaff8e |
gzclose(gd); |
985d9958 |
if(ret == CL_VIRUS) {
fclose(tmp);
return ret;
}
|
e3aaff8e |
if(fsync(fd) == -1) { |
2b259453 |
cli_dbgmsg("GZip: Can't synchronise descriptor %d\n", fd); |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
22275b15 |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) { |
2b259453 |
cli_dbgmsg("GZip: Infected with %s\n", *virname); |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
return CL_VIRUS;
} |
cdb0ae9c |
fclose(tmp); |
e3aaff8e |
return ret;
}
#endif
#ifdef HAVE_BZLIB_H
#ifdef NOBZ2PREFIX
#define BZ2_bzReadOpen bzReadOpen
#define BZ2_bzReadClose bzReadClose
#define BZ2_bzRead bzRead
#endif
|
33f89aa5 |
static int cli_scanbzip(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e3aaff8e |
{
int fd, bytes, ret = CL_CLEAN, bzerror = 0;
short memlim = 0; |
33f89aa5 |
unsigned long int size = 0; |
f7148839 |
char *buff; |
fc56deed |
FILE *fs, *tmp = NULL; |
e3aaff8e |
BZFILE *bfd;
|
9e431a95 |
if((fs = fdopen(dup(desc), "rb")) == NULL) { |
2b259453 |
cli_dbgmsg("Bzip: Can't open descriptor %d.\n", desc); |
e3aaff8e |
return CL_EBZIP;
}
if(limits)
if(limits->archivememlim)
memlim = 1;
|
68b96877 |
if((bfd = BZ2_bzReadOpen(&bzerror, fs, 0, memlim, NULL, 0)) == NULL) { |
2b259453 |
cli_dbgmsg("Bzip: Can't initialize bzip2 library (descriptor: %d).\n", desc); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_EBZIP;
}
if((tmp = tmpfile()) == NULL) { |
2b259453 |
cli_dbgmsg("Bzip: Can't generate temporary file.\n"); |
e3aaff8e |
BZ2_bzReadClose(&bzerror, bfd); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_ETMPFILE;
}
fd = fileno(tmp);
|
9e431a95 |
if(!(buff = (char *) malloc(FILEBUFF))) { |
2b259453 |
cli_dbgmsg("Bzip: Unable to malloc %d bytes.\n", FILEBUFF); |
9e431a95 |
fclose(tmp);
fclose(fs);
BZ2_bzReadClose(&bzerror, bfd); |
f7148839 |
return CL_EMEM; |
9e431a95 |
} |
f7148839 |
|
fc56deed |
while((bytes = BZ2_bzRead(&bzerror, bfd, buff, FILEBUFF)) > 0) { |
e3aaff8e |
size += bytes;
if(limits) |
fc56deed |
if(limits->maxfilesize && (size + FILEBUFF > limits->maxfilesize)) { |
2b259453 |
cli_dbgmsg("Bzip: Size exceeded (stopped at %ld, max: %ld)\n", size, limits->maxfilesize); |
985d9958 |
if(BLOCKMAX) {
*virname = "BZip.ExceededFileSize";
ret = CL_VIRUS;
} |
e3aaff8e |
break;
}
|
4152ad50 |
if(cli_writen(fd, buff, bytes) != bytes) { |
2b259453 |
cli_dbgmsg("Bzip: Can't write to file.\n"); |
e3aaff8e |
BZ2_bzReadClose(&bzerror, bfd); |
cdb0ae9c |
fclose(tmp); |
f7148839 |
free(buff); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_EGZIP;
}
}
|
f7148839 |
free(buff); |
e3aaff8e |
BZ2_bzReadClose(&bzerror, bfd); |
985d9958 |
if(ret == CL_VIRUS) {
fclose(tmp);
fclose(fs);
return ret;
}
|
e3aaff8e |
if(fsync(fd) == -1) { |
2b259453 |
cli_dbgmsg("Bzip: Synchronisation failed for descriptor %d\n", fd); |
cdb0ae9c |
fclose(tmp); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return CL_EFSYNC;
}
lseek(fd, 0, SEEK_SET); |
22275b15 |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS ) { |
2b259453 |
cli_dbgmsg("Bzip: Infected with %s\n", *virname); |
e3aaff8e |
} |
cdb0ae9c |
fclose(tmp); |
9e431a95 |
fclose(fs); |
e3aaff8e |
return ret;
}
#endif
|
33f89aa5 |
static int cli_scanszdd(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
341e5433 |
{
int fd, ret = CL_CLEAN;
FILE *tmp = NULL, *in;
|
2b259453 |
|
341e5433 |
cli_dbgmsg("in cli_scanmscomp()\n");
if((in = fdopen(dup(desc), "rb")) == NULL) { |
2b259453 |
cli_dbgmsg("SZDD: Can't open descriptor %d\n", desc); |
341e5433 |
return CL_EMSCOMP;
}
if((tmp = tmpfile()) == NULL) { |
2b259453 |
cli_dbgmsg("SZDD: Can't generate temporary file.\n"); |
341e5433 |
fclose(in);
return CL_ETMPFILE;
}
if(cli_msexpand(in, tmp) == -1) { |
2b259453 |
cli_dbgmsg("SZDD: msexpand failed.\n"); |
341e5433 |
return CL_EMSCOMP;
}
fclose(in);
if(fflush(tmp)) { |
2b259453 |
cli_dbgmsg("SZDD: fflush() failed.\n"); |
341e5433 |
fclose(tmp);
return CL_EFSYNC;
}
fd = fileno(tmp);
lseek(fd, 0, SEEK_SET); |
22275b15 |
if((ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec)) == CL_VIRUS) { |
2b259453 |
cli_dbgmsg("SZDD: Infected with %s\n", *virname); |
341e5433 |
fclose(tmp);
return CL_VIRUS;
}
fclose(tmp);
return ret;
}
|
33f89aa5 |
static int cli_scanmscab(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
414abe87 |
{
struct mscab_decompressor *cabd = NULL;
struct mscabd_cabinet *base, *cab;
struct mscabd_file *file;
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanmscab()\n");
if((cabd = mspack_create_cab_decompressor(NULL)) == NULL) { |
2b259453 |
cli_dbgmsg("MSCAB: Can't create libmspack CAB decompressor\n"); |
414abe87 |
return CL_EMSCAB;
}
|
0c9d7f15 |
if((base = cabd->dsearch(cabd, dup(desc))) == NULL) { |
2b259453 |
cli_dbgmsg("MSCAB: I/O error or no valid cabinets found\n"); |
414abe87 |
mspack_destroy_cab_decompressor(cabd);
return CL_EMSCAB;
}
for(cab = base; cab; cab = cab->next) {
for(file = cab->files; file; file = file->next) { |
52ab3176 |
if(limits && limits->maxfilesize && (file->length > (unsigned int) limits->maxfilesize)) {
cli_dbgmsg("MSCAB: %s: Size exceeded (%u, max: %lu)\n", file->filename, file->length, limits->maxfilesize);
if(BLOCKMAX) {
*virname = "MSCAB.ExceededFileSize";
cabd->close(cabd, base);
mspack_destroy_cab_decompressor(cabd);
return CL_VIRUS;
}
continue;
}
|
0c7019c5 |
tempname = cli_gentemp(NULL); |
2b259453 |
cli_dbgmsg("MSCAB: Extracting data to %s\n", tempname); |
414abe87 |
if(cabd->extract(cabd, file, tempname)) { |
2b259453 |
cli_dbgmsg("MSCAB: libmscab error code: %d\n", cabd->last_error(cabd)); |
414abe87 |
} else { |
22275b15 |
ret = cli_scanfile(tempname, virname, scanned, root, limits, options, arec, mrec); |
414abe87 |
}
if(!cli_leavetemps_flag)
unlink(tempname);
free(tempname);
if(ret == CL_VIRUS)
break;
}
if(ret == CL_VIRUS)
break;
}
cabd->close(cabd, base);
mspack_destroy_cab_decompressor(cabd);
return ret;
}
|
33f89aa5 |
static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
47bbbc56 |
{ |
467f8b1e |
DIR *dd;
struct dirent *dent; |
72a1b240 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2) |
88794204 |
union {
struct dirent d;
char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];
} result; |
2bb229f6 |
#endif |
467f8b1e |
struct stat statbuf;
char *fname; |
47bbbc56 |
|
467f8b1e |
if((dd = opendir(dirname)) != NULL) { |
72a1b240 |
#ifdef HAVE_READDIR_R_3 |
88794204 |
while(!readdir_r(dd, &result.d, &dent) && dent) { |
72a1b240 |
#elif defined(HAVE_READDIR_R_2) |
88794204 |
while((dent = (struct dirent *) readdir_r(dd, &result.d))) { |
72a1b240 |
#else |
467f8b1e |
while((dent = readdir(dd))) { |
72a1b240 |
#endif |
feeaa333 |
#ifndef C_INTERIX
if(dent->d_ino)
#endif
{ |
467f8b1e |
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char));
sprintf(fname, "%s/%s", dirname, dent->d_name); |
47bbbc56 |
|
467f8b1e |
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) { |
22275b15 |
if (cli_scandir(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
467f8b1e |
free(fname);
closedir(dd);
return CL_VIRUS;
}
} else
if(S_ISREG(statbuf.st_mode)) |
22275b15 |
if(cli_scanfile(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
467f8b1e |
free(fname);
closedir(dd);
return CL_VIRUS;
} |
47bbbc56 |
|
bbb90786 |
} |
467f8b1e |
free(fname); |
47bbbc56 |
}
}
} |
467f8b1e |
} else { |
2b259453 |
cli_dbgmsg("ScanDir: Can't open directory %s.\n", dirname); |
467f8b1e |
return CL_EOPEN;
} |
47bbbc56 |
|
467f8b1e |
closedir(dd);
return 0; |
47bbbc56 |
} |
467f8b1e |
|
33f89aa5 |
static int cli_vba_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e3aaff8e |
{ |
892d2f56 |
int ret = CL_CLEAN, i, fd, ofd, data_len; |
467f8b1e |
vba_project_t *vba_project; |
e3aaff8e |
DIR *dd;
struct dirent *dent; |
72a1b240 |
#if defined(HAVE_READDIR_R_3) || defined(HAVE_READDIR_R_2) |
88794204 |
union {
struct dirent d;
char b[offsetof(struct dirent, d_name) + NAME_MAX + 1];
} result; |
2bb229f6 |
#endif |
e3aaff8e |
struct stat statbuf; |
56bfccb2 |
char *fname, *fullname; |
467f8b1e |
unsigned char *data;
|
2b259453 |
cli_dbgmsg("VBADir: %s\n", dirname); |
467f8b1e |
if((vba_project = (vba_project_t *) vba56_dir_read(dirname))) { |
e3aaff8e |
|
467f8b1e |
for(i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
fd = open(fullname, O_RDONLY);
if(fd == -1) { |
2b259453 |
cli_dbgmsg("VBADir: Can't open file %s\n", fullname); |
467f8b1e |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname); |
2b259453 |
cli_dbgmsg("VBADir: Decompress VBA project '%s'\n", vba_project->name[i]); |
467f8b1e |
data = (unsigned char *) vba_decompress(fd, vba_project->offset[i], &data_len);
close(fd);
if(!data) { |
2b259453 |
cli_dbgmsg("VBADir: WARNING: VBA project '%s' decompressed to NULL\n", vba_project->name[i]); |
467f8b1e |
} else { |
cedc2d2a |
if(scanned)
*scanned += data_len / CL_COUNT_PRECISION;
|
7ec67e94 |
if(cli_scanbuff(data, data_len, virname, root, CL_TYPE_MSOLE2) == CL_VIRUS) { |
467f8b1e |
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->name);
free(vba_project->dir);
free(vba_project->offset);
free(vba_project); |
c240c32c |
} else if ((fullname = ppt_vba_read(dirname))) { |
22275b15 |
if(cli_scandir(fullname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
c240c32c |
ret = CL_VIRUS;
} |
8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(fullname); |
c240c32c |
free(fullname); |
2e53806b |
} else if ((vba_project = (vba_project_t *) wm_dir_read(dirname))) {
for (i = 0; i < vba_project->count; i++) {
fullname = (char *) cli_malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);
sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]);
fd = open(fullname, O_RDONLY);
if(fd == -1) { |
2b259453 |
cli_dbgmsg("VBADir: Can't open file %s\n", fullname); |
2e53806b |
free(fullname);
ret = CL_EOPEN;
break;
}
free(fullname); |
2b259453 |
cli_dbgmsg("VBADir: Decompress WM project '%s' macro:%d key:%d\n", vba_project->name[i], i, vba_project->key[i]); |
2e53806b |
data = (unsigned char *) wm_decrypt_macro(fd, vba_project->offset[i], vba_project->length[i], vba_project->key[i]);
close(fd);
if(!data) { |
2b259453 |
cli_dbgmsg("VBADir: WARNING: WM project '%s' macro %d decrypted to NULL\n", vba_project->name[i], i); |
2e53806b |
} else { |
cedc2d2a |
if(scanned)
*scanned += vba_project->length[i] / CL_COUNT_PRECISION; |
7ec67e94 |
if(cli_scanbuff(data, vba_project->length[i], virname, root, CL_TYPE_MSOLE2) == CL_VIRUS) { |
2e53806b |
free(data);
ret = CL_VIRUS;
break;
}
free(data);
}
}
for(i = 0; i < vba_project->count; i++)
free(vba_project->name[i]);
free(vba_project->key);
free(vba_project->length);
free(vba_project->offset);
free(vba_project->name);
free(vba_project->dir);
free(vba_project); |
467f8b1e |
} |
2e53806b |
|
467f8b1e |
if(ret != CL_CLEAN)
return ret; |
e3aaff8e |
|
892d2f56 |
/* Check directory for embedded OLE objects */
fullname = (char *) cli_malloc(strlen(dirname) + 16);
sprintf(fullname, "%s/_1_Ole10Native", dirname);
fd = open(fullname, O_RDONLY);
free(fullname);
if (fd >= 0) {
ofd = cli_decode_ole_object(fd, dirname);
if (ofd >= 0) {
ret = cli_scandesc(ofd, virname, scanned, root, 0, 0);
close(ofd);
}
close(fd);
if(ret != CL_CLEAN)
return ret;
}
|
e3aaff8e |
if((dd = opendir(dirname)) != NULL) { |
72a1b240 |
#ifdef HAVE_READDIR_R_3 |
88794204 |
while(!readdir_r(dd, &result.d, &dent) && dent) { |
72a1b240 |
#elif defined(HAVE_READDIR_R_2) |
88794204 |
while((dent = (struct dirent *) readdir_r(dd, &result.d))) { |
72a1b240 |
#else |
e3aaff8e |
while((dent = readdir(dd))) { |
72a1b240 |
#endif |
feeaa333 |
#ifndef C_INTERIX
if(dent->d_ino)
#endif
{ |
e3aaff8e |
if(strcmp(dent->d_name, ".") && strcmp(dent->d_name, "..")) {
/* build the full name */
fname = cli_calloc(strlen(dirname) + strlen(dent->d_name) + 2, sizeof(char));
sprintf(fname, "%s/%s", dirname, dent->d_name);
/* stat the file */
if(lstat(fname, &statbuf) != -1) {
if(S_ISDIR(statbuf.st_mode) && !S_ISLNK(statbuf.st_mode)) |
22275b15 |
if (cli_vba_scandir(fname, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
467f8b1e |
ret = CL_VIRUS;
free(fname);
break;
} |
e3aaff8e |
}
free(fname);
}
}
}
} else { |
2b259453 |
cli_dbgmsg("VBADir: Can't open directory %s.\n", dirname); |
e3aaff8e |
return CL_EOPEN;
}
closedir(dd); |
467f8b1e |
return ret;
}
|
33f89aa5 |
static int cli_scanhtml(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
a92110df |
{
char *tempname, fullname[1024];
int ret=CL_CLEAN, fd;
cli_dbgmsg("in cli_scanhtml()\n");
tempname = cli_gentemp(NULL);
if(mkdir(tempname, 0700)) {
cli_dbgmsg("ScanHTML -> Can't create temporary directory %s\n", tempname); |
f0bc32bd |
free(tempname); |
a92110df |
return CL_ETMPDIR;
}
html_normalise_fd(desc, tempname, NULL);
snprintf(fullname, 1024, "%s/comment.html", tempname);
fd = open(fullname, O_RDONLY);
if (fd >= 0) {
ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML);
close(fd);
}
if(ret < 0 || ret == CL_VIRUS) {
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
if (ret == CL_CLEAN) {
snprintf(fullname, 1024, "%s/nocomment.html", tempname);
fd = open(fullname, O_RDONLY);
if (fd >= 0) {
ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML);
close(fd);
}
}
if(ret < 0 || ret == CL_VIRUS) {
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
if (ret == CL_CLEAN) {
snprintf(fullname, 1024, "%s/script.html", tempname);
fd = open(fullname, O_RDONLY);
if (fd >= 0) {
ret = cli_scandesc(fd, virname, scanned, root, 0, CL_TYPE_HTML);
close(fd);
}
}
if(ret < 0 || ret == CL_VIRUS) {
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
if (ret == CL_CLEAN) {
snprintf(fullname, 1024, "%s/rfc2397", tempname);
ret = cli_scandir(fullname, virname, scanned, root, limits, options, arec, mrec);
}
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
|
33f89aa5 |
static int cli_scanole2(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
467f8b1e |
{ |
56bfccb2 |
char *dir;
int ret = CL_CLEAN; |
467f8b1e |
|
2b259453 |
|
467f8b1e |
cli_dbgmsg("in cli_scanole2()\n");
/* generate the temporary directory */ |
0c7019c5 |
dir = cli_gentemp(NULL); |
467f8b1e |
if(mkdir(dir, 0700)) { |
2b259453 |
cli_dbgmsg("OLE2: Can't create temporary directory %s\n", dir); |
f0bc32bd |
free(dir); |
467f8b1e |
return CL_ETMPDIR;
}
|
e5a5b2f2 |
if((ret = cli_ole2_extract(desc, dir, limits))) { |
2b259453 |
cli_dbgmsg("OLE2: %s\n", cl_strerror(ret)); |
8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
467f8b1e |
free(dir);
return ret;
}
|
22275b15 |
if((ret = cli_vba_scandir(dir, virname, scanned, root, limits, options, arec, mrec)) != CL_VIRUS) {
if(cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) { |
56bfccb2 |
ret = CL_VIRUS; |
467f8b1e |
}
}
|
8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
467f8b1e |
free(dir);
return ret; |
e3aaff8e |
}
|
a7f5fd00 |
static int cli_scantar(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec, unsigned int posix) |
2b259453 |
{
char *dir;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scantar()\n");
/* generate temporary directory */ |
0c7019c5 |
dir = cli_gentemp(NULL); |
2b259453 |
if(mkdir(dir, 0700)) {
cli_errmsg("Tar: Can't create temporary directory %s\n", dir); |
f0bc32bd |
free(dir); |
2b259453 |
return CL_ETMPDIR;
}
|
a7f5fd00 |
if((ret = cli_untar(dir, desc, posix))) |
2b259453 |
cli_dbgmsg("Tar: %s\n", cl_strerror(ret));
else
ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec);
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
33f89aa5 |
static int cli_scanbinhex(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
667ab9c6 |
{
char *dir;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanbinhex()\n");
/* generate temporary directory */
dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_errmsg("Binhex: Can't create temporary directory %s\n", dir); |
f0bc32bd |
free(dir); |
667ab9c6 |
return CL_ETMPDIR;
}
if((ret = cli_binhex(dir, desc)))
cli_dbgmsg("Binhex: %s\n", cl_strerror(ret));
else
ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec);
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
33f89aa5 |
static int cli_scanmschm(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
a5373b64 |
{
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanmschm()\n");
|
0c7019c5 |
tempname = cli_gentemp(NULL); |
a5373b64 |
if(mkdir(tempname, 0700)) { |
2b259453 |
cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname); |
f0bc32bd |
free(tempname); |
a5373b64 |
return CL_ETMPDIR;
}
if(chm_unpack(desc, tempname))
ret = cli_scandir(tempname, virname, scanned, root, limits, options, arec, mrec);
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
}
|
33f89aa5 |
static int cli_scanscrenc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e57fa318 |
{
char *tempname;
int ret = CL_CLEAN;
cli_dbgmsg("in cli_scanscrenc()\n");
|
0c7019c5 |
tempname = cli_gentemp(NULL); |
e57fa318 |
if(mkdir(tempname, 0700)) {
cli_dbgmsg("CHM: Can't create temporary directory %s\n", tempname); |
f0bc32bd |
free(tempname); |
e57fa318 |
return CL_ETMPDIR;
}
if (html_screnc_decode(desc, tempname))
ret = cli_scandir(tempname, virname, scanned, root, limits, options, arec, mrec);
if(!cli_leavetemps_flag)
cli_rmdirs(tempname);
free(tempname);
return ret;
} |
015e31e1 |
|
33f89aa5 |
static int cli_scanriff(int desc, const char **virname) |
eb308794 |
{
int ret = CL_CLEAN;
if(cli_check_riff_exploit(desc) == 2) {
ret = CL_VIRUS;
*virname = "Exploit.W32.MS05-002";
}
return ret;
}
|
7afdc309 |
static int cli_scanjpeg(int desc, const char **virname)
{
int ret = CL_CLEAN;
if(cli_check_jpeg_exploit(desc) == 1) {
ret = CL_VIRUS;
*virname = "Exploit.W32.MS04-028";
}
return ret;
}
|
f0bc32bd |
static int cli_scantnef(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec)
{
int ret;
char *dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("Can't create temporary directory for tnef file %s\n", dir);
free(dir);
return CL_ETMPDIR;
}
ret = cli_tnef(dir, desc);
if(ret == CL_CLEAN)
ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec);
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret;
}
|
33f89aa5 |
static int cli_scanmail(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e3aaff8e |
{
char *dir;
int ret;
|
33f89aa5 |
cli_dbgmsg("Starting cli_scanmail(), mrec == %d, arec == %d\n", mrec, arec); |
e3aaff8e |
|
0c7019c5 |
/* generate the temporary directory */
dir = cli_gentemp(NULL);
if(mkdir(dir, 0700)) {
cli_dbgmsg("Mail: Can't create temporary directory %s\n", dir);
free(dir);
return CL_ETMPDIR;
} |
e3aaff8e |
|
0c7019c5 |
/*
* Extract the attachments into the temporary directory
*/
if((ret = cli_mbox(dir, desc, options))) { |
8d5e0ac0 |
if(!cli_leavetemps_flag)
cli_rmdirs(dir); |
e3aaff8e |
free(dir);
return ret; |
0c7019c5 |
}
ret = cli_scandir(dir, virname, scanned, root, limits, options, arec, mrec);
if(!cli_leavetemps_flag)
cli_rmdirs(dir);
free(dir);
return ret; |
e3aaff8e |
}
|
33f89aa5 |
int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
e3aaff8e |
{ |
888f5794 |
int ret = CL_CLEAN, nret; |
cdb0ae9c |
int bread = 0; |
9b8e00a0 |
cli_file_t type; |
a7f5fd00 |
struct stat sb;
if(fstat(desc, &sb) == -1) {
cli_errmsg("Can's fstat descriptor %d\n", desc);
return CL_EIO;
} |
e3aaff8e |
|
a7f5fd00 |
if(sb.st_size <= 5) {
cli_dbgmsg("Small data (%d bytes)\n", sb.st_size);
return CL_CLEAN;
} |
e3aaff8e |
if(!root) { |
414abe87 |
cli_errmsg("CRITICAL: root == NULL\n"); |
322bfd03 |
return CL_EMALFDB; |
e3aaff8e |
}
|
d6b5ae47 |
if(!options) { /* raw mode (stdin, etc.) */ |
b68d11d2 |
cli_dbgmsg("Raw mode: No support for special files\n");
if((ret = cli_scandesc(desc, virname, scanned, root, 0, 0) == CL_VIRUS)) |
2b259453 |
cli_dbgmsg("%s found in descriptor %d\n", *virname, desc); |
d6b5ae47 |
return ret;
}
|
467f8b1e |
if(SCAN_ARCHIVE && limits && limits->maxreclevel) |
33f89aa5 |
if(arec > limits->maxreclevel) {
cli_dbgmsg("Archive recursion limit exceeded (arec == %d).\n", arec); |
031555fe |
if(BLOCKMAX) {
*virname = "Archive.ExceededRecursionLimit";
return CL_VIRUS;
} |
467f8b1e |
return CL_CLEAN; |
22275b15 |
} |
e3aaff8e |
|
22275b15 |
if(SCAN_MAIL) |
33f89aa5 |
if(mrec > MAX_MAIL_RECURSION) {
cli_dbgmsg("Mail recursion level exceeded (mrec == %d).\n", mrec); |
22275b15 |
/* return CL_EMAXREC; */
return CL_CLEAN;
} |
e3aaff8e |
|
467f8b1e |
lseek(desc, 0, SEEK_SET); |
a7f5fd00 |
type = cli_filetype2(desc); |
2b259453 |
lseek(desc, 0, SEEK_SET); |
6d6e8271 |
|
33f89aa5 |
type == CL_TYPE_MAIL ? mrec++ : arec++; |
888f5794 |
|
467f8b1e |
switch(type) { |
3805ebcb |
case CL_TYPE_RAR: |
478ce4b2 |
if(!DISABLE_RAR && SCAN_ARCHIVE) |
22275b15 |
ret = cli_scanrar(desc, virname, scanned, root, limits, options, arec, mrec); |
467f8b1e |
break; |
6d6e8271 |
|
3805ebcb |
case CL_TYPE_ZIP: |
467f8b1e |
if(SCAN_ARCHIVE) |
22275b15 |
ret = cli_scanzip(desc, virname, scanned, root, limits, options, arec, mrec); |
467f8b1e |
break; |
6d6e8271 |
|
3805ebcb |
case CL_TYPE_GZ: |
467f8b1e |
if(SCAN_ARCHIVE) |
22275b15 |
ret = cli_scangzip(desc, virname, scanned, root, limits, options, arec, mrec); |
467f8b1e |
break; |
6d6e8271 |
|
3805ebcb |
case CL_TYPE_BZ: |
68a6f51f |
#ifdef HAVE_BZLIB_H |
467f8b1e |
if(SCAN_ARCHIVE) |
22275b15 |
ret = cli_scanbzip(desc, virname, scanned, root, limits, options, arec, mrec); |
e3aaff8e |
#endif |
467f8b1e |
break; |
6d6e8271 |
|
3805ebcb |
case CL_TYPE_MSSZDD: |
341e5433 |
if(SCAN_ARCHIVE) |
3805ebcb |
ret = cli_scanszdd(desc, virname, scanned, root, limits, options, arec, mrec); |
341e5433 |
break;
|
3805ebcb |
case CL_TYPE_MSCAB: |
414abe87 |
if(SCAN_ARCHIVE) |
22275b15 |
ret = cli_scanmscab(desc, virname, scanned, root, limits, options, arec, mrec); |
414abe87 |
break;
|
3805ebcb |
case CL_TYPE_MAIL: |
467f8b1e |
if(SCAN_MAIL) |
22275b15 |
ret = cli_scanmail(desc, virname, scanned, root, limits, options, arec, mrec); |
467f8b1e |
break; |
6d6e8271 |
|
846e4186 |
case CL_TYPE_TNEF:
if(SCAN_MAIL)
ret = cli_scantnef(desc, virname, scanned, root, limits, options, arec, mrec);
break;
|
3805ebcb |
case CL_TYPE_MSCHM: |
a5373b64 |
if(SCAN_ARCHIVE)
ret = cli_scanmschm(desc, virname, scanned, root, limits, options, arec, mrec);
break;
|
3805ebcb |
case CL_TYPE_MSOLE2: |
467f8b1e |
if(SCAN_OLE2) |
22275b15 |
ret = cli_scanole2(desc, virname, scanned, root, limits, options, arec, mrec); |
467f8b1e |
break; |
6d6e8271 |
|
a7f5fd00 |
case CL_TYPE_POSIX_TAR:
if(SCAN_ARCHIVE)
ret = cli_scantar(desc, virname, scanned, root, limits, options, arec, mrec, 1);
break;
case CL_TYPE_OLD_TAR: |
2b259453 |
if(SCAN_ARCHIVE) |
a7f5fd00 |
ret = cli_scantar(desc, virname, scanned, root, limits, options, arec, mrec, 0); |
667ab9c6 |
break;
case CL_TYPE_BINHEX:
if(SCAN_ARCHIVE)
ret = cli_scanbinhex(desc, virname, scanned, root, limits, options, arec, mrec); |
2b259453 |
break;
|
3805ebcb |
case CL_TYPE_SCRENC: |
e57fa318 |
ret = cli_scanscrenc(desc, virname, scanned, root, limits, options, arec, mrec); |
eb308794 |
break;
case CL_TYPE_RIFF: |
33f89aa5 |
ret = cli_scanriff(desc, virname); |
e57fa318 |
break;
|
7afdc309 |
case CL_TYPE_GRAPHICS:
ret = cli_scanjpeg(desc, virname);
break;
|
3805ebcb |
case CL_TYPE_DATA: |
467f8b1e |
/* it could be a false positive and a standard DOS .COM file */
{
struct stat s;
if(fstat(desc, &s) == 0 && S_ISREG(s.st_mode) && s.st_size < 65536) |
3805ebcb |
type = CL_TYPE_UNKNOWN_DATA; |
467f8b1e |
}
|
3805ebcb |
case CL_TYPE_UNKNOWN_DATA: |
c3a3be2d |
ret = cli_check_mydoom_log(desc, virname); |
467f8b1e |
break; |
216a697f |
default:
break; |
e3aaff8e |
}
|
33f89aa5 |
type == CL_TYPE_MAIL ? mrec-- : arec--; |
467f8b1e |
|
3805ebcb |
if(type != CL_TYPE_DATA && ret != CL_VIRUS) { /* scan the raw file */ |
77e4bb11 |
int typerec; |
888f5794 |
|
3805ebcb |
type == CL_TYPE_UNKNOWN_TEXT ? (typerec = 1) : (typerec = 0); |
0c9d7f15 |
if(lseek(desc, 0, SEEK_SET) < 0)
cli_errmsg("lseek() failed, trying to continue anyway...\n"); |
22275b15 |
|
b68d11d2 |
if((nret = cli_scandesc(desc, virname, scanned, root, typerec, type)) == CL_VIRUS) { |
2b259453 |
cli_dbgmsg("%s found in descriptor %d.\n", *virname, desc); |
e3aaff8e |
return CL_VIRUS; |
888f5794 |
|
3862f7e1 |
} else if(nret < 0) {
return nret;
|
888f5794 |
} else if(nret >= CL_TYPENO) {
lseek(desc, 0, SEEK_SET);
|
33f89aa5 |
nret == CL_TYPE_MAIL ? mrec++ : arec++; |
888f5794 |
switch(nret) { |
3805ebcb |
case CL_TYPE_HTML: |
888f5794 |
if(SCAN_HTML) |
22275b15 |
if(cli_scanhtml(desc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) |
888f5794 |
return CL_VIRUS;
break; |
ece009c0 |
|
3805ebcb |
case CL_TYPE_MAIL: |
ece009c0 |
if(SCAN_MAIL) |
22275b15 |
if(cli_scanmail(desc, virname, scanned, root, limits, options, arec, mrec) == CL_VIRUS) |
ece009c0 |
return CL_VIRUS;
break; |
888f5794 |
} |
33f89aa5 |
nret == CL_TYPE_MAIL ? mrec-- : arec--; |
e3aaff8e |
} |
46c2e927 |
} |
e3aaff8e |
|
33f89aa5 |
arec++; |
77e4bb11 |
lseek(desc, 0, SEEK_SET);
switch(type) {
/* Due to performance reasons all executables were first scanned
* in raw mode. Now we will try to unpack them
*/ |
3805ebcb |
case CL_TYPE_MSEXE: |
77e4bb11 |
if(SCAN_PE)
ret = cli_scanpe(desc, virname, scanned, root, limits, options, arec, mrec);
break; |
8000d078 |
default:
break; |
77e4bb11 |
} |
33f89aa5 |
arec--; |
77e4bb11 |
|
322bfd03 |
if(ret == CL_EFORMAT) { |
6ee0243f |
cli_dbgmsg("Descriptor[%d]: %s\n", desc, cl_strerror(CL_EFORMAT)); |
322bfd03 |
return CL_CLEAN;
} else {
return ret;
} |
e3aaff8e |
}
|
3805ebcb |
int cl_scandesc(int desc, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options) |
e3aaff8e |
{ |
33f89aa5 |
return cli_magic_scandesc(desc, virname, scanned, root, limits, options, 0, 0); |
e3aaff8e |
}
|
33f89aa5 |
static int cli_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, unsigned int arec, unsigned int mrec) |
21cf4aeb |
{
int fd, ret;
|
a9082ea2 |
|
22275b15 |
/* internal version of cl_scanfile with arec/mrec preserved */ |
21cf4aeb |
if((fd = open(filename, O_RDONLY)) == -1)
return CL_EOPEN;
|
22275b15 |
ret = cli_magic_scandesc(fd, virname, scanned, root, limits, options, arec, mrec); |
21cf4aeb |
close(fd);
return ret;
}
|
3805ebcb |
int cl_scanfile(const char *filename, const char **virname, unsigned long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options) |
e3aaff8e |
{
int fd, ret;
|
ece009c0 |
|
e3aaff8e |
if((fd = open(filename, O_RDONLY)) == -1)
return CL_EOPEN;
ret = cl_scandesc(fd, virname, scanned, root, limits, options);
close(fd);
return ret;
} |