git-svn-id: file:///var/lib/svn/clamav-devel/trunk/clamav-devel@949 77e5149b-7576-45b1-b177-96237e5ba77b
Tomasz Kojm authored on 2004/09/30 09:26:52... | ... |
@@ -1,3 +1,9 @@ |
1 |
+Thu Sep 30 02:19:12 CEST 2004 (tk) |
|
2 |
+---------------------------------- |
|
3 |
+ * libclamav/special.c: add cli_check_jpeg_exploit (by Trog) |
|
4 |
+ * libclamav/matcher.c: add additional check to eliminate false positive |
|
5 |
+ matches of Exploit.JPEG.Comment |
|
6 |
+ |
|
1 | 7 |
Tue Sep 28 19:41:39 BST 2004 (njh) |
2 | 8 |
---------------------------------- |
3 | 9 |
* libclamav: Some small speed and size optimisations in MIME decoding |
... | ... |
@@ -79,7 +79,8 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher.lo \ |
79 | 79 |
blob.lo mbox.lo message.lo snprintf.lo strrcpy.lo table.lo \ |
80 | 80 |
text.lo ole2_extract.lo vba_extract.lo msexpand.lo pe.lo \ |
81 | 81 |
cabd.lo lzxd.lo mszipd.lo qtmd.lo system.lo upx.lo htmlnorm.lo \ |
82 |
- chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo |
|
82 |
+ chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo \ |
|
83 |
+ special.lo |
|
83 | 84 |
libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS) |
84 | 85 |
DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir) |
85 | 86 |
depcomp = $(SHELL) $(top_srcdir)/depcomp |
... | ... |
@@ -99,11 +100,12 @@ am__depfiles_maybe = depfiles |
99 | 99 |
@AMDEP_TRUE@ ./$(DEPDIR)/petite.Plo ./$(DEPDIR)/qtmd.Plo \ |
100 | 100 |
@AMDEP_TRUE@ ./$(DEPDIR)/readdb.Plo ./$(DEPDIR)/rebuildpe.Plo \ |
101 | 101 |
@AMDEP_TRUE@ ./$(DEPDIR)/scanners.Plo ./$(DEPDIR)/snprintf.Plo \ |
102 |
-@AMDEP_TRUE@ ./$(DEPDIR)/str.Plo ./$(DEPDIR)/strc.Plo \ |
|
103 |
-@AMDEP_TRUE@ ./$(DEPDIR)/strrcpy.Plo ./$(DEPDIR)/system.Plo \ |
|
104 |
-@AMDEP_TRUE@ ./$(DEPDIR)/table.Plo ./$(DEPDIR)/text.Plo \ |
|
105 |
-@AMDEP_TRUE@ ./$(DEPDIR)/unrarlib.Plo ./$(DEPDIR)/untar.Plo \ |
|
106 |
-@AMDEP_TRUE@ ./$(DEPDIR)/upx.Plo ./$(DEPDIR)/vba_extract.Plo \ |
|
102 |
+@AMDEP_TRUE@ ./$(DEPDIR)/special.Plo ./$(DEPDIR)/str.Plo \ |
|
103 |
+@AMDEP_TRUE@ ./$(DEPDIR)/strc.Plo ./$(DEPDIR)/strrcpy.Plo \ |
|
104 |
+@AMDEP_TRUE@ ./$(DEPDIR)/system.Plo ./$(DEPDIR)/table.Plo \ |
|
105 |
+@AMDEP_TRUE@ ./$(DEPDIR)/text.Plo ./$(DEPDIR)/unrarlib.Plo \ |
|
106 |
+@AMDEP_TRUE@ ./$(DEPDIR)/untar.Plo ./$(DEPDIR)/upx.Plo \ |
|
107 |
+@AMDEP_TRUE@ ./$(DEPDIR)/vba_extract.Plo \ |
|
107 | 108 |
@AMDEP_TRUE@ ./$(DEPDIR)/zzip-dir.Plo ./$(DEPDIR)/zzip-err.Plo \ |
108 | 109 |
@AMDEP_TRUE@ ./$(DEPDIR)/zzip-file.Plo \ |
109 | 110 |
@AMDEP_TRUE@ ./$(DEPDIR)/zzip-info.Plo ./$(DEPDIR)/zzip-io.Plo \ |
... | ... |
@@ -326,7 +328,9 @@ libclamav_la_SOURCES = \ |
326 | 326 |
line.c \ |
327 | 327 |
line.h \ |
328 | 328 |
untar.c \ |
329 |
- untar.h |
|
329 |
+ untar.h \ |
|
330 |
+ special.c \ |
|
331 |
+ special.h |
|
330 | 332 |
|
331 | 333 |
lib_LTLIBRARIES = libclamav.la |
332 | 334 |
all: all-am |
... | ... |
@@ -425,6 +429,7 @@ distclean-compile: |
425 | 425 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rebuildpe.Plo@am__quote@ |
426 | 426 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scanners.Plo@am__quote@ |
427 | 427 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/snprintf.Plo@am__quote@ |
428 |
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/special.Plo@am__quote@ |
|
428 | 429 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str.Plo@am__quote@ |
429 | 430 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strc.Plo@am__quote@ |
430 | 431 |
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strrcpy.Plo@am__quote@ |
... | ... |
@@ -34,6 +34,7 @@ |
34 | 34 |
#include "filetypes.h" |
35 | 35 |
#include "matcher.h" |
36 | 36 |
#include "pe.h" |
37 |
+#include "special.h" |
|
37 | 38 |
|
38 | 39 |
#define MD5_BLOCKSIZE 4096 |
39 | 40 |
|
... | ... |
@@ -176,6 +177,22 @@ int cli_validatesig(unsigned short target, unsigned short ftype, const char *off |
176 | 176 |
} |
177 | 177 |
} |
178 | 178 |
|
179 |
+ if(ftype == CL_TYPE_GRAPHICS && virname && !strcmp(virname, "Exploit.JPEG.Comment")) { |
|
180 |
+ int old; |
|
181 |
+ |
|
182 |
+ if((old = lseek(desc, 0, SEEK_CUR)) == -1) { |
|
183 |
+ cli_dbgmsg("Invalid descriptor\n"); |
|
184 |
+ return 0; |
|
185 |
+ } |
|
186 |
+ lseek(desc, 0, SEEK_SET); |
|
187 |
+ if(cli_check_jpeg_exploit(desc) != 1) { |
|
188 |
+ cli_dbgmsg("Eliminated false positive match of Exploit.JPEG.Comment\n"); |
|
189 |
+ lseek(desc, old, SEEK_SET); |
|
190 |
+ return 0; |
|
191 |
+ } |
|
192 |
+ lseek(desc, old, SEEK_SET); |
|
193 |
+ } |
|
194 |
+ |
|
179 | 195 |
return 1; |
180 | 196 |
} |
181 | 197 |
|
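Review bot: `int old;` at line 180 receives the result of lseek(), which returns off_t, so the saved position is truncated on files larger than INT_MAX and the `== -1` test can misfire on a legitimately large offset; declare it `off_t old;` and compare against `(off_t)-1`. The three `lseek(desc, ..., SEEK_SET)` calls that rewind and restore the descriptor ignore their return value, so if the restore fails the caller silently continues scanning from the wrong file position; at minimum log when `lseek(desc, old, SEEK_SET) != old`. Selecting the extra check by `strcmp(virname, "Exploit.JPEG.Comment")` couples matcher logic to a database string and stops working without notice if the signature is ever renamed, so a comment such as `/* name must match the signature in the database */` next to the condition would help the next maintainer. cli_validatesig starts outside the hunk.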
... | ... |
@@ -66,6 +66,7 @@ extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME * |
66 | 66 |
#include "filetypes.h" |
67 | 67 |
#include "htmlnorm.h" |
68 | 68 |
#include "untar.h" |
69 |
+#include "special.h" |
|
69 | 70 |
|
70 | 71 |
#ifdef HAVE_ZLIB_H |
71 | 72 |
#include <zlib.h> |
... | ... |
@@ -734,43 +735,6 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const |
734 | 734 |
return ret; |
735 | 735 |
} |
736 | 736 |
|
737 |
-static int cli_scan_mydoom_log(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, int *arec, int *mrec) |
|
738 |
-{ |
|
739 |
- int32_t record[8], check; |
|
740 |
- int i, retval=CL_VIRUS, j; |
|
741 |
- |
|
742 |
- cli_dbgmsg("in mydoom_log()\n"); |
|
743 |
- |
|
744 |
- /* Check upto the first five records in the file */ |
|
745 |
- for (j=0 ; j<5 ; j++) { |
|
746 |
- if (cli_readn(desc, &record, 32) != 32) { |
|
747 |
- break; |
|
748 |
- } |
|
749 |
- |
|
750 |
- /* Decode the key */ |
|
751 |
- record[0] = ~ntohl(record[0]); |
|
752 |
- cli_dbgmsg("Mydoom: key: %lu\n", record[0]); |
|
753 |
- check = 0; |
|
754 |
- for (i=1 ; i<8; i++) { |
|
755 |
- record[i] = ntohl(record[i]) ^ record[0]; |
|
756 |
- check += record[i]; |
|
757 |
- } |
|
758 |
- cli_dbgmsg("Mydoom: check: %lu\n", ~check); |
|
759 |
- if ((~check) != record[0]) { |
|
760 |
- return CL_CLEAN; |
|
761 |
- } |
|
762 |
- } |
|
763 |
- |
|
764 |
- if (j < 2) { |
|
765 |
- retval = CL_CLEAN; |
|
766 |
- } else if (retval==CL_VIRUS) { |
|
767 |
- if(virname) |
|
768 |
- *virname = "Worm.Mydoom.M.log"; |
|
769 |
- } |
|
770 |
- |
|
771 |
- return retval; |
|
772 |
-} |
|
773 |
- |
|
774 | 737 |
static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, int *arec, int *mrec) |
775 | 738 |
{ |
776 | 739 |
DIR *dd; |
... | ... |
@@ -1245,7 +1209,7 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const |
1245 | 1245 |
} |
1246 | 1246 |
|
1247 | 1247 |
case CL_TYPE_UNKNOWN_DATA: |
1248 |
- ret = cli_scan_mydoom_log(desc, virname, scanned, root, limits, options, arec, mrec); |
|
1248 |
+ ret = cli_check_mydoom_log(desc, virname); |
|
1249 | 1249 |
break; |
1250 | 1250 |
|
1251 | 1251 |
default: |
1252 | 1252 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,109 @@ |
0 |
+/* |
|
1 |
+ * Copyright (C) 2004 trog@uncon.org |
|
2 |
+ * |
|
3 |
+ * This program is free software; you can redistribute it and/or modify |
|
4 |
+ * it under the terms of the GNU General Public License as published by |
|
5 |
+ * the Free Software Foundation; either version 2 of the License, or |
|
6 |
+ * (at your option) any later version. |
|
7 |
+ * |
|
8 |
+ * This program is distributed in the hope that it will be useful, |
|
9 |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
10 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
11 |
+ * GNU General Public License for more details. |
|
12 |
+ * |
|
13 |
+ * You should have received a copy of the GNU General Public License |
|
14 |
+ * along with this program; if not, write to the Free Software |
|
15 |
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
|
16 |
+ */ |
|
17 |
+ |
|
18 |
+#include <sys/types.h> |
|
19 |
+#include <sys/stat.h> |
|
20 |
+#include <fcntl.h> |
|
21 |
+#include <unistd.h> |
|
22 |
+ |
|
23 |
+#include "clamav.h" |
|
24 |
+#include "others.h" |
|
25 |
+ |
|
26 |
+ |
|
27 |
+int cli_check_mydoom_log(int desc, const char **virname) |
|
28 |
+{ |
|
29 |
+ int32_t record[8], check; |
|
30 |
+ int i, retval=CL_VIRUS, j; |
|
31 |
+ |
|
32 |
+ cli_dbgmsg("in cli_check_mydoom_log()\n"); |
|
33 |
+ |
|
34 |
+ /* Check upto the first five records in the file */ |
|
35 |
+ for (j=0 ; j<5 ; j++) { |
|
36 |
+ if (cli_readn(desc, &record, 32) != 32) { |
|
37 |
+ break; |
|
38 |
+ } |
|
39 |
+ |
|
40 |
+ /* Decode the key */ |
|
41 |
+ record[0] = ~ntohl(record[0]); |
|
42 |
+ cli_dbgmsg("Mydoom: key: %lu\n", record[0]); |
|
43 |
+ check = 0; |
|
44 |
+ for (i=1 ; i<8; i++) { |
|
45 |
+ record[i] = ntohl(record[i]) ^ record[0]; |
|
46 |
+ check += record[i]; |
|
47 |
+ } |
|
48 |
+ cli_dbgmsg("Mydoom: check: %lu\n", ~check); |
|
49 |
+ if ((~check) != record[0]) { |
|
50 |
+ return CL_CLEAN; |
|
51 |
+ } |
|
52 |
+ } |
|
53 |
+ |
|
54 |
+ if (j < 2) { |
|
55 |
+ retval = CL_CLEAN; |
|
56 |
+ } else if (retval==CL_VIRUS) { |
|
57 |
+ if(virname) |
|
58 |
+ *virname = "Worm.Mydoom.M.log"; |
|
59 |
+ } |
|
60 |
+ |
|
61 |
+ return retval; |
|
62 |
+} |
|
63 |
+ |
|
64 |
+int cli_check_jpeg_exploit(int fd) |
|
65 |
+{ |
|
66 |
+ unsigned char buffer[4]; |
|
67 |
+ off_t offset; |
|
68 |
+ int retval; |
|
69 |
+ |
|
70 |
+ |
|
71 |
+ cli_dbgmsg("in cli_check_jpeg_exploit()\n"); |
|
72 |
+ |
|
73 |
+ if (cli_readn(fd, buffer, 2) != 2) { |
|
74 |
+ return 0; |
|
75 |
+ } |
|
76 |
+ |
|
77 |
+ if ((buffer[0] != 0xff) && (buffer[1] != 0xd8)) { |
|
78 |
+ return 0; |
|
79 |
+ } |
|
80 |
+ for (;;) { |
|
81 |
+ if ((retval=cli_readn(fd, buffer, 4)) != 4) { |
|
82 |
+ return 0; |
|
83 |
+ } |
|
84 |
+ if ((buffer[0] == 0xff) && (buffer[1] == 0xfe)) { |
|
85 |
+ if (buffer[2] == 0x00) { |
|
86 |
+ if ((buffer[3] == 0x00) || (buffer[3] == 0x01)) { |
|
87 |
+ return 1; |
|
88 |
+ } |
|
89 |
+ } |
|
90 |
+ } |
|
91 |
+ if (buffer[0] != 0xff) { |
|
92 |
+ return -1; |
|
93 |
+ } |
|
94 |
+ if (buffer[1] == 0xda) { |
|
95 |
+ /* End of Image marker */ |
|
96 |
+ return 0; |
|
97 |
+ } |
|
98 |
+ offset = ((unsigned int) buffer[2] << 8) + buffer[3]; |
|
99 |
+ if (offset < 2) { |
|
100 |
+ return 2; |
|
101 |
+ } |
|
102 |
+ offset -= 2; |
|
103 |
+ offset += lseek(fd, 0, SEEK_CUR); |
|
104 |
+ if (lseek(fd, offset, SEEK_SET) != offset) { |
|
105 |
+ return -1; |
|
106 |
+ } |
|
107 |
+ } |
|
108 |
+} |
0 | 109 |
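Review bot: The SOI check in cli_check_jpeg_exploit, `if ((buffer[0] != 0xff) && (buffer[1] != 0xd8))`, rejects the input only when both bytes are wrong, so a stream beginning 0xff 0x00 or 0x12 0xd8 is parsed as a JPEG; the condition should be `||`. The comment `/* End of Image marker */` on the 0xda branch is wrong — 0xda is Start Of Scan (EOI is 0xd9) — and since the function returns 0 there a reader needs to know the walk deliberately stops at the first SOS. `offset += lseek(fd, 0, SEEK_CUR)` folds an unchecked -1 into the offset, and in cli_check_mydoom_log the `%lu` conversions for the int32_t values `record[0]` and `~check` do not match the argument type (carried over from scanners.c); use `%u` with an unsigned cast or PRIu32. `retval` in cli_check_jpeg_exploit is assigned but never read, and `check += record[i]` accumulates int32_t values that can overflow, which is undefined for signed types — an `uint32_t check` accumulator avoids that. The return contract of cli_check_jpeg_exploit (1 comment segment with length 0 or 1 found, 0 clean or short read, 2 length below 2, -1 bad marker or seek failure) is only recoverable from the code, and the caller in matcher.c treats every value other than 1 as a false positive, so a header comment stating it would help.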
new file mode 100644 |
... | ... |
@@ -0,0 +1,25 @@ |
0 |
+/* |
|
1 |
+ * Copyright (C) 2004 trog@uncon.org |
|
2 |
+ * |
|
3 |
+ * This program is free software; you can redistribute it and/or modify |
|
4 |
+ * it under the terms of the GNU General Public License as published by |
|
5 |
+ * the Free Software Foundation; either version 2 of the License, or |
|
6 |
+ * (at your option) any later version. |
|
7 |
+ * |
|
8 |
+ * This program is distributed in the hope that it will be useful, |
|
9 |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
10 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
11 |
+ * GNU General Public License for more details. |
|
12 |
+ * |
|
13 |
+ * You should have received a copy of the GNU General Public License |
|
14 |
+ * along with this program; if not, write to the Free Software |
|
15 |
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
|
16 |
+ */ |
|
17 |
+ |
|
18 |
+#ifndef __SPECIAL_H |
|
19 |
+#define __SPECIAL_H |
|
20 |
+ |
|
21 |
+int cli_check_mydoom_log(int desc, const char **virname); |
|
22 |
+int cli_check_jpeg_exploit(int fd); |
|
23 |
+ |
|
24 |
+#endif |
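Review bot: The include guard `__SPECIAL_H` starts with a double underscore, a name reserved for the implementation in C; `#ifndef SPECIAL_H` / `#define SPECIAL_H` avoids the collision risk. The two prototypes say nothing about their contracts — that both read from the descriptor's current position and advance it without restoring, that cli_check_mydoom_log returns CL_CLEAN or CL_VIRUS and sets *virname on a match, and that cli_check_jpeg_exploit returns 1 on a match and 0, 2 or -1 otherwise — so a short comment above each would let callers in matcher.c and scanners.c save and restore the offset correctly.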