@@ -1,3 +1,9 @@

+Thu Sep 30 02:19:12 CEST 2004 (tk)

+----------------------------------

+  * libclamav/special.c: add cli_check_jpeg_exploit (by Trog)

+  * libclamav/matcher.c: add additional check to eliminate false positive

+			 matches of Exploit.JPEG.Comment

+

 Tue Sep 28 19:41:39 BST 2004 (njh)

 ----------------------------------

   * libclamav:		Some small speed and size optimisations in MIME decoding

@@ -116,6 +116,8 @@ libclamav_la_SOURCES = \

 	line.c \

 	line.h \

 	untar.c \

-	untar.h

+	untar.h \

+	special.c \

+	special.h

 lib_LTLIBRARIES = libclamav.la

@@ -79,7 +79,8 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher.lo \

 	blob.lo mbox.lo message.lo snprintf.lo strrcpy.lo table.lo \

 	text.lo ole2_extract.lo vba_extract.lo msexpand.lo pe.lo \

 	cabd.lo lzxd.lo mszipd.lo qtmd.lo system.lo upx.lo htmlnorm.lo \

-	chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo

+	chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo \

+	special.lo

 libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS)

 DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)

 depcomp = $(SHELL) $(top_srcdir)/depcomp

@@ -99,11 +100,12 @@ am__depfiles_maybe = depfiles

 @AMDEP_TRUE@	./$(DEPDIR)/petite.Plo ./$(DEPDIR)/qtmd.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/readdb.Plo ./$(DEPDIR)/rebuildpe.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/scanners.Plo ./$(DEPDIR)/snprintf.Plo \

-@AMDEP_TRUE@	./$(DEPDIR)/str.Plo ./$(DEPDIR)/strc.Plo \

-@AMDEP_TRUE@	./$(DEPDIR)/strrcpy.Plo ./$(DEPDIR)/system.Plo \

-@AMDEP_TRUE@	./$(DEPDIR)/table.Plo ./$(DEPDIR)/text.Plo \

-@AMDEP_TRUE@	./$(DEPDIR)/unrarlib.Plo ./$(DEPDIR)/untar.Plo \

-@AMDEP_TRUE@	./$(DEPDIR)/upx.Plo ./$(DEPDIR)/vba_extract.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/special.Plo ./$(DEPDIR)/str.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/strc.Plo ./$(DEPDIR)/strrcpy.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/system.Plo ./$(DEPDIR)/table.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/text.Plo ./$(DEPDIR)/unrarlib.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/untar.Plo ./$(DEPDIR)/upx.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/vba_extract.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/zzip-dir.Plo ./$(DEPDIR)/zzip-err.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/zzip-file.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/zzip-info.Plo ./$(DEPDIR)/zzip-io.Plo \

@@ -326,7 +328,9 @@ libclamav_la_SOURCES = \

 	line.c \

 	line.h \

 	untar.c \

-	untar.h

+	untar.h \

+	special.c \

+	special.h

 lib_LTLIBRARIES = libclamav.la

 all: all-am

@@ -425,6 +429,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rebuildpe.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scanners.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/snprintf.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/special.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strc.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strrcpy.Plo@am__quote@

@@ -34,6 +34,7 @@

 #include "filetypes.h"

 #include "matcher.h"

 #include "pe.h"

+#include "special.h"

 #define MD5_BLOCKSIZE 4096

@@ -176,6 +177,22 @@ int cli_validatesig(unsigned short target, unsigned short ftype, const char *off

 	}

     }

+    if(ftype == CL_TYPE_GRAPHICS && virname && !strcmp(virname, "Exploit.JPEG.Comment")) {

+	    int old;

+

+	if((old = lseek(desc, 0, SEEK_CUR)) == -1) {

+	    cli_dbgmsg("Invalid descriptor\n");

+	    return 0;

+	}

+	lseek(desc, 0, SEEK_SET);

+	if(cli_check_jpeg_exploit(desc) != 1) {

+	    cli_dbgmsg("Eliminated false positive match of Exploit.JPEG.Comment\n");

+	    lseek(desc, old, SEEK_SET);

+	    return 0;

+	}

+	lseek(desc, old, SEEK_SET);

+    }

+

     return 1;

 }

@@ -66,6 +66,7 @@ extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME *

 #include "filetypes.h"

 #include "htmlnorm.h"

 #include "untar.h"

+#include "special.h"

 #ifdef HAVE_ZLIB_H

 #include <zlib.h>

@@ -734,43 +735,6 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const

     return ret;

 }

-static int  cli_scan_mydoom_log(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, int *arec, int *mrec)

-{

-	int32_t record[8], check;

-	int i, retval=CL_VIRUS, j;

-

-    cli_dbgmsg("in mydoom_log()\n");

-

-    /* Check upto the first five records in the file */

-    for (j=0 ; j<5 ; j++) {

-	if (cli_readn(desc, &record, 32) != 32) {

-	    break;

-	}

-

-	/* Decode the key */

-	record[0] = ~ntohl(record[0]);

-	cli_dbgmsg("Mydoom: key: %lu\n", record[0]);

-	check = 0;

-	for (i=1 ; i<8; i++) {

-	    record[i] = ntohl(record[i]) ^ record[0];

-	    check += record[i];

-	}

-	cli_dbgmsg("Mydoom: check: %lu\n", ~check);

-	if ((~check) != record[0]) {

-	    return CL_CLEAN;

-	}

-    }

-

-    if (j < 2) {

-	retval = CL_CLEAN;

-    } else if (retval==CL_VIRUS) {

-	if(virname)

-	    *virname = "Worm.Mydoom.M.log";

-    }

-

-    return retval;

-}

-

 static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, int *arec, int *mrec)

 {

 	DIR *dd;

@@ -1245,7 +1209,7 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const

 	    }

 	case CL_TYPE_UNKNOWN_DATA:

-	    ret = cli_scan_mydoom_log(desc, virname, scanned, root, limits, options, arec, mrec);

+	    ret = cli_check_mydoom_log(desc, virname);

 	    break;

 	default:

new file mode 100644

@@ -0,0 +1,109 @@

+/*

+ *  Copyright (C) 2004 trog@uncon.org

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <fcntl.h>

+#include <unistd.h>

+

+#include "clamav.h"

+#include "others.h"

+

+

+int cli_check_mydoom_log(int desc, const char **virname)

+{

+	int32_t record[8], check;

+	int i, retval=CL_VIRUS, j;

+

+    cli_dbgmsg("in cli_check_mydoom_log()\n");

+

+    /* Check upto the first five records in the file */

+    for (j=0 ; j<5 ; j++) {

+	if (cli_readn(desc, &record, 32) != 32) {

+	    break;

+	}

+

+	/* Decode the key */

+	record[0] = ~ntohl(record[0]);

+	cli_dbgmsg("Mydoom: key: %lu\n", record[0]);

+	check = 0;

+	for (i=1 ; i<8; i++) {

+	    record[i] = ntohl(record[i]) ^ record[0];

+	    check += record[i];

+	}

+	cli_dbgmsg("Mydoom: check: %lu\n", ~check);

+	if ((~check) != record[0]) {

+	    return CL_CLEAN;

+	}

+    }

+

+    if (j < 2) {

+	retval = CL_CLEAN;

+    } else if (retval==CL_VIRUS) {

+	if(virname)

+	    *virname = "Worm.Mydoom.M.log";

+    }

+

+    return retval;

+}

+

+int cli_check_jpeg_exploit(int fd)

+{

+	unsigned char buffer[4];

+	off_t offset;

+	int retval;

+	

+

+	cli_dbgmsg("in cli_check_jpeg_exploit()\n");

+

+	if (cli_readn(fd, buffer, 2) != 2) {

+		return 0;

+	}

+	

+	if ((buffer[0] != 0xff) && (buffer[1] != 0xd8)) {

+		return 0;

+	}

+	for (;;) {

+		if ((retval=cli_readn(fd, buffer, 4)) != 4) {

+			return 0;

+		}

+		if ((buffer[0] == 0xff) && (buffer[1] == 0xfe)) {

+			if (buffer[2] == 0x00) {

+				if ((buffer[3] == 0x00) || (buffer[3] == 0x01)) {

+					return 1;

+				}

+			}

+		}

+		if (buffer[0] != 0xff) {

+			return -1;

+		}

+		if (buffer[1] == 0xda) {

+			/* End of Image marker */

+			return 0;

+		}

+		offset = ((unsigned int) buffer[2] << 8) + buffer[3];

+		if (offset < 2) {

+			return 2;

+		}

+		offset -= 2;

+		offset += lseek(fd, 0, SEEK_CUR);

+		if (lseek(fd, offset, SEEK_SET) != offset) {

+			return -1;

+		}

+	}

+}

new file mode 100644

@@ -0,0 +1,25 @@

+/*

+ *  Copyright (C) 2004 trog@uncon.org

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+#ifndef __SPECIAL_H

+#define __SPECIAL_H

+

+int cli_check_mydoom_log(int desc, const char **virname);

+int cli_check_jpeg_exploit(int fd);

+

+#endif