@@ -1,3 +1,8 @@

+Fri Jul  9 04:14:37 CEST 2004 (tk)

+----------------------------------

+  * libclamav: pe: detect skewed UPX1 (patch by aCaB)

+  * libclamav: use new rule set for HTML detection (thanks to Trog)

+

 Thu Jul  8 23:23:34 BST 2004 (njh)

 ----------------------------------

   * clamav-milter:	Validate arguments given to inet_ntop. This

@@ -112,27 +112,22 @@ static const struct cli_magic_s cli_magic[] = {

 static const struct cli_smagic_s cli_smagic[] = {

-    /* <html>*<body */

     /* "From: " * "Content-Type: " */

     {"46726f6d3a20*436f6e74656e742d547970653a20",    "Mail file", CL_MAILFILE},

-    /* matcher is case sensitive - we have to check all variants of <html> */

-    {"3c68746d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48746d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c68546d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c68744d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c68746d4c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48546d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48744d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48746d4c3e",    "HTML data", CL_HTMLFILE},

-    {"3c68544d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c68546d4c3e",    "HTML data", CL_HTMLFILE},

-    {"3c68744d4c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48544d6c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48744d4c3e",    "HTML data", CL_HTMLFILE},

-    {"3c68544d4c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48546d4c3e",    "HTML data", CL_HTMLFILE},

-    {"3c48544d4c3e",    "HTML data", CL_HTMLFILE},

+    /* remember the matcher is case sensitive */

+    {"3c62723e",    "HTML data", CL_HTMLFILE},	/* <br> */

+    {"3c42723e",    "HTML data", CL_HTMLFILE},	/* <Br> */

+    {"3c42523e",    "HTML data", CL_HTMLFILE},	/* <BR> */

+    {"3c703e",	    "HTML data", CL_HTMLFILE},	/* <p> */

+    {"3c503e",	    "HTML data", CL_HTMLFILE},	/* <P> */

+    {"68726566",    "HTML data", CL_HTMLFILE},	/* href */

+    {"48726566",    "HTML data", CL_HTMLFILE},	/* Href */

+    {"48524546",    "HTML data", CL_HTMLFILE},	/* HREF */

+    {"3c666f6e74",  "HTML data", CL_HTMLFILE},	/* <font */

+    {"3c466f6e74",  "HTML data", CL_HTMLFILE},	/* <Font */

+    {"3c464f4e54",  "HTML data", CL_HTMLFILE},	/* <FONT */

+

     {NULL,  NULL,   CL_UNKNOWN_TYPE}

 };

@@ -47,6 +47,7 @@ pthread_mutex_t cl_gentemp_mutex = PTHREAD_MUTEX_INITIALIZER;

 #include "clamav.h"

 #include "others.h"

 #include "md5.h"

+#include "cltypes.h"

 #define CL_FLEVEL 2 /* don't touch it */

@@ -453,3 +454,19 @@ int cli_writen(int fd, void *buff, unsigned int count)

         return count;

 }

+int32_t cli_readint32(const char *buff)

+{

+	int32_t ret, shift, i = 0;

+

+#if WORDS_BIGENDIAN == 0

+    ret = *(int32_t *) buff;

+#else

+    ret = 0;

+    for(shift = 0; shift < 32; shift += 8) {

+      ret |= (buff[i] & 0xff ) << shift;

+      i++;

+    }

+#endif

+

+    return ret;

+}

@@ -21,6 +21,7 @@

 #include <stdio.h>

 #include <stdlib.h>

+#include "cltypes.h"

 void cli_warnmsg(const char *str, ...);

 void cli_errmsg(const char *str, ...);

@@ -32,5 +33,6 @@ int cli_rmdirs(const char *dirname);

 char *cli_md5stream(FILE *fd);

 int cli_readn(int fd, void *buff, unsigned int count);

 int cli_writen(int fd, void *buff, unsigned int count);

+int32_t cli_readint32(const char *buff);

 #endif

@@ -234,7 +234,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	struct pe_image_optional_hdr optional_hdr;

 	struct pe_image_section_hdr *section_hdr;

 	struct stat sb;

-	char sname[9], buff[24], *tempfile;

+	char sname[9], buff[126], *tempfile;

 	int i, found, upx_success = 0, broken = 0;

 	int (*upxfn)(char *, int , char *, int) = NULL;

@@ -470,6 +470,12 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	    return CL_CLEAN;

 	}

+	if(ssize <= 0x19 || dsize <= ssize) { /* FIXME: What are reasonable values? */

+	    cli_dbgmsg("UPX: Size mismatch (ssize: %d, dsize: %d)\n", ssize, dsize);

+	    return CL_CLEAN;

+	}

+

+

 	/* FIXME: use file operations in case of big files */

 	if((src = (char *) cli_malloc(ssize)) == NULL) {

 	    free(section_hdr);

@@ -493,39 +499,50 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	/* try to detect UPX code */

-	if(lseek(desc, ep + 0x69, SEEK_SET) == -1) {

+	if(lseek(desc, ep, SEEK_SET) == -1) {

 	    cli_dbgmsg("lseek() failed\n");

 	    free(section_hdr);

 	    return CL_EIO;

 	}

-	if(read(desc, buff, 21) != 21) {

-	    cli_dbgmsg("UPX: Can't read 21 bytes at 0x%x (%d)\n", ep + 0x69, ep + 0x78);

+	if(read(desc, buff, 126) != 126) { /* i.e. 0x69 + 13 + 8 */

+	    cli_dbgmsg("UPX: Can't read 126 bytes at 0x%x (%d)\n", ep, ep);

 	    return CL_EIO;

 	} else {

-	    if(cli_memstr(UPX_NRV2B, 24, buff, 13) || cli_memstr(UPX_NRV2B, 24, buff + 8, 13)) {

+	    if(cli_memstr(UPX_NRV2B, 24, buff + 0x69, 13) || cli_memstr(UPX_NRV2B, 24, buff + 0x69 + 8, 13)) {

 		cli_dbgmsg("UPX: Looks like a NRV2B decompression routine\n");

 		upxfn = upx_inflate2b;

-	    } else if(cli_memstr(UPX_NRV2D, 24, buff, 13) || cli_memstr(UPX_NRV2D, 24, buff + 8, 13)) {

+	    } else if(cli_memstr(UPX_NRV2D, 24, buff + 0x69, 13) || cli_memstr(UPX_NRV2D, 24, buff + 0x69 + 8, 13)) {

 		cli_dbgmsg("UPX: Looks like a NRV2D decompression routine\n");

 		upxfn = upx_inflate2d;

-	    } else if(cli_memstr(UPX_NRV2E, 24, buff, 13) || cli_memstr(UPX_NRV2E, 24, buff + 8, 13)) {

+	    } else if(cli_memstr(UPX_NRV2E, 24, buff + 0x69, 13) || cli_memstr(UPX_NRV2E, 24, buff + 0x69 + 8, 13)) {

 		cli_dbgmsg("UPX: Looks like a NRV2E decompression routine\n");

 		upxfn = upx_inflate2e;

 	    }

 	}

 	if(upxfn) {

-	    if(upxfn(src, ssize, dest, dsize)) {

-		cli_dbgmsg("UPX: Prefered decompressor failed\n");

+		int ret, skew = cli_readint32(buff + 2) - EC32(optional_hdr.ImageBase) - EC32(section_hdr[i+1].VirtualAddress);

+

+	    if(buff[1] != '\xbe' || skew <= 0 || skew > 0x2e ) { /* FIXME: legit skews?? */

+		skew = 0; 

+		if(!upxfn(src, ssize, dest, dsize))

+		    upx_success = 1;

+

 	    } else {

-		upx_success = 1;

-		cli_dbgmsg("UPX: Successfully decompressed\n");

+		cli_dbgmsg("UPX: UPX1 seems skewed by %d bytes\n", skew);

+		if(!upxfn(src + skew, ssize - skew, dest, dsize) || !upxfn(src, ssize, dest, dsize))

+		    upx_success = 1;

 	    }

+

+	    if(upx_success)

+		cli_dbgmsg("UPX: Successfully decompressed\n");

+	    else

+		cli_dbgmsg("UPX: Prefered decompressor failed\n");

 	}

 	if(!upx_success && upxfn != upx_inflate2b) {

-	    if(upx_inflate2b(src, ssize, dest, dsize)) {

+	    if(upx_inflate2b(src, ssize, dest, dsize) && upx_inflate2b(src + 0x15, ssize - 0x15, dest, dsize) ) {

 		cli_dbgmsg("UPX: NRV2B decompressor failed\n");

 	    } else {

 		upx_success = 1;

@@ -534,7 +551,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	}

 	if(!upx_success && upxfn != upx_inflate2d) {

-	    if(upx_inflate2d(src, ssize, dest, dsize)) {

+	    if(upx_inflate2d(src, ssize, dest, dsize) && upx_inflate2d(src+0x15, ssize-0x15, dest, dsize) ) {

 		cli_dbgmsg("UPX: NRV2D decompressor failed\n");

 	    } else {

 		upx_success = 1;

@@ -543,7 +560,7 @@ int cli_scanpe(int desc, const char **virname, long int *scanned, const struct c

 	}

 	if(!upx_success && upxfn != upx_inflate2e) {

-	    if(upx_inflate2e(src, ssize, dest, dsize)) {

+	    if(upx_inflate2e(src, ssize, dest, dsize) && upx_inflate2e(src + 0x15, ssize - 0x15, dest, dsize) ) {

 		cli_dbgmsg("UPX: NRV2E decompressor failed\n");

 	    } else {

 		upx_success = 1;