Re: [Clamav-users] 0.80rc and the new .ndb sig file format

2004-09-21 Thread Kevin Spicer
On Tue, 2004-09-21 at 02:21, Tomasz Kojm wrote:

> It seems there's a small typo in filetypes.c. Try changing
> 
> {0,  "\377\330\377",   4, "JPEG", CL_TYPE_GRAPHICS},
> 
> to
> 
> {0,  "\377\330\377",   3, "JPEG", CL_TYPE_GRAPHICS}

That did the trick, thanks very much Tomasz.




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB International Limited 
accepts no liability in relation to any personal emails, or 
content of any email which does not directly relate to our 
business.




___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] 0.80rc and the new .ndb sig file format

2004-09-20 Thread Tomasz Kojm
On Tue, 21 Sep 2004 01:06:23 +0100
Kevin Spicer <[EMAIL PROTECTED]> wrote:

> I'm just playing about with this and I can't seem to get it to work
> quite the way I expect.  I've created two signatures, to match the
> jpeg exploit we discussed recently.  My idea is that although the
> signature is very small it minimises false positives by being
> restricted to graphics files and then looking for the jpeg magic
> number at the start of the file.  Since we established the other day
> that the four byte sequence that triggers the exploit can't appear in
> a genuine jpeg this should be okay.
> Anyway, I created signatures in local.ndb as follows...
> 
> Exploit.Jpeg.comment.1:5:0:ffd8*fffe
> Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001
> 
> And tried scanning the exploit sample from here
> http://www.gulftech.org/?node=downloads
> Nothing!
> Trying again with --debug I see this message
> LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.2)
> LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.1)

That means it doesn't recognize JPEG as CL_TYPE_GRAPHICS but as
CL_TYPE_UNKNOWN_DATA.

It seems there's a small typo in filetypes.c. Try changing

{0,  "\377\330\377",   4, "JPEG", CL_TYPE_GRAPHICS},

to

{0,  "\377\330\377",   3, "JPEG", CL_TYPE_GRAPHICS}


-- 
   oo. Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Sep 21 03:16:15 CEST 2004


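Added example (not code from the thread or from ClamAV's sources) showing why the length-4 entry above can never match a real JPEG, and why that silently skips every target-5 signature; the struct, the enum values and the JFIF header bytes are constructed stand-ins for the real definitions:

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for ClamAV's file-type table entry (not the
 * project's real definition): offset, magic, bytes to compare, name, type. */
enum { CL_TYPE_UNKNOWN_DATA = 0, CL_TYPE_GRAPHICS = 1 };
struct magic_entry {
    size_t offset;
    const char *magic;
    size_t length;
    const char *descr;
    int type;
};
/* memcmp-based lookup: compare `length` bytes at `offset` with the magic. */
static int detect_type(const struct magic_entry *tbl, size_t n,
                       const unsigned char *buf, size_t buflen)
{
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].offset + tbl[i].length > buflen)
            continue;
        if (memcmp(buf + tbl[i].offset, tbl[i].magic, tbl[i].length) == 0)
            return tbl[i].type;
    }
    return CL_TYPE_UNKNOWN_DATA;
}

/* The JPEG entry as posted (length 4) and as corrected (length 3).
 * "\377\330\377" is 3 bytes plus a NUL terminator, so length 4 compares
 * that NUL against the file's 4th byte, which in a JPEG is a marker byte
 * (0xE0, 0xE1, ...) and never 0x00, so the entry can never match. */
static const struct magic_entry buggy_table[] = {
    {0, "\377\330\377", 4, "JPEG", CL_TYPE_GRAPHICS},
};
static const struct magic_entry fixed_table[] = {
    {0, "\377\330\377", 3, "JPEG", CL_TYPE_GRAPHICS},
};
/* Constructed JFIF header: SOI (FF D8) followed by APP0 (FF E0). */
static const unsigned char jpeg_head[] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10};
int jpeg_type_buggy(void) { return detect_type(buggy_table, 1, jpeg_head, sizeof jpeg_head); }
int jpeg_type_fixed(void) { return detect_type(fixed_table, 1, jpeg_head, sizeof jpeg_head); }

/* The .ndb target field gates the scan: 0 = any file, 5 = graphics only
 * (other targets not modelled). A target-5 sig is skipped while the type
 * comes back as unknown, which is what the "Type: 501, expected: 514"
 * debug line in the thread was reporting. */
int sig_target_applies(int target, int detected_type)
{
    if (target == 0) return 1;
    if (target == 5) return detected_type == CL_TYPE_GRAPHICS;
    return 0;
}
```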


[Clamav-users] 0.80rc and the new .ndb sig file format

2004-09-20 Thread Kevin Spicer
I'm just playing about with this and I can't seem to get it to work
quite the way I expect.  I've created two signatures, to match the jpeg
exploit we discussed recently.  My idea is that although the signature
is very small it minimises false positives by being restricted to
graphics files and then looking for the jpeg magic number at the start
of the file.  Since we established the other day that the four byte
sequence that triggers the exploit can't appear in a genuine jpeg this
should be okay.
Anyway, I created signatures in local.ndb as follows...

Exploit.Jpeg.comment.1:5:0:ffd8*fffe
Exploit.Jpeg.comment.2:5:0:ffd8*fffe0001

And tried scanning the exploit sample from here
http://www.gulftech.org/?node=downloads
Nothing!
Trying again with --debug I see this message
LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.2)
LibClamAV debug: Type: 501, expected: 514 (Exploit.Jpeg.comment.1)

I only seem able to get this to work by changing the target type in the
sig to 0 i.e.
Exploit.Jpeg.comment.1:0:0:ffd8*fffe
Exploit.Jpeg.comment.2:0:0:ffd8*fffe0001

At which point it all works, but surely it should work with a target
type of 5?

BTW. I tried both scanning the jpg and a message containing it, same
result.

BTW2. Symantec is now detecting this exploit as Bloodhound.exploit.13
