eliminate false positive matches of Exploit.JPEG.Comment

git-svn: trunk@949
22 years ago · c3a3be2df5
parent ab4038b42d
commit c3a3be2df5
7 changed files with 174 additions and 46 deletions
--- a/clamav-devel/ChangeLog
+++ b/clamav-devel/ChangeLog
@ -1,3 +1,9 @@
+Thu Sep 30 02:19:12 CEST 2004 (tk)
+----------------------------------
+  * libclamav/special.c: add cli_check_jpeg_exploit (by Trog)
+  * libclamav/matcher.c: add additional check to eliminate false positive
+			 matches of Exploit.JPEG.Comment
+
 Tue Sep 28 19:41:39 BST 2004 (njh)
 ----------------------------------
  * libclamav:		Some small speed and size optimisations in MIME decoding
--- a/clamav-devel/libclamav/Makefile.am
+++ b/clamav-devel/libclamav/Makefile.am
@ -116,6 +116,8 @@ libclamav_la_SOURCES = \
 	line.c \
 	line.h \
 	untar.c \
-	untar.h
+	untar.h \
+	special.c \
+	special.h

 lib_LTLIBRARIES = libclamav.la
--- a/clamav-devel/libclamav/Makefile.in
+++ b/clamav-devel/libclamav/Makefile.in
@ -79,7 +79,8 @@ am_libclamav_la_OBJECTS = matcher-ac.lo matcher-bm.lo matcher.lo \
 	blob.lo mbox.lo message.lo snprintf.lo strrcpy.lo table.lo \
 	text.lo ole2_extract.lo vba_extract.lo msexpand.lo pe.lo \
 	cabd.lo lzxd.lo mszipd.lo qtmd.lo system.lo upx.lo htmlnorm.lo \
-	chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo
+	chmunpack.lo rebuildpe.lo petite.lo fsg.lo line.lo untar.lo \
+	special.lo
 libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS)
 DEFAULT_INCLUDES = -I. -I$(srcdir) -I$(top_builddir)
 depcomp = $(SHELL) $(top_srcdir)/depcomp
@ -99,11 +100,12 @@ am__depfiles_maybe = depfiles
@AMDEP_TRUE@	./$(DEPDIR)/petite.Plo ./$(DEPDIR)/qtmd.Plo \
@AMDEP_TRUE@	./$(DEPDIR)/readdb.Plo ./$(DEPDIR)/rebuildpe.Plo \
@AMDEP_TRUE@	./$(DEPDIR)/scanners.Plo ./$(DEPDIR)/snprintf.Plo \
-@AMDEP_TRUE@	./$(DEPDIR)/str.Plo ./$(DEPDIR)/strc.Plo \
-@AMDEP_TRUE@	./$(DEPDIR)/strrcpy.Plo ./$(DEPDIR)/system.Plo \
-@AMDEP_TRUE@	./$(DEPDIR)/table.Plo ./$(DEPDIR)/text.Plo \
-@AMDEP_TRUE@	./$(DEPDIR)/unrarlib.Plo ./$(DEPDIR)/untar.Plo \
-@AMDEP_TRUE@	./$(DEPDIR)/upx.Plo ./$(DEPDIR)/vba_extract.Plo \
+@AMDEP_TRUE@	./$(DEPDIR)/special.Plo ./$(DEPDIR)/str.Plo \
+@AMDEP_TRUE@	./$(DEPDIR)/strc.Plo ./$(DEPDIR)/strrcpy.Plo \
+@AMDEP_TRUE@	./$(DEPDIR)/system.Plo ./$(DEPDIR)/table.Plo \
+@AMDEP_TRUE@	./$(DEPDIR)/text.Plo ./$(DEPDIR)/unrarlib.Plo \
+@AMDEP_TRUE@	./$(DEPDIR)/untar.Plo ./$(DEPDIR)/upx.Plo \
+@AMDEP_TRUE@	./$(DEPDIR)/vba_extract.Plo \
@AMDEP_TRUE@	./$(DEPDIR)/zzip-dir.Plo ./$(DEPDIR)/zzip-err.Plo \
@AMDEP_TRUE@	./$(DEPDIR)/zzip-file.Plo \
@AMDEP_TRUE@	./$(DEPDIR)/zzip-info.Plo ./$(DEPDIR)/zzip-io.Plo \
@ -326,7 +328,9 @@ libclamav_la_SOURCES = \
 	line.c \
 	line.h \
 	untar.c \
-	untar.h
+	untar.h \
+	special.c \
+	special.h

 lib_LTLIBRARIES = libclamav.la
 all: all-am
@ -425,6 +429,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rebuildpe.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scanners.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/snprintf.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/special.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strc.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strrcpy.Plo@am__quote@
--- a/clamav-devel/libclamav/matcher.c
+++ b/clamav-devel/libclamav/matcher.c
@ -34,6 +34,7 @@
 #include "filetypes.h"
 #include "matcher.h"
 #include "pe.h"
+#include "special.h"

 #define MD5_BLOCKSIZE 4096

@ -176,6 +177,22 @@ int cli_validatesig(unsigned short target, unsigned short ftype, const char *off
 	}
    }

+    if(ftype == CL_TYPE_GRAPHICS && virname && !strcmp(virname, "Exploit.JPEG.Comment")) {
+	    int old;
+
+	if((old = lseek(desc, 0, SEEK_CUR)) == -1) {
+	    cli_dbgmsg("Invalid descriptor\n");
+	    return 0;
+	}
+	lseek(desc, 0, SEEK_SET);
+	if(cli_check_jpeg_exploit(desc) != 1) {
+	    cli_dbgmsg("Eliminated false positive match of Exploit.JPEG.Comment\n");
+	    lseek(desc, old, SEEK_SET);
+	    return 0;
+	}
+	lseek(desc, old, SEEK_SET);
+    }
+
    return 1;
 }

--- a/clamav-devel/libclamav/scanners.c
+++ b/clamav-devel/libclamav/scanners.c
@ -66,6 +66,7 @@ extern int cli_mbox(const char *dir, int desc, unsigned int options); /* FIXME *
 #include "filetypes.h"
 #include "htmlnorm.h"
 #include "untar.h"
+#include "special.h"

 #ifdef HAVE_ZLIB_H
 #include <zlib.h>
@ -734,43 +735,6 @@ static int cli_scanhtml(int desc, const char **virname, long int *scanned, const
    return ret;
 }

-static int  cli_scan_mydoom_log(int desc, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, int *arec, int *mrec)
-{
-	int32_t record[8], check;
-	int i, retval=CL_VIRUS, j;
-
-    cli_dbgmsg("in mydoom_log()\n");
-
-    /* Check upto the first five records in the file */
-    for (j=0 ; j<5 ; j++) {
-	if (cli_readn(desc, &record, 32) != 32) {
-	    break;
-	}
-
-	/* Decode the key */
-	record[0] = ~ntohl(record[0]);
-	cli_dbgmsg("Mydoom: key: %lu\n", record[0]);
-	check = 0;
-	for (i=1 ; i<8; i++) {
-	    record[i] = ntohl(record[i]) ^ record[0];
-	    check += record[i];
-	}
-	cli_dbgmsg("Mydoom: check: %lu\n", ~check);
-	if ((~check) != record[0]) {
-	    return CL_CLEAN;
-	}
-    }
-
-    if (j < 2) {
-	retval = CL_CLEAN;
-    } else if (retval==CL_VIRUS) {
-	if(virname)
-	    *virname = "Worm.Mydoom.M.log";
-    }
-
-    return retval;
-}
-
 static int cli_scandir(const char *dirname, const char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, unsigned int options, int *arec, int *mrec)
 {
 	DIR *dd;
@ -1245,7 +1209,7 @@ int cli_magic_scandesc(int desc, const char **virname, long int *scanned, const
 	    }

 	case CL_TYPE_UNKNOWN_DATA:
-	    ret = cli_scan_mydoom_log(desc, virname, scanned, root, limits, options, arec, mrec);
+	    ret = cli_check_mydoom_log(desc, virname);
 	    break;

 	default:
--- a/clamav-devel/libclamav/special.c
+++ b/clamav-devel/libclamav/special.c
@ -0,0 +1,109 @@
+/*
+ *  Copyright (C) 2004 trog@uncon.org
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include "clamav.h"
+#include "others.h"
+
+
+int cli_check_mydoom_log(int desc, const char **virname)
+{
+	int32_t record[8], check;
+	int i, retval=CL_VIRUS, j;
+
+    cli_dbgmsg("in cli_check_mydoom_log()\n");
+
+    /* Check upto the first five records in the file */
+    for (j=0 ; j<5 ; j++) {
+	if (cli_readn(desc, &record, 32) != 32) {
+	    break;
+	}
+
+	/* Decode the key */
+	record[0] = ~ntohl(record[0]);
+	cli_dbgmsg("Mydoom: key: %lu\n", record[0]);
+	check = 0;
+	for (i=1 ; i<8; i++) {
+	    record[i] = ntohl(record[i]) ^ record[0];
+	    check += record[i];
+	}
+	cli_dbgmsg("Mydoom: check: %lu\n", ~check);
+	if ((~check) != record[0]) {
+	    return CL_CLEAN;
+	}
+    }
+
+    if (j < 2) {
+	retval = CL_CLEAN;
+    } else if (retval==CL_VIRUS) {
+	if(virname)
+	    *virname = "Worm.Mydoom.M.log";
+    }
+
+    return retval;
+}
+
+int cli_check_jpeg_exploit(int fd)
+{
+	unsigned char buffer[4];
+	off_t offset;
+	int retval;
+	
+
+	cli_dbgmsg("in cli_check_jpeg_exploit()\n");
+
+	if (cli_readn(fd, buffer, 2) != 2) {
+		return 0;
+	}
+	
+	if ((buffer[0] != 0xff) && (buffer[1] != 0xd8)) {
+		return 0;
+	}
+	for (;;) {
+		if ((retval=cli_readn(fd, buffer, 4)) != 4) {
+			return 0;
+		}
+		if ((buffer[0] == 0xff) && (buffer[1] == 0xfe)) {
+			if (buffer[2] == 0x00) {
+				if ((buffer[3] == 0x00) || (buffer[3] == 0x01)) {
+					return 1;
+				}
+			}
+		}
+		if (buffer[0] != 0xff) {
+			return -1;
+		}
+		if (buffer[1] == 0xda) {
+			/* End of Image marker */
+			return 0;
+		}
+		offset = ((unsigned int) buffer[2] << 8) + buffer[3];
+		if (offset < 2) {
+			return 2;
+		}
+		offset -= 2;
+		offset += lseek(fd, 0, SEEK_CUR);
+		if (lseek(fd, offset, SEEK_SET) != offset) {
+			return -1;
+		}
+	}
+}
--- a/clamav-devel/libclamav/special.h
+++ b/clamav-devel/libclamav/special.h
@ -0,0 +1,25 @@
+/*
+ *  Copyright (C) 2004 trog@uncon.org
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#ifndef __SPECIAL_H
+#define __SPECIAL_H
+
+int cli_check_mydoom_log(int desc, const char **virname);
+int cli_check_jpeg_exploit(int fd);
+
+#endif