Mailing List Archive: ClamAV: devel

Bypassing Virus Scanners Using MIME Encoding Tricks



todd at bayleys

Dec 8, 2006, 1:50 AM

Post #1 of 4 (1302 views)
Bypassing Virus Scanners Using MIME Encoding Tricks

Hi,

have you noticed?
http://www.quantenblog.net/security/virus-scanner-bypass

ClamAV is affected in two ways:

a) With a tricky (but standard conformant) way of BASE 64 encoding
viruses will not be detected.

b) With a high number of nested multiparts in a MIME message clamd can
be forced into a stack overflow. I was able to reproduce this with
1000 nested multiparts on a 64 MB machine. - This needs no uncommon
BASE 64 encoding, just the multiparts.

The author of that analysis provided an example for this exploit.

Regards,

Todd


_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html


tomek-clam-devel at lodz

Dec 8, 2006, 1:51 PM

Post #2 of 4 (1221 views)
Re: Bypassing Virus Scanners Using MIME Encoding Tricks [In reply to]

On Fri, 08 Dec 2006 at 10:50:54 +0100, Torsten Nitschke wrote:
> Hi,
>
> have you noticed?
> http://www.quantenblog.net/security/virus-scanner-bypass
>
[...]

Yes.

http://lurker.clamav.net/message/20061207.160741.1cde311c.en.html

("Already fixed in CVS").

P.S.
Torsten, it seems your machine clock is 10 hours late.

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner


ticho at gentoo

Dec 10, 2006, 7:50 AM

Post #3 of 4 (1209 views)
Re: Bypassing Virus Scanners Using MIME Encoding Tricks [In reply to]

On Fri, 8 Dec 2006 22:51:46 +0100
Tomasz Papszun <tomek-clam-devel [at] lodz> wrote:

> On Fri, 08 Dec 2006 at 10:50:54 +0100, Torsten Nitschke wrote:
> > Hi,
> >
> > have you noticed?
> > http://www.quantenblog.net/security/virus-scanner-bypass
> >
> [...]
>
> Yes.
>
> http://lurker.clamav.net/message/20061207.160741.1cde311c.en.html
>
> ("Already fixed in CVS").
>
> P.S.
> Torsten, seems your machine clock is 10 hours late.
>

Hello,

I'm trying to backport the fix in CVS for this[1], but all I can achieve is
that the virus is caught. If enough base64 nestings are used, clamd still
dies. Patch I'm using is attached.

Can you please provide a "more proper" patch for 0.88.6? Alternately, are you
planning to release 0.88.7 anytime soon?

1. http://cvsweb.clamav.net/bin/cgi/viewvc.cgi/clamav-devel/libclamav/message.c?r1=1.191&r2=1.192

Thanks and kind regards,
--
Andrej "Ticho" Kacian <ticho at gentoo dot org>
Gentoo Linux Developer - net-mail, antivirus, sound, x86
Attachments: signature.asc (0.18 KB)
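The failure mode described in post #1 (clamd overflowing its stack on deeply nested multiparts) and post #3 (a backport that catches the virus but still lets clamd die at high nesting) is a recursion-depth problem in the MIME walker. The following is an added example, not ClamAV code and not from the linked CVS patch: it counts multipart nesting with an explicit stack instead of recursion and rejects a message once the depth passes a policy limit, so a mail gateway can bounce such a message before handing it to a recursive parser. The limit of 16, the boundary names, and the sample message builder are assumptions constructed for this example.

```python
"""Iterative MIME nesting-depth check (added example; not part of ClamAV)."""
import re
from typing import Dict, List, Optional, Tuple

MAX_DEPTH = 16  # assumption: policy limit chosen for this example

_BOUNDARY_RE = re.compile(r'boundary\s*=\s*"?([^";\s]+)"?', re.IGNORECASE)


def _parse_headers(lines: List[str], i: int) -> Tuple[Dict[str, str], int]:
    """Read RFC 822 style headers starting at lines[i].

    Returns (headers keyed by lower-cased name, index of the first body line).
    Folded continuation lines are joined onto the previous header."""
    headers: Dict[str, str] = {}
    name: Optional[str] = None
    while i < len(lines):
        line = lines[i]
        if line == "":
            return headers, i + 1
        if line[0] in " \t" and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
        i += 1
    return headers, i


def _boundary_of(headers: Dict[str, str]) -> Optional[str]:
    """Return the multipart boundary if this part is itself a multipart."""
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(ctype)
    return m.group(1) if m else None


def mime_depth(raw: str, limit: int = MAX_DEPTH) -> int:
    """Return the deepest multipart nesting level in `raw`.

    The walk uses an explicit stack of open boundaries, so the nesting depth
    of the input never translates into call-stack depth. A ValueError is
    raised as soon as the depth exceeds `limit`, before the rest of the
    message is read."""
    lines = raw.split("\n")
    headers, i = _parse_headers(lines, 0)
    stack: List[str] = []
    top = _boundary_of(headers)
    if top:
        stack.append(top)
    max_depth = len(stack)

    while i < len(lines) and stack:
        line = lines[i]
        i += 1
        if not line.startswith("--"):
            continue
        # Compare against every open boundary, innermost first, so a part
        # missing its closing marker cannot desynchronise the walk.
        for level in range(len(stack) - 1, -1, -1):
            bd = stack[level]
            if line == "--" + bd + "--":
                del stack[level:]  # close this multipart and anything left open inside it
                break
            if line == "--" + bd:
                del stack[level + 1:]  # a new sibling part at this level begins
                part_headers, i = _parse_headers(lines, i)
                child = _boundary_of(part_headers)
                if child:
                    stack.append(child)
                    max_depth = max(max_depth, len(stack))
                    if max_depth > limit:
                        raise ValueError(
                            f"multipart nesting depth {max_depth} exceeds limit {limit}")
                break
    return max_depth


def build_nested(depth: int) -> str:
    """Constructed sample: a message wrapped in `depth` multipart/mixed layers."""
    body = "Content-Type: text/plain\n\nhello\n"
    for d in range(depth, 0, -1):
        bd = f"b{d}"  # constructed boundary name
        body = (f'Content-Type: multipart/mixed; boundary="{bd}"\n\n'
                f"--{bd}\n{body}--{bd}--\n")
    return "From: sender@example.invalid\nSubject: constructed sample\n" + body


if __name__ == "__main__":
    print("depth of 3-level sample:", mime_depth(build_nested(3)))
    try:
        mime_depth(build_nested(1000))
    except ValueError as err:
        print("rejected:", err)
```

Because the depth counter is iterative, raising the limit to accept the 1000-level message from post #1 only costs a longer loop, not a deeper stack; the limit is a policy choice, and anything a real mail stream needs is far below the values at which a recursive parser starts to fail.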


tomek-clam-devel at lodz

Dec 11, 2006, 11:08 AM

Post #4 of 4 (1197 views)
Re: Re: Bypassing Virus Scanners Using MIME Encoding Tricks [In reply to]

On Sun, 10 Dec 2006 at 16:50:22 +0100, Andrej Kacian wrote:
>
> I'm trying to backport the fix in CVS for this[1], but all I can achieve is
> that the virus is caught. If enough base64 nestings are used, clamd still
> dies. Patch I'm using is attached.
>
> Can you please provide a "more proper" patch for 0.88.6? Alternately, are you
> planning to release 0.88.7 anytime soon?
>
> 1. http://cvsweb.clamav.net/bin/cgi/viewvc.cgi/clamav-devel/libclamav/message.c?r1=1.191&r2=1.192
>

ClamAV 0.88.7 has been released this afternoon.

http://www.clamav.net/stable.php#pagestart

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
tomek at clamav.net http://www.ClamAV.net/ A GPL virus scanner
