Mailing List Archive: ClamAV: devel

bad signatures?



amir73il at users

Jan 1, 2007, 8:12 AM

Post #1 of 5 (1329 views)
bad signatures?

Hi,

I think there is a bug in the cli_ac_addpatt() function.

In my kernel module version of clamav, I check for wildcard characters
in the first 2 bytes of the pattern:

    for(i = 0; i < AC_MIN_LENGTH; i++) {
        // wild card characters not allowed in hash
        if (pattern->pattern[i] == CLI_IGN || pattern->pattern[i] == CLI_ALT)
            return CL_EPATSHORT;
    }

I do that because if such a node is added to the AC trie,
that node will never be found by cli_ac_scanbuff().

There are 2 examples I found in the clamav db for signatures that have
a wildcard character as the 2nd byte of the pattern:

Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
Trojan.IRC-Script-28:0:*:6e??...

Please let me know if I got it wrong.
Thanks,
Amir.
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html


edwintorok at gmail

Jan 1, 2007, 11:08 AM

Post #2 of 5 (1249 views)
Re: bad signatures?

On 1/1/07, Amir Goldor <amir73il [at] users> wrote:
> Hi,

Hi, please see this thread:
http://lurker.clamav.net/message/20061030.185430.688d1f47.en.html

>
> I think there is a bug in the cli_ac_addpatt() function.
>
> in my kernel module version of clamav, I check for wildcard characters

Is it based on 0.88.x? 0.90 has an improved ac engine.

>
> there are 2 examples I found in the clamav db for signatures that have
> a wildcard character as the 2nd bytes of the pattern:

TK said (in that thread) range wildcards (*,{}). "(59|79)" is not a
range wildcard.

>
> Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> Trojan.IRC-Script-28:0:*:6e??...

Should work in 0.90rc.

Tomasz: please correct me if I am wrong.

Best regards,
Edwin


amir73il at users

Jan 2, 2007, 3:55 AM

Post #3 of 5 (1245 views)
Re: bad signatures?

On 1/1/07, Török Edvin <edwintorok@???> wrote:

>
> Hi, please see this thread:
> http://lurker.clamav.net/message/20061030.185430.688d1f47.en.html
>

I am not sure this discussion is related to the bug I mentioned.

> >
> > I think there is a bug in the cli_ac_addpatt() function.
> >
> > in my kernel module version of clamav, I check for wildcard characters
>
> Is it based on 0.88.x? 0.90 has an improved ac engine.
>

0.88. I didn't check 0.90 yet.

> >
> > there are 2 examples I found in the clamav db for signatures that have
> > a wildcard character as the 2nd bytes of the pattern:
>
> TK said (in that thread) range wildcards (*,{})). "(59|79)" is not a
> range wildcard.
>

I know that a short part signature is not valid.
The problem I am pointing out is that the 2 signatures below are
"valid" according to 0.88, but they will never be detected,
because of the way the AC trie works: if the pattern prefix is
6e?? and the input data is 6e6e (for example), it will not match it.

> >
> > Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> > Trojan.IRC-Script-28:0:*:6e??...
>
> Should work in 0.90rc.
>

Thanks,
I will check it.

Amir.


amir73il at users

Jan 3, 2007, 5:14 AM

Post #4 of 5 (1229 views)
Re: bad signatures?

On 1/1/07, Török Edvin <edwintorok [at] gmail> wrote:
> >
> > I think there is a bug in the cli_ac_addpatt() function.
> >
> > in my kernel module version of clamav, I check for wildcard characters
>
> Is it based on 0.88.x? 0.90 has an improved ac engine.
>
> >
> > there are 2 examples I found in the clamav db for signatures that have
> > a wildcard character as the 2nd bytes of the pattern:
> >
> > Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> > Trojan.IRC-Script-28:0:*:6e??...
>
> Should work in 0.90rc.
>

I checked the 0.90RC2 code.
As far as I can tell, there is a bug and it is still in there:

cli_add_patt() does:

    next = pos->trans[((unsigned char) pattern->pattern[i]) & 0xff];

which is futile in case pattern[i] == CLI_ALT or CLI_IGN

Amir.


edwintorok at gmail

Jan 4, 2007, 8:45 AM

Post #5 of 5 (1218 views)
Re: bad signatures?

On 1/3/07, Amir Goldor <amir73il [at] users> wrote:
> On 1/1/07, Török Edvin <edwintorok [at] gmail> wrote:
> > >
> > > I think there is a bug in the cli_ac_addpatt() function.
> > >
> > > in my kernel module version of clamav, I check for wildcard characters
> >
> > Is it based on 0.88.x? 0.90 has an improved ac engine.
> >
> > >
> > > there are 2 examples I found in the clamav db for signatures that have
> > > a wildcard character as the 2nd bytes of the pattern:
> > >
> > > Trojan.Bat.DeltreeY-3:0:*:...{-1}2f(59|79)...
> > > Trojan.IRC-Script-28:0:*:6e??...

I checked these signatures, and they work with 0.90rc2.

> >
> > Should work in 0.90rc.
> >
>
> I checked the 0.90RC2 code.
> as far as I can tell, there is a bug and it is still in there:

If you think there still is a bug in 0.90rc2, please open a bug report
on bugs.clamav.net, and provide a test case (a signature, and a file
that should be detected by clam, but isn't due to this bug).

>
> cli_add_patt() does:
> next = pos->trans[((unsigned char) pattern->pattern[i]) & 0xff];
>
> which is futile is case pattern[i] == CLI_ALT or CLI_IGN

I don't know much about this code, but I observed the following:
- in case of "6e??3d...": '6e' ends up in pattern->prefix, and 3d... ends up in pattern->pattern
- ditto for 2f(59|79), it ends up in prefix
- thus cli_add_patt should never deal with CLI_ALT or CLI_IGN, because cli_ac_add_sig preprocesses the signature

Thus, CLI_ALT, or CLI_IGN is never destroyed by &0xff above.

Indeed in the case of 0.88.x the above isn't true.

Best regards,
Edwin
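The two mechanisms argued about in this thread, as an added stand-alone example that is not ClamAV code and not from either poster: Amir's point (posts #3 and #4) that a wildcard element masked with `& 0xff` and stored as a trie transition can never be reached by real input, and Edwin's description (post #5) of splitting a signature so that only the literal tail enters the trie while the wildcard-bearing prefix is checked separately. The trie is a plain prefix trie scanned from every offset rather than a full Aho-Corasick automaton, `WILD_IGN` is a constructed sentinel (not ClamAV's actual `CLI_IGN` value), the prefix/tail split point is a simplification chosen for this demo, and `(59|79)`-style alternatives are not modelled. Signature bodies and scanned data are constructed hex strings.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not ClamAV code. WILD_IGN is a constructed sentinel standing in
 * for the "??" marker the thread calls CLI_IGN; ClamAV's real value differs. */
#define WILD_IGN  0x100
#define MAX_ELEMS 64
#define MAX_NODES 64

/* Parse a hex signature body such as "6e??3d": 0x00..0xff for literal bytes,
 * WILD_IGN for "??". Returns the number of elements written. */
static int parse_sig(const char *hex, int *out, int max) {
    int n = 0;
    for (; hex[0] && hex[1] && n < max; hex += 2, n++) {
        if (hex[0] == '?' && hex[1] == '?') { out[n] = WILD_IGN; continue; }
        char buf[3] = { hex[0], hex[1], 0 };
        out[n] = (int)strtol(buf, NULL, 16);
    }
    return n;
}

/* Minimal trie: one node per matched prefix, 256 byte-indexed transitions. */
struct node { int trans[256]; int final; };
struct trie { struct node n[MAX_NODES]; int count; };

static int trie_new_node(struct trie *t) {
    if (t->count >= MAX_NODES) { fputs("trie full\n", stderr); exit(1); }
    memset(t->n[t->count].trans, -1, sizeof t->n[t->count].trans);
    t->n[t->count].final = 0;
    return t->count++;
}
static void trie_init(struct trie *t) { t->count = 0; trie_new_node(t); }

/* Insert a pattern with the indexing the thread quotes: each element is masked
 * with 0xff before use as a transition, so WILD_IGN (0x100) silently becomes
 * the literal byte 0x00 in the trie. */
static void trie_add(struct trie *t, const int *pat, int n) {
    int pos = 0;
    for (int i = 0; i < n; i++) {
        int c = pat[i] & 0xff;
        if (t->n[pos].trans[c] < 0) t->n[pos].trans[c] = trie_new_node(t);
        pos = t->n[pos].trans[c];
    }
    t->n[pos].final = 1;
}

/* Does some trie pattern match the data starting exactly at offset off? */
static int trie_match_at(const struct trie *t, const unsigned char *d, int len, int off) {
    int pos = 0;
    for (int i = off; i < len; i++) {
        if (t->n[pos].final) return 1;
        if ((pos = t->n[pos].trans[d[i]]) < 0) return 0;
    }
    return t->n[pos].final;
}

static int hex_to_bytes(const char *hex, unsigned char *out, int max) {
    int tmp[MAX_ELEMS], len = parse_sig(hex, tmp, max);
    for (int i = 0; i < len; i++) out[i] = (unsigned char)tmp[i];
    return len;
}

/* 0.88-style behaviour as Amir describes it: the whole pattern, wildcard
 * included, goes into the trie. Returns 1 if data_hex is detected. */
static int scan_naive(const char *sig_hex, const char *data_hex) {
    int pat[MAX_ELEMS], n = parse_sig(sig_hex, pat, MAX_ELEMS);
    unsigned char d[MAX_ELEMS]; int len = hex_to_bytes(data_hex, d, MAX_ELEMS);
    struct trie t; trie_init(&t);
    trie_add(&t, pat, n);
    for (int off = 0; off < len; off++)
        if (trie_match_at(&t, d, len, off)) return 1;
    return 0;
}

/* Split approach in the spirit of Edwin's 0.90 description (split point is this
 * demo's simplification): everything up to and including the last wildcard is
 * the prefix, only the literal tail enters the trie, and the prefix is verified
 * byte-wise on each tail hit. Returns 1 hit, 0 miss, -1 if no literal tail. */
static int scan_split(const char *sig_hex, const char *data_hex) {
    int pat[MAX_ELEMS], n = parse_sig(sig_hex, pat, MAX_ELEMS), plen = 0;
    unsigned char d[MAX_ELEMS]; int len = hex_to_bytes(data_hex, d, MAX_ELEMS);
    for (int i = 0; i < n; i++) if (pat[i] == WILD_IGN) plen = i + 1;
    if (plen == n) return -1;            /* nothing literal to anchor on */
    struct trie t; trie_init(&t);
    trie_add(&t, pat + plen, n - plen);
    for (int off = plen; off < len; off++) {
        if (!trie_match_at(&t, d, len, off)) continue;
        int ok = 1;
        for (int i = 0; i < plen && ok; i++)
            ok = (pat[i] == WILD_IGN || pat[i] == d[off - plen + i]);
        if (ok) return 1;
    }
    return 0;
}

/* Amir's load-time guard, generalised: a wildcard within the first min_len
 * elements can never be a trie key, so the signature is rejected up front. */
static int sig_has_wildcard_head(const char *sig_hex, int min_len) {
    int pat[MAX_ELEMS], n = parse_sig(sig_hex, pat, MAX_ELEMS);
    for (int i = 0; i < n && i < min_len; i++)
        if (pat[i] == WILD_IGN) return 1;
    return 0;
}

int main(void) {
    printf("naive 6e??3d vs 6e6e3d: %d\n", scan_naive("6e??3d", "6e6e3d")); /* 0: missed */
    printf("naive 6e??3d vs 6e003d: %d\n", scan_naive("6e??3d", "6e003d")); /* 1: only 0x00 hits */
    printf("split 6e??3d vs 6e6e3d: %d\n", scan_split("6e??3d", "6e6e3d")); /* 1 */
    return 0;
}
```

The naive path shows the failure mode precisely: the signature `6e??3d` is stored as the literal bytes `6e 00 3d`, so the file content `6e 6e 3d` it was written for is never detected, while content containing a literal `0x00` in that position is. The split path detects `6e6e3d` and still rejects `6f6e3d`; a signature made only of wildcards returns -1 because nothing literal remains to anchor the trie lookup, which is the condition a loader should refuse.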
