On Thu, 2004-09-16 at 22:24, Kevin Spicer wrote:

> It looks like there are two possible four byte sequences that can
> trigger the exploit. I guess this is probably too small to avoid an
> unacceptable level of false positives(?) Presumably this could be
> combined with the 'magic' numbers for jpeg files to improve this, but
> still maybe not narrow enough? I'm trying to find out whether there is
> a particular place the comment field occurs, but the documentation is
> not very easy to understand without background knowledge.
Okay, well I've found an easier-to-understand source...
http://www.funducode.com/freec/Fileformats/format3/format3b.htm
and it seems that the particular exploit byte sequence would be unique within jpeg files.

I've also tracked down docs on how to make a signature for clam, but it doesn't appear that it's possible to form a signature by detecting two distinct patterns in a file, or anchoring one to the beginning (maybe it is and this is just not in the signatures.pdf file?)

To recap, I reckon it should be possible to detect this exploit by matching the magic number anchored to the start of the file, i.e.

  ffd8 ffe0

Then (anywhere in the file)

  fffe 0000

or

  fffe 0001

But now I'm stuck...

BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000

_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users