On Thu, 2004-09-16 at 22:24, Kevin Spicer wrote:
> It looks like there are two possible four byte sequences that can
> trigger the exploit.  I guess this is probably too small to avoid an
> unacceptable level of false positives(?)  Presumably this could be
> combined with the 'magic' numbers for jpeg files to improve this, but
> still maybe not narrow enough?  I'm trying to find out whether there is
> a particular place the comment field occurs, but the documentation is
> not very easy to understand without background knowledge.

Okay, well I've found an easier to understand source...
http://www.funducode.com/freec/Fileformats/format3/format3b.htm
and it seems that the particular exploit byte sequence would be unique
within jpeg files.  I've also tracked down docs on how to make a
signature for clam, but it doesn't appear that its possible to form a
signature by detecting two distinct patterns in a file, or anchoring one
to the beginning (maybe it is and this is just not in the signatures.pdf
file?)
To recap I reckon it should be possible to detect this exploit by
matching the magic number anchored to the start of the file.  i.e.
ffd8 ffe0
Then (anywhere in the file) 
fffe 0000 or fffe 0001

But now I'm stuck...




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB International Limited 
accepts no liability in relation to any personal emails, or 
content of any email which does not directly relate to our 
business.




-------------------------------------------------------
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users

Reply via email to