On Thu, 16 Sep 2004 22:58:54 +0100 Kevin Spicer <[EMAIL PROTECTED]> wrote:
> On Thu, 2004-09-16 at 22:24, Kevin Spicer wrote:
> > It looks like there are two possible four byte sequences that can
> > trigger the exploit. I guess this is probably too small to avoid an
> > unacceptable level of false positives(?) Presumably this could be
> > combined with the 'magic' numbers for jpeg files to improve this,
> > but still maybe not narrow enough? I'm trying to find out whether
> > there is a particular place the comment field occurs, but the
> > documentation is not very easy to understand without background
> > knowledge.
>
> Okay, well I've found an easier to understand source...
> http://www.funducode.com/freec/Fileformats/format3/format3b.htm
> and it seems that the particular exploit byte sequence would be unique
> within jpeg files. I've also tracked down docs on how to make a
> signature for clam, but it doesn't appear that it's possible to form a

A new signature format that will be included in 0.80rc will allow advanced
offset and target type specification, including JPEG images.

> signature by detecting two distinct patterns in a file, or anchoring

With older clamav versions you can use HEX1*HEX2*...*HEXn

-- 
   oo    .....         Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Fri Sep 17 03:58:30 CEST 2004
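
The trade-off discussed in this message, as an added example that is not part of the original thread and is not ClamAV code: a simplified model of HEX1*HEX2 matching, run over constructed samples, showing what pairing the short sequence with the JPEG magic bytes removes and what it does not. Assumption not stated in the thread: the two four-byte sequences are a JPEG COM marker (FF FE) followed by a length field of 0 or 1.

```python
import codecs

# Assumption (not stated in the thread): COM marker FF FE followed by a length
# of 0 or 1. A valid segment length is >= 2 because it counts its own two bytes.
BARE_SIGS = ["fffe0000", "fffe0001"]
JPEG_MAGIC = "ffd8ff"  # SOI marker plus the first byte of the next marker
COMBINED_SIGS = [f"{JPEG_MAGIC}*{s}" for s in BARE_SIGS]


def match_sig(sig: str, data: bytes) -> bool:
    """Model of HEX1*HEX2*...*HEXn: each part must occur, in order, after the
    previous one, with any number of bytes in between. No offset anchoring."""
    pos = 0
    for part in sig.split("*"):
        needle = bytes.fromhex(part)
        idx = data.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def match_any(sigs, data: bytes) -> bool:
    return any(match_sig(s, data) for s in sigs)


# Constructed samples (not real files).
APP0 = bytes.fromhex("ffe000104a46494600010100000100010000")
BAD_JPEG = b"\xff\xd8" + APP0 + bytes.fromhex("fffe0000") + b"\xff\xd9"
GOOD_JPEG = b"\xff\xd8" + APP0 + bytes.fromhex("fffe0005") + b"hi!" + b"\xff\xd9"
# The UTF-32 little-endian byte order mark is exactly FF FE 00 00.
UTF32_TEXT = codecs.BOM_UTF32_LE + "hi".encode("utf-32-le")
# Not a JPEG: both patterns occur in order, but not at the start of the data.
UNANCHORED = b"\x10\xff\xd8\xff\x20" + b"A" * 8 + codecs.BOM_UTF32_LE


def report():
    """Return {sample: (bare_sig_hit, combined_sig_hit)}."""
    samples = {"bad_jpeg": BAD_JPEG, "good_jpeg": GOOD_JPEG,
               "utf32_text": UTF32_TEXT, "unanchored": UNANCHORED}
    return {name: (match_any(BARE_SIGS, d), match_any(COMBINED_SIGS, d))
            for name, d in samples.items()}


if __name__ == "__main__":
    for name, (bare, combined) in report().items():
        print(f"{name:11} bare={bare!s:5} combined={combined}")
```

The `unanchored` sample still hits the combined signature because `*` only enforces order; tying the magic bytes to the start of the file needs the offset and target type specification mentioned for 0.80rc.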