Hi Kevin,

On Fri, Sep 17, 2004 at 07:59:51AM +0100, Kevin Spicer wrote:
> On Fri, 2004-09-17 at 03:02, Tomasz Kojm wrote:
> > > Okay, well I've found an easier to understand source...
> > > http://www.funducode.com/freec/Fileformats/format3/format3b.htm
> > > and it seems that the particular exploit byte sequence would be unique
> > > within jpeg files. I've also tracked down docs on how to make a
> > > signature for clam, but it doesn't appear that it's possible to form a
> >
> > A new signature format that will be included in 0.80rc will allow
> > advanced offset and target type specification, including JPEG images.
>
> Cool, as ever you're one step ahead!
>
> > > signature by detecting two distinct patterns in a file, or anchoring
> >
> > With older clamav versions you can use HEX1*HEX2*...*HEXn
>
> That doesn't anchor to the start of the file though (I guess I'd need to
> anchor the magic number to minimise false positives). I had just about
> guessed, by looking at the sig files after I posted, that the * was a
> wildcard (matching many bytes) and the ? a single unknown byte
> (correct?). Perhaps this information could be added to signatures.pdf?
> Is there a limit (and if so what is it) to how many bytes a * will
> match?
0xFFFE is the comment marker in a JPEG. So it's not that bad to detect. It is
followed by the length field, which is where the problem occurs. So you have to
detect the following sequence from the beginning of the JPEG:

  ffd8          <- SOI marker
  ffe0          <- APP0 marker
  0010          <- length of APP0 including those 2 bytes
  4a46 4946 00  <- string "JFIF" terminated with 0x00
  010[012]      <- common version number (may differ)        -> 0?0?
  0[012]        <- units: none / pixels per inch / per cm    -> 0?
  0010          <- vertical resolution                       -> ????
  0010          <- horizontal resolution                     -> ????
  0000          <- preview (thumbnail) resolution            -> ????
  fffe          <- comment marker
  000[01]       <- bad comment length                        -> 000?

So assuming the ? character stands for 4 bits, a signature would look
something like this:

  Xploit.Name (Clam)=ffd8ffe000104a46494600?????????fffe0000
  Xploit.Name (Clam)=ffd8ffe000104a46494600?????????fffe0001

That's straight from the beginning but isn't long enough, and ClamAV may
produce false positives. Btw. the signatures don't work.

There should be an SOS marker somewhere in the image: 0xFFDA. At the end of
the image there should be an EOI marker, 0xFFD9. 0xFFC4 (Huffman table),
0xFFDB (quantization table) and 0xFFC0 (start of frame) may also be a good
idea to check.

  Xploit.Name.better (Clam)=ffd8ffe000104a464946000?0?0?????????????fffe0000*ffdb*ffc0*ffc4*ffda*ffd9
  Xploit.Name.better (Clam)=ffd8ffe000104a464946000?0?0?????????????fffe0001*ffdb*ffc0*ffc4*ffda*ffd9

That would be the signature for a plain JFIF file, no EXIF tags. But due to
the many ??? it is also not a valid signature.

  Xploit.Jpeg.Comment.2.FalsePositiv (Clam)=ffd8ffe000104a46494600*fffe0001*ffdb*ffc0*ffda*ffd9
  Xploit.Jpeg.Comment.1.FalsePositiv (Clam)=ffd8ffe000104a46494600*fffe0000*ffdb*ffc0*ffda*ffd9

Those two are valid and (IMHO) catch the exploit in JFIF and EXIF, but may
also produce false positives. Just test them.
Greetings
Daniel

--
Just because you're paranoid doesn't mean they aren't after you ;)

_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
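As an added worked example (not code from this thread and not ClamAV's own matcher), the script below shows why a raw byte signature of the `ffd8...*fffe0001*...` form over-matches, and what a structural check of the same condition looks like. It walks JPEG marker segments by their length fields and flags a COM (0xFFFE) segment whose declared length is 0 or 1, which is the malformed-length condition the message describes. Beside it, `hex_sig_to_regex` implements the `?` (any nibble) / `*` (any run of bytes) semantics as Kevin's reply describes them, so the two approaches can be compared on two constructed inputs: one with a real bad comment length, and one well-formed file whose APP1 payload merely happens to contain the bytes `ff fe 00 01`. The samples are constructed for the test and are not decodable images; the segment lengths are consistent but the table contents are placeholders.

```python
import re
import struct

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def walk_segments(data):
    """Yield (offset, marker, declared_length) for every marker in a JPEG stream.

    declared_length is None for standalone markers. Entropy-coded data after
    SOS is skipped by searching for the next marker that is neither a stuffed
    0xFF00 nor an RSTn. Iteration stops at EOI, at end of input, or at a
    segment whose length field is below 2 (the length counts itself, so such
    a segment cannot be walked safely; this is the condition we want to flag).
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        start = pos
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            return
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield start, marker, None
            if marker == 0xD9:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field at offset %d" % pos)
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        yield start, marker, length
        if length < 2:
            return
        pos += length
        if marker == 0xDA:                              # SOS: skip scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1


def find_bad_comments(data):
    """Return [(offset, length)] for COM segments whose length field is 0 or 1."""
    return [(off, length) for off, marker, length in walk_segments(data)
            if marker == 0xFE and length is not None and length < 2]


def hex_sig_to_regex(sig):
    """Compile a HEX1*HEX2*... signature body: '?' = any nibble, '*' = any bytes.

    This follows the wildcard meaning described in the thread; it is an
    illustration, not ClamAV's matcher, and it is unanchored like the old format.
    """
    parts = []
    for token in sig.split("*"):
        if len(token) % 2:
            raise ValueError("odd number of nibbles in %r" % token)
        for i in range(0, len(token), 2):
            hi, lo = token[i], token[i + 1]
            if hi == "?" and lo == "?":
                parts.append(b".")
                continue
            if hi == "?":
                candidates = [h << 4 | int(lo, 16) for h in range(16)]
            elif lo == "?":
                candidates = [int(hi, 16) << 4 | l for l in range(16)]
            else:
                candidates = [int(hi + lo, 16)]
            parts.append(b"[" + b"".join(b"\\x%02x" % c for c in candidates) + b"]")
        parts.append(b".*")
    return re.compile(b"".join(parts[:-1]), re.DOTALL)


def segment(marker, payload):
    """Build a marker segment whose length field counts itself plus the payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


APP0_JFIF = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
# Constructed tail carrying the markers the thread's signatures look for
# (DQT, SOF0, DHT, SOS, a few bytes of scan data with a stuffed FF00, EOI).
TAIL = (segment(0xDB, b"\x00\x00") + segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
        + segment(0xC4, b"\x00") + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
        + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
# Constructed sample 1: a COM marker whose length field is 1 (the thread's condition).
MALFORMED = b"\xff\xd8" + APP0_JFIF + b"\xff\xfe\x00\x01" + TAIL
# Constructed sample 2: well-formed, but an APP1 payload contains the bytes ff fe 00 01.
BENIGN = b"\xff\xd8" + APP0_JFIF + segment(0xE1, b"Exif\x00\x00\xff\xfe\x00\x01\x00\x00") + TAIL

SIG_FROM_THREAD = "ffd8ffe000104a46494600*fffe0001*ffdb*ffc0*ffda*ffd9"


def compare(data):
    """Return (structural_hit, raw_signature_hit) for one byte string."""
    structural = bool(find_bad_comments(data))
    raw = hex_sig_to_regex(SIG_FROM_THREAD).search(data) is not None
    return structural, raw


if __name__ == "__main__":
    for name, blob in (("malformed", MALFORMED), ("benign", BENIGN)):
        print(name, compare(blob))
```

On the malformed sample both methods fire; on the benign sample only the raw signature does, because `*` happily spans the APP1 segment and accepts `fffe0001` as payload bytes rather than as a marker plus length field. Walking the segments by their declared lengths is what removes that class of false positive, which is the same gap the newer offset- and target-aware signature format mentioned in the thread is meant to close.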