All, I've been struggling with this particular issue for some time and I took a look at the recent git commits, but I'm not sure if this issue is covered by the fix for BB#5409 (I don't have access to look at BB#5409 so I'm not sure of the details on it).
I have a PHP.Remoteadmin-3 php script. I have another file with the EXACT same PHP code in it but it starts with a GIF89a; header. Running clamscan against the bare PHP.Remoteadmin-3 file yields the following debug output:

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: 6dc368b3d0b9f8e714dd910b7bcdb602 is negative
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data at 0
LibClamAV debug: in cli_scanhtml()
LibClamAV debug: cli_scanhtml: using tempdir /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b
LibClamAV debug: JS-Norm: cli_js_init() done
LibClamAV debug: JS-Norm: in cli_js_parse_done()
LibClamAV debug: JS-Norm: dumped/appended normalized script to: /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b/javascript
LibClamAV debug: JS-Norm: cli_js_destroy() done
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: FP SIGNATURE: 6dc368b3d0b9f8e714dd910b7bcdb602:22187:PHP.Remoteadmin-3
LibClamAV debug: cli_magic_scandesc: returning 1 at line 2350
tmp.php: PHP.Remoteadmin-3 FOUND

Running clamscan on the file with the GIF header yields the following output:

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: 91aea7e046e095e8f17791189436f860 is negative
LibClamAV debug: Recognized GIF file
LibClamAV debug: in cli_check_jpeg_exploit()
LibClamAV debug: Matched signature for file type HTML data at 9
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: cache_add: 91aea7e046e095e8f17791189436f860 (level 0)
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2422
leone.php.pjpeg-20120813131847: OK

In the original file, after matching the signature for an HTML file, clamscan enters 'cli_scanhtml()'. In the GIF-headed file, it sees the GIF file, checks for exploits, then sees the HTML data but never enters cli_scanhtml(). Is this fixed by the commits for BB#5409? Or should I submit a new Bugzilla report?
For now, I've added an MD5 checksum to my hdb file to catch this specific instance, but I'd really like to get this resolved so that file type transitions don't cause the scan to bail out.

--Maarten
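
An added example, not part of the original message and not ClamAV code: a stand-alone check that flags files whose leading bytes identify an image but which also contain a PHP open tag, the structure of the GIF89a;-prefixed file described above. The function names, the magic-byte list and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys

# Magic bytes of image types that upload filters commonly allow.
IMAGE_MAGIC = (
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
)

# "<?php" plus whitespace, case-insensitive. The short tag "<?=" is left out
# on purpose: three bytes occur by chance in compressed image data.
PHP_OPEN_TAG = re.compile(rb"<\?php\s", re.IGNORECASE)

# Constructed sample: a GIF89a; header followed by harmless PHP.
SAMPLE_GIF_PHP = b"GIF89a;\n<?php echo 'constructed sample'; ?>\n"


def image_type(data):
    """Return the image type named by the leading magic bytes, or None."""
    for magic, name in IMAGE_MAGIC:
        if data.startswith(magic):
            return name
    return None


def find_embedded_php(data):
    """Return (image_type, offset of the PHP open tag) for image-headed data
    that also contains PHP, or None when either part is missing."""
    kind = image_type(data)
    if kind is None:
        return None
    match = PHP_OPEN_TAG.search(data)
    if match is None:
        return None
    return kind, match.start()


if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise check files.
    if len(sys.argv) == 1:
        print("sample:", find_embedded_php(SAMPLE_GIF_PHP))
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            hit = find_embedded_php(handle.read())
        print(path, "image header with PHP at offset %d" % hit[1] if hit else "no match")
```

Files without an image header return None here by design; they take the plain-text path that the first debug trace shows being scanned normally.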