On Mon, Aug 13, 2012 at 4:28 PM, Maarten Broekman <mbroek...@maileig.com> wrote:

> All,
>
> I've been struggling with this particular issue for some time and I took a look at the recent git commits, but I'm not sure if this issue is covered by the fix for BB#5409 (I don't have access to look at BB#5409 so I'm not sure of the details on it).
>
> I have a PHP.Remoteadmin-3 php script. I have another file with the EXACT same PHP code in it but it starts with a GIF89a; header. Running clamscan against the bare PHP.Remoteadmin-3 file yields the following debug output:
>
> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> LibClamAV debug: cache_check: 6dc368b3d0b9f8e714dd910b7bcdb602 is negative
> LibClamAV debug: Recognized ASCII text
> LibClamAV debug: Matched signature for file type HTML data at 0
> LibClamAV debug: in cli_scanhtml()
> LibClamAV debug: cli_scanhtml: using tempdir /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b
> LibClamAV debug: JS-Norm: cli_js_init() done
> LibClamAV debug: JS-Norm: in cli_js_parse_done()
> LibClamAV debug: JS-Norm: dumped/appended normalized script to: /tmp/clamav-bf38c5b7b8bf1537a090e0e2554ff01b/javascript
> LibClamAV debug: JS-Norm: cli_js_destroy() done
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: FP SIGNATURE: 6dc368b3d0b9f8e714dd910b7bcdb602:22187:PHP.Remoteadmin-3
> LibClamAV debug: cli_magic_scandesc: returning 1 at line 2350
> tmp.php: PHP.Remoteadmin-3 FOUND
>
> Running clamscan on the file with the GIF header yields the following output:
>
> LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
> LibClamAV debug: cache_check: 91aea7e046e095e8f17791189436f860 is negative
> LibClamAV debug: Recognized GIF file
> LibClamAV debug: in cli_check_jpeg_exploit()
> LibClamAV debug: Matched signature for file type HTML data at 9
> LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
> LibClamAV debug: cache_add: 91aea7e046e095e8f17791189436f860 (level 0)
> LibClamAV debug: cli_magic_scandesc: returning 0 at line 2422
> leone.php.pjpeg-20120813131847: OK
>
> In the original file, after matching the signature for an HTML file, clamscan enters 'cli_scanhtml()'. In the GIF-headed file, it sees the GIF file, checks for exploits, then sees the HTML data but never enters cli_scanhtml().
>
> Is this fixed by the commits for BB#5409? Or should I submit a new bugzilla report?
>
> For now, I've added an MD5 checksum to my hdb file to catch this specific instance, but I'd really like to get this resolved so that file type transitions don't cause the scan to bail out.
>
> --Maarten
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

The signature in question (PHP.Remoteadmin-3) is an older one inside main.cvd. It searches for a specific sequence anywhere in the file, but that signature is specifically marked for HTML files only.

What you are seeing in the debug log is the ClamAV matcher reporting that it found the sequence within the GIF file and also reporting the signature type [in this case, HTML]. ClamAV is not treating the GIF file content after the header as HTML content. It would be normalizing it and scanning for scripts and other follow-up steps if it were. I don't think it would be efficient to treat all graphics files as archives and scan the binary content.

If there is a related exploit, then a new or updated signature will need to be written. If you are seeing this file as a part of a malware attack, then please go to http://www.clamav.net/ and submit this as a malware sample. An analyst may want to contact you about more details.

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
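As an added example (not code from this thread, nor from ClamAV itself), a small Python check for the "file type transition" Maarten describes: it flags a file whose GIF magic is followed by a script marker, and builds the `MD5:FileSize:MalwareName` line that a `.hdb` hash signature uses, which is the per-file workaround he mentions. The sample bytes are constructed for the example, not his actual file; the `<?php` marker is placed at offset 9 only to mirror his debug output.

```python
import hashlib

GIF_MAGICS = (b"GIF87a", b"GIF89a")
# Script markers to look for once the file has already been typed as a GIF
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# Constructed samples (not from the thread): a "GIF89a;" header, a line
# break, then PHP code, so the marker lands at offset 9 as in the debug log;
# a plain GIF header with no script; and a bare PHP file.
SAMPLE_GIF_PHP = b"GIF89a;\r\n<?php echo 'hello'; ?>"
SAMPLE_PLAIN_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
SAMPLE_PLAIN_PHP = b"<?php echo 'hello'; ?>"


def find_script_after_gif_header(data: bytes):
    """Return (offset, marker) of the earliest script marker found after a
    GIF magic, or None if the file is not a GIF or carries no marker."""
    if data[:6] not in GIF_MAGICS:
        return None
    lowered = data.lower()  # case-insensitive match, e.g. <SCRIPT>
    hits = []
    for marker in SCRIPT_MARKERS:
        off = lowered.find(marker, 6)  # search only past the 6-byte magic
        if off != -1:
            hits.append((off, marker))
    return min(hits) if hits else None


def hdb_entry(data: bytes, name: str) -> str:
    """Build the MD5:FileSize:MalwareName line that ClamAV reads from a .hdb
    file, i.e. the hash-based workaround Maarten added for this one file."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def scan(data: bytes, label: str) -> str:
    """Return a one-line verdict for a file, in the spirit of clamscan output."""
    hit = find_script_after_gif_header(data)
    if hit is None:
        return f"{label}: OK"
    return f"{label}: script marker {hit[1].decode()} at offset {hit[0]} after GIF header"


if __name__ == "__main__":
    print(scan(SAMPLE_GIF_PHP, "leone.php.pjpeg"))
    print(scan(SAMPLE_PLAIN_GIF, "plain.gif"))
    print(hdb_entry(SAMPLE_GIF_PHP, "Local.GifPhpPolyglot"))
```

The hash line only ever matches that exact byte sequence, which is why it catches one instance and not the general type-transition case Dave describes.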