Torsten Nitschke | 8 Dec 10:50 2006

Bypassing Virus Scanners Using MIME Encoding Tricks

Hi,

have you noticed?
http://www.quantenblog.net/security/virus-scanner-bypass

ClamAV is affected in two ways:

a) With a tricky (but standard conformant) way of BASE 64 encoding 
viruses will not be detected.

b) With a high number of nested multiparts in a MIME message clamd can 
be forced into a stack overflow. I was able to reproduce this with 
1000 nested multiparts on a 64 MB machine. - This needs no uncommon 
BASE 64 encoding, just the multiparts.

The author of that analysis provided an example for this exploit.

Regards,

  Todd

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html

Tomasz Papszun | 8 Dec 22:51 2006

Re: Bypassing Virus Scanners Using MIME Encoding Tricks

On Fri, 08 Dec 2006 at 10:50:54 +0100, Torsten Nitschke wrote:
> Hi,
> 
> have you noticed?
> http://www.quantenblog.net/security/virus-scanner-bypass
> 
[...]

Yes.

http://lurker.clamav.net/message/20061207.160741.1cde311c.en.html

("Already fixed in CVS").

P.S.
Torsten, seems your machine clock is 10 hours late.

-- 
 Tomasz Papszun    SysAdm  <at>  TP S.A. Lodz, Poland    | And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner

Andrej Kacian | 10 Dec 16:50 2006

Re: Bypassing Virus Scanners Using MIME Encoding Tricks

On Fri, 8 Dec 2006 22:51:46 +0100
Tomasz Papszun <tomek-clam-devel <at> lodz.tpsa.pl> wrote:

> On Fri, 08 Dec 2006 at 10:50:54 +0100, Torsten Nitschke wrote:
> > Hi,
> > 
> > have you noticed?
> > http://www.quantenblog.net/security/virus-scanner-bypass
> > 
> [...]
> 
> Yes.
> 
> http://lurker.clamav.net/message/20061207.160741.1cde311c.en.html
> 
> ("Already fixed in CVS").
> 
> P.S.
> Torsten, seems your machine clock is 10 hours late.
> 

Hello,

I'm trying to backport the fix in CVS for this[1], but all I can achieve is
that the virus is caught. If enough base64 nestings are used, clamd still
dies. Patch I'm using is attached.

Can you please provide a "more proper" patch for 0.88.6? Alternately, are you
planning to release 0.88.7 anytime soon?


Tomasz Papszun | 11 Dec 20:08 2006

Re: Re: Bypassing Virus Scanners Using MIME Encoding Tricks

On Sun, 10 Dec 2006 at 16:50:22 +0100, Andrej Kacian wrote:
> 
> I'm trying to backport the fix in CVS for this[1], but all I can achieve is
> that the virus is caught. If enough base64 nestings are used, clamd still
> dies. Patch I'm using is attached.
> 
> Can you please provide a "more proper" patch for 0.88.6? Alternately, are you
> planning to release 0.88.7 anytime soon?
> 
> 1. http://cvsweb.clamav.net/bin/cgi/viewvc.cgi/clamav-devel/libclamav/message.c?r1=1.191&r2=1.192
> 

ClamAV 0.88.7 has been released this afternoon.

http://www.clamav.net/stable.php#pagestart

-- 
 Tomasz Papszun    SysAdm  <at>  TP S.A. Lodz, Poland    | And it's only
 tomek at lodz.tpsa.pl http://www.lodz.tpsa.pl/iso/ | ones and zeros.
 tomek at clamav.net   http://www.ClamAV.net/   A GPL virus scanner

刘健 | 13 Dec 01:58 2006

questions about match

Hello:
    I just joined this mailing list.
    And I have some questions about clamAV's pattern matching.
    1 I read a bit of the source code, but I think clamAV doesn't 
      treat a file as a virus if the file only matches a hex 
      signature. Only if it matches an MD5 signature will the file 
      be treated as a virus, isn't it?
    2 There exist some viruses that can infect all the .exe files.
      So, any of these .exe files will be treated as a virus; can 
      clamAV check out these files?

    Thanks all!

----------------
LIUJ NetEye IPS


Hendrik Weimer | 14 Dec 09:58 2006

Bug#403034: Deep MIME Nesting Content Filter Bypass

Package: clamav
Version: 0.88.7-1
Severity: grave
Tags: security

While the new 0.88.7 version fixes CVE-2006-6406 and CVE-2006-6481 the
update introduces another flaw that lets viruses pass undetected. If a
virus is nested deeper than the --max-mail-recursion limit, the file
will pass and ClamAV's exit code indicates that the file was scanned
properly.

Again, details, PoC, and discussion can be found at
http://www.quantenblog.net/security/virus-scanner-bypass.
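As an added illustration (not ClamAV's code and not part of this thread) of the two points above, the nested-multipart crash in the first message and the limit bypass in this bug report: a depth-limited MIME walk that uses an explicit stack instead of recursion and reports "limit exceeded" as its own verdict rather than as clean. It assumes a constructed marker string standing in for a signature hit; the 0/1/2 exit-code mapping follows clamscan's convention (0 clean, 1 virus found, 2 error).

```python
from email import message_from_bytes
from email.message import Message

CLEAN, INFECTED, LIMIT_EXCEEDED = "clean", "infected", "limit-exceeded"
MARKER = b"CONSTRUCTED-SAMPLE-SIGNATURE"  # constructed stand-in for a signature match


def build_nested(depth: int, leaf_body: bytes) -> bytes:
    """Constructed sample: wrap a text/plain leaf in `depth` multipart/mixed layers."""
    part = b"Content-Type: text/plain\r\n\r\n" + leaf_body + b"\r\n"
    for i in range(depth):
        bnd = b"bnd%d-x" % i                # unique per layer, never a prefix of another
        part = (b'Content-Type: multipart/mixed; boundary="' + bnd + b'"\r\n\r\n'
                + b"--" + bnd + b"\r\n" + part + b"--" + bnd + b"--\r\n")
    return b"From: sender@example.invalid\r\nSubject: sample\r\n" + part


def scan(raw: bytes, max_depth: int) -> str:
    """Walk the MIME tree with an explicit stack (attacker-chosen nesting
    cannot exhaust the native stack the way recursion would) and return a
    verdict.  Exceeding max_depth is its own verdict, never CLEAN."""
    root: Message = message_from_bytes(raw)
    stack = [(root, 0)]
    while stack:
        msg, depth = stack.pop()
        if depth > max_depth:
            return LIMIT_EXCEEDED          # fail closed: unscanned content is not "clean"
        if msg.is_multipart():
            stack.extend((child, depth + 1) for child in msg.get_payload())
        elif MARKER in (msg.get_payload(decode=True) or b""):
            return INFECTED
    return CLEAN                           # reached only after every leaf was examined


def exit_code(verdict: str) -> int:
    """Distinct exit codes so a caller cannot mistake 'limit exceeded' for
    'scanned and clean' (0/1/2 as in clamscan: clean, virus found, error)."""
    return {CLEAN: 0, INFECTED: 1}.get(verdict, 2)


if __name__ == "__main__":
    for depth in (3, 9, 12):
        verdict = scan(build_nested(depth, MARKER), max_depth=8)
        print(depth, verdict, exit_code(verdict))
```

A mail gateway that only checks for exit code 0 versus non-zero would still quarantine the over-nested message, which is the behaviour the bug report says 0.88.7 lacked.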

Renato Botelho | 14 Dec 13:23 2006

Problems building 20061214 snapshot

I was trying to build the 20061214 snapshot and got this error:

 cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./mspack -I./unrar
-I/usr/local/include -I../libclamav -O2 -fno-strict-aliasing -pipe -c
rtf.c -o rtf.o >/dev/null 2>&1
/bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H  -I.
-I. -I.. -I.. -I./mspack -I./unrar  -I/usr/local/include
-I../libclamav   -O2 -fno-strict-aliasing -pipe -c -o blob.lo blob.c
 cc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I./mspack -I./unrar
-I/usr/local/include -I../libclamav -O2 -fno-strict-aliasing -pipe -c
blob.c  -fPIC -DPIC -o .libs/blob.o
blob.c: In function `fileblobAddData':
blob.c:512: error: structure has no member named `bytes_scanned'
blob.c:515: error: structure has no member named `bytes_scanned'
blob.c:520: error: structure has no member named `bytes_scanned'
*** Error code 1

I made this attached patch and it built fine, is it ok?

Thanks
-- 
Renato Botelho
Attachment (patch-libclamav_blob.h): application/octet-stream, 336 bytes
Stephen Gran | 17 Dec 02:45 2006

implicit function declarations patch

Hello all,

Pretty straight forward stuff, really.

Thanks,

Index: clamd/tcpserver.c
===================================================================
--- clamd/tcpserver.c   (revision 274)
+++ clamd/tcpserver.c   (working copy)
 <at>  <at>  -28,6 +28,9  <at>  <at> 
 #include <stdio.h>
 #include <string.h>
 #include <sys/types.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
 #ifndef        C_WINDOWS
 #include <sys/socket.h>
 #include <netinet/in.h>
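Review bot: the `#ifdef HAVE_UNISTD_H` guard only has effect if the configure-generated config header is included before line 28 of tcpserver.c; that include lies outside the visible context, so please confirm it precedes this block, otherwise `<unistd.h>` is silently skipped and the implicit-declaration warnings the patch targets remain. Placing the guarded include ahead of the `#ifndef C_WINDOWS` socket headers is the right spot, since unistd.h is not available on a native Windows build.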
Index: clamd/localserver.c
===================================================================
--- clamd/localserver.c (revision 274)
+++ clamd/localserver.c (working copy)
 <at>  <at>  -28,6 +28,9  <at>  <at> 
 #include <sys/stat.h>
 #include <sys/un.h>
 #include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
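Review bot: the localserver.c hunk is cut off here after `+#include <unistd.h>`, so the closing `+#endif` of the HAVE_UNISTD_H guard is not visible; the header `-28,6 +28,9` counts three added lines, so the full patch presumably carries it, but the copy that gets applied should be checked, since an unterminated `#ifdef` fails to compile. The same remark as for tcpserver.c applies: the guard depends on the config header being included earlier in the file.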

Stephen Gran | 19 Dec 02:45 2006

a cry for help

Hello all,

I've tried before, and failed, mostly due to the fact that I treat email
as a real time communication mechanism, when it clearly isn't.  Currently,
the Debian packages of clamav carry a 1.5-2.0 MB diff with every release,
since I have to re-autotool the source in order to make it build on
some of the architectures Debian supports.  I would love to see this
end (mostly for the admittedly selfish reason of not having to forward
port the patch or deal with the pain of re-autotooling every release),
but also because it will make the generic upstream tarball more portable.

My past failures have mostly been that I propose a patch against
a released version that does not apply to cvs, or I propose a patch
against cvs that does not apply due to the often laggy nature of email
based communication.  So, I propose this:

I can be found in #clamav on the freenode network of irc, or #debian-devel
on oftc.  If any of the devel team are interested in updating the
autotools tree, /msg me and I will update whatever source tree is deemed
appropriate, and give a url to an appropriate patch.  I am willing to do
whatever would be useful to make this issue disappear.  If you want to
do it by phone even, email me off list and we can set something up.

Thanks all,
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | Hmmm ... A hash-singer and a cross-eyed |
|  steve <at> lobefin.net             | guy were SLEEPING on a deserted island, |
|  http://www.lobefin.net/~steve | when ...                                |
 --------------------------------------------------------------------------

aCaB | 20 Dec 16:34 2006

Re: implicit function declarations patch

Stephen Gran wrote:
> Hello all,
> 
> Pretty straight forward stuff, really.
> 

Applied, thanks!

-aCaB