[Clamav-devel] Multipart form data virus file detection

Brandon Perry bperry.volatile at gmail.com
Tue Aug 18 14:40:56 EDT 2015


Comments in line:


On Tue, Aug 18, 2015 at 1:24 PM, P K <pkopensrc at gmail.com> wrote:

> Hi Guys,
>
>
> I see when a virus file is uploaded as multipart/formdata its not detected
> properly by ClamAv. If its not multipart/formdata it works properly.
>
> I see few windows servers uploads file using multipart.
>
> Any idea or pointer why it doesn't work with multipart/forms?
>
> md5sum exploit.pdf
> a3e8a7602797c69f6320225e8137d063  exploit.pdf
>
> I was trying same exploit.pdf virus file (CVE-2009-4324) to upload in
> Windows server and its not detected by ClamAv Antivirus.
>
> *I tried with detect-pua also and it didn't worked for me*.
>
> It works fine with curl and other software. *Maybe we have to handle
> separately for windows server*.
>


What is the curl command you are running where it works?



>
> *Below is output of virus file to clamav: *
>
> Content-Disposition: form-data; name="__EVENTVALIDATION"
>
> /wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="destination"
>
>
>
>
>
>
> */AnalyticsReports-----------------------------21154944191352840482619583850Content-Disposition:
> form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile";
> filename="exploit.pdf"Content-Type: application/force-download*
> %PDF-1.1
> 1 0 obj
> << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
> endobj
> 2 0 obj
> << /Type /Outlines /Count 0 >>
> endobj
> 3 0 obj
> << /Type /Pages /Kids [4 0 R] /Count 1 >>
> endobj
> 4 0 obj
> << /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
> endobj
> 5 0 obj
> << /Type /Action /S /JavaScript /JS (
>   VIRUS DATA .....................
> ...........................................
>
>         spray_heap();
>         trigger_bug();
>
>         ) >>
> endobj
> xref
> 0 6
> 0000000000 65535 f
> 0000000010 00000 n
> 0000000096 00000 n
> 0000000145 00000 n
> 0000000205 00000 n
> 0000000279 00000 n
> trailer
> << /Size 6 /Root 1 0 R >>
> startxref
> 1787
> %%EOF
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data;
> name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
>
> on
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="__spText1"
>
>
> -----------------------------2115494419135284048261958385
>

Detection of PDF viruses likely depend on the body of the request being a
pure PDF document, not a multipart form with a PDF in one of the parts.
This is totally dependent on the way the signature was written.


> _______________________________________________
> http://lurker.clamav.net/list/clamav-devel.html
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
>
> http://www.clamav.net/contact.html#ml
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website


More information about the clamav-devel mailing list