[Clamav-devel] Issue with FP only on 0.103.1

Mark Allan markjallan at gmail.com
Thu Mar 4 16:16:32 UTC 2021 

Looks like we have another one!
	BC.Img.Exploit.CVE_2018_4891-6453673-2

This is generating loads of FPs as well.

Curiously (and sorry for listing two issues in one email) adding a bytecode signature name (with the .{} suffix) to an ign2 file appears to have no effect. Any thoughts why this might be?

Best regards,
Mark 

> On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) <micasnyd at cisco.com> wrote:
> 
> It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same lack of proper FP testing as the other TIFF signature, likely for the same reasons.  After some time reviewing it, I agree that BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped.  This bytecode signature has a relatively high probability to FP on TIFF files that don't include a ColorMap in the IFD header(s), which is also fairly common.  Reworking the signature would is probably not worth the effort considering the CVE is from 2017.
> 
> It should be dropped in the update tomorrow morning.
> 
> Thanks for reaching out Mark.
> 
> Regards,
> Micah
> 
>> -----Original Message-----
>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On Behalf Of
>> Micah Snyder (micasnyd)
>> Sent: Monday, February 15, 2021 11:36 AM
>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>> 
>> Oh, sorry I misread your email.  Needed more coffee.  You were asking about
>> a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
>> Will investigate.
>> 
>> -Micah
>> 
>>> -----Original Message-----
>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On Behalf
>>> Of Micah Snyder (micasnyd)
>>> Sent: Monday, February 15, 2021 10:28 AM
>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>> 
>>> Hi Mark,
>>> 
>>> TL;DR:  The type detection mismatch is fixed in the current daily + 0.103.1.
>>> The issue was with the signature.  We didn't know about it because of
>>> the mismatch.  You should've found that the offending signature was
>>> dropped on Saturday morning.
>>> 
>>> Details:
>>> 
>>> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition
>>> from:
>>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_ GRAPHICS
>>> to:
>>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>> 
>>> When FTM signatures are loaded from daily.cvd, it overrides the
>>> built-in FTM signatures.  So it turns out that daily's FTM file had
>>> been missing the original CL_TYPE_GRAPHICS detection of TIFF files all
>>> this time, which would've been required for Target:5 signatures to
>>> alert on TIFF files.  As a result, the signature in question "worked"
>>> in testing (with a single LDB file, using built-in FTM), but never
>>> worked in worked during FP testing or in production (with a daily CVD file).
>>> 
>>> When we added this to daily.ftm to support 0.103.1:
>>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>> ... all of a sudden a signature which was written for TIFF files
>>> started alerting on TIFF files (as it should've) because the new
>>> CL_TYPE_TIFF also alerts on
>>> Target:5 (graphics) types.  We never added the CL_TYPE_GRAPHICS
>>> variant for 0.103.0 and prior, which is why it appeared to be an issue with
>> 0.103.1.
>>> Perhaps we should?  I'll ask MRT about it.
>>> 
>>> Anyways, this is basically a reminder that we need to make sure daily
>>> FTM and libclamav's FTM are in sync.
>>> 
>>> -Micah
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On Behalf
>>>> Of Mark Allan
>>>> Sent: Saturday, February 13, 2021 3:35 PM
>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>> 
>>>> Thanks. I've just found another one too
>>>> 
>>>> 	BC.Img.Exploit.CVE_2017_11255-6335669-1
>>>> 
>>>> It's triggering on a file that's been part of macOS for many years.
>>>> It's also a tiff file. I can submit this as well if necessary?
>>>> 
>>>> Out of interest, is the type detection mismatch something that can
>>>> be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to
>>>> revert it to what it was at 0.103.0?
>>>> 
>>>> Mark
>>>> 
>>>>> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd)
>>>> <micasnyd at cisco.com> wrote:
>>>>> 
>>>>> It appears to me to be an issue with the signature which is only
>>>>> evident in
>>>> 0.103.1 now that we're matching TIFFs with Target:5 signatures, like
>>>> this
>>> one.
>>>>> 
>>>>> There was apparently a mismatch for TIFF file type detection
>>>>> between the
>>>> file type magic signatures built-in to libclamav
>>>> (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd
>>>> (which override the internal ones when loaded).
>>>>> 
>>>>> I'll ask to have the signature dropped and re-evaluated.
>>>>> 
>>>>> -Micah
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On
>>>>>> Behalf Of Micah Snyder (micasnyd)
>>>>>> Sent: Thursday, February 11, 2021 8:27 PM
>>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>> 
>>>>>> Thank you Mark! We'll take a look.
>>>>>> 
>>>>>> -Micah
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On
>>>> Behalf
>>>>>>> Of Mark Allan
>>>>>>> Sent: Thursday, February 11, 2021 3:54 PM
>>>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>> 
>>>>>>> Hi Micah,
>>>>>>> 
>>>>>>> Yes of course! I've just uploaded a zip file (Archive.zip) to
>>>>>>> the FP page on clamav.net
>>>>>>> 	MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>>>>>>> 
>>>>>>> Regards
>>>>>>> Mark
>>>>>>> 
>>>>>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd)
>>>>>>> <micasnyd at cisco.com> wrote:
>>>>>>>> 
>>>>>>>> Hi Mark,
>>>>>>>> 
>>>>>>>> Do you think you could share a sample or two with me to test.
>>>>>>>> I'm really
>>>>>>> curious what changed and would like to debug each version with a
>>>>>>> sample or two.
>>>>>>>> 
>>>>>>>> -Micah
>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: clamav-devel <clamav-devel-bounces at lists.clamav.net> On
>>>>>>>>> Behalf Of Mark Allan
>>>>>>>>> Sent: Monday, February 8, 2021 3:04 AM
>>>>>>>>> To: ClamAV Development <clamav-devel at lists.clamav.net>
>>>>>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>> 
>>>>>>>>> Hi all,
>>>>>>>>> 
>>>>>>>>> It looks like the additional image file type support in
>>>>>>>>> 0.103.1 has introduced an issue with a particular signature
>>>>>>>>> which has been in the database since 2018
>>>>>>>>> 
>>>>>>>>> 	Img.Exploit.CVE_2018_4904-6449838-0
>>>>>>>>> 
>>>>>>>>> It's flagging up thousands of known-good files. As far as I
>>>>>>>>> can tell, they're all TIFF files.
>>>>>>>>> 
>>>>>>>>> I've added that signature to an ign2 file for now, but I'm
>>>>>>>>> wondering if there's something else that's maybe amiss
>>>>>>>>> somewhere either with the signature or the 0.103.1 update?
>>>>>>>>> 
>>>>>>>>> Best regards,
>>>>>>>>> Mark
>>>>>>>>> 
>>>>>>>>> _______________________________________________
>>>>>>>>> 
>>>>>>>>> clamav-devel mailing list
>>>>>>>>> clamav-devel at lists.clamav.net
>>>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>>>>> 
>>>>>>>>> Please submit your patches to our Github:
>>>>>>>>> https://github.com/Cisco- Talos/clamav-devel/pulls
>>>>>>>>> 
>>>>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>>>> 
>>>>>>>>> http://www.clamav.net/contact.html#ml
>>>>>>>> _______________________________________________
>>>>>>>> 
>>>>>>>> clamav-devel mailing list
>>>>>>>> clamav-devel at lists.clamav.net
>>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>>>> 
>>>>>>>> Please submit your patches to our Github:
>>>>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
>>>>>>>> 
>>>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>>> 
>>>>>>>> http://www.clamav.net/contact.html#ml
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> 
>>>>>>> clamav-devel mailing list
>>>>>>> clamav-devel at lists.clamav.net
>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>>> 
>>>>>>> Please submit your patches to our Github:
>>>>>>> https://github.com/Cisco- Talos/clamav-devel/pulls
>>>>>>> 
>>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>> 
>>>>>>> http://www.clamav.net/contact.html#ml
>>>>>> _______________________________________________
>>>>>> 
>>>>>> clamav-devel mailing list
>>>>>> clamav-devel at lists.clamav.net
>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>> 
>>>>>> Please submit your patches to our Github:
>>>>>> https://github.com/Cisco- Talos/clamav-devel/pulls
>>>>>> 
>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>> 
>>>>>> http://www.clamav.net/contact.html#ml
>>>>> _______________________________________________
>>>>> 
>>>>> clamav-devel mailing list
>>>>> clamav-devel at lists.clamav.net
>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>> 
>>>>> Please submit your patches to our Github:
>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
>>>>> 
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/vrtadmin/clamav-faq
>>>>> 
>>>>> http://www.clamav.net/contact.html#ml
>>>> 
>>>> _______________________________________________
>>>> 
>>>> clamav-devel mailing list
>>>> clamav-devel at lists.clamav.net
>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>> 
>>>> Please submit your patches to our Github: https://github.com/Cisco-
>>>> Talos/clamav-devel/pulls
>>>> 
>>>> Help us build a comprehensive ClamAV guide:
>>>> https://github.com/vrtadmin/clamav-faq
>>>> 
>>>> http://www.clamav.net/contact.html#ml
>>> _______________________________________________
>>> 
>>> clamav-devel mailing list
>>> clamav-devel at lists.clamav.net
>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>> 
>>> Please submit your patches to our Github: https://github.com/Cisco-
>>> Talos/clamav-devel/pulls
>>> 
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>> 
>>> http://www.clamav.net/contact.html#ml
>> _______________________________________________
>> 
>> clamav-devel mailing list
>> clamav-devel at lists.clamav.net
>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>> 
>> Please submit your patches to our Github: https://github.com/Cisco-
>> Talos/clamav-devel/pulls
>> 
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>> 
>> http://www.clamav.net/contact.html#ml
> _______________________________________________
> 
> clamav-devel mailing list
> clamav-devel at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-devel
> 
> Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml

More information about the clamav-devel mailing list