[Community-sigs] Request update to signature for CVE-2018-8298
Dan Bodart
dan.bodart at triptease.com
Thu Dec 5 05:52:09 EST 2019
The current signature for CVE-2018-8298 is generating many false positives
for modern websites that use the modern JavaScript internationalisation
support under Intl.DateTimeFormat and Intl.NumberFormat. As Google Safe
Browsing uses ClamAV, this can put a whole business at risk of going
out of business if it relies on web traffic (as most do).
As listed on https://www.exploit-db.com/exploits/45217, the exploit requires
not using the functions as constructors and calling apply directly, passing
in the same object 3 times to each of the methods.
Exploit example:
let object = {};
Intl.NumberFormat.apply(object);
Intl.DateTimeFormat.apply(object);
Intl.DateTimeFormat.prototype.formatToParts.apply(object);
The current signature definition is as follows:
VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-1
TDB: Engine:81-255,Target:3
LOGICAL EXPRESSION: 0&1&2&3
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
formatToParts{WILDCARD_ANY_STRING(LENGTH<=25)}.apply
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
DateTimeFormat
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
NumberFormat
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
.prototype
The definition is incredibly broad in its scope:
1. It matches on ".prototype", which virtually every single JavaScript
file in the world would match on. Recommendation: remove it or combine it with
formatToParts.
2. It matches on any use of "DateTimeFormat" or "NumberFormat".
Recommendation: only match when "apply" is called and it is prefixed by "Intl",
as this is required by the exploit.
3. It matches formatToParts followed by apply up to 25 characters later.
Recommendation: don't add a random 25-character gap, as it's just security
theatre; make it explicit which object it is called on.
So here is my updated logical signature:
VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-2
LOGICAL EXPRESSION: 0&1&2
* SUBSIG ID 0
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
Intl.DateTimeFormat.prototype.formatToParts.apply
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
Intl.DateTimeFormat.apply
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NOCASE
+-> DECODED SUBSIGNATURE:
Intl.NumberFormat.apply
And here it is encoded:
Html.Exploit.CVE_2018_8298-6602925-2;Engine:81-255,Target:3;0&1&2;496e746c2e4461746554696d65466f726d61742e70726f746f747970652e666f726d6174546f50617274732e6170706c79::i;496e746c2e4461746554696d65466f726d61742e6170706c79::i;496e746c2e4e756d626572466f726d61742e6170706c79::i
Please let me know if I got anything wrong.
Kind regards,
Dan
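As an added check on the proposal in the post above (editor's example, not Dan's code and not ClamAV's engine), the following Python harness evaluates the old and proposed logical expressions over a constructed PoC-style snippet and a constructed benign page, re-encodes the proposed subsignatures into .ldb form, and flags a hex subsig that carries a stray trailing newline byte; the regex matcher is an approximation of ClamAV's subsig semantics, and the Engine/Target block is taken from the post.

```python
import re

# Constructed samples (not from the list post). POC mirrors the apply-based
# trigger the post describes; BENIGN is ordinary Intl usage plus a polyfill-style
# wrapper and an Array.prototype call, the kind of code a real site ships.
POC = """let object = {};
Intl.NumberFormat.apply(object);
Intl.DateTimeFormat.apply(object);
Intl.DateTimeFormat.prototype.formatToParts.apply(object);"""
BENIGN = """const dtf = new Intl.DateTimeFormat('en-GB', {timeZone: 'UTC'});
const nf = new Intl.NumberFormat('en-US', {style: 'currency', currency: 'USD'});
function parts(f, ...args) { return f.formatToParts.apply(f, args); }
Array.prototype.forEach.apply(items, [render]);"""

# Old -6602925-1 subsigs as regexes: the <=25 byte wildcard becomes .{0,25}.
OLD_SUBSIGS = [re.escape("formatToParts") + r".{0,25}" + re.escape(".apply"),
               re.escape("DateTimeFormat"), re.escape("NumberFormat"),
               re.escape(".prototype")]
# Proposed -6602925-2 subsigs: literals, fully qualified to the Intl objects.
NEW_LITERALS = ["Intl.DateTimeFormat.prototype.formatToParts.apply",
                "Intl.DateTimeFormat.apply", "Intl.NumberFormat.apply"]
NEW_SUBSIGS = [re.escape(s) for s in NEW_LITERALS]

def matches(subsig_regexes, text):
    """Logical expression 0&1&...&n with SIGMOD NOCASE: every subsig must hit."""
    return all(re.search(p, text, re.IGNORECASE | re.DOTALL) for p in subsig_regexes)

def encode_ldb(name, literals, tdb="Engine:81-255,Target:3"):
    """Build the .ldb line: hex of each literal (no trailing 0a), ::i for NOCASE."""
    expr = "&".join(str(i) for i in range(len(literals)))
    subsigs = ";".join(s.encode("ascii").hex() + "::i" for s in literals)
    return f"{name};{tdb};{expr};{subsigs}"

def stray_newline_subsigs(ldb_line):
    """Indices of hex subsigs ending in 0a, the mark of `echo | xxd -p` without -n."""
    fields = ldb_line.split(";")[3:]
    return [i for i, f in enumerate(fields)
            if bytes.fromhex(f.split("::")[0]).endswith(b"\n")]

if __name__ == "__main__":
    for label, subsigs in (("old", OLD_SUBSIGS), ("new", NEW_SUBSIGS)):
        print(label, "PoC:", matches(subsigs, POC), "benign:", matches(subsigs, BENIGN))
    print(encode_ldb("Html.Exploit.CVE_2018_8298-6602925-2", NEW_LITERALS))
```

The old expression fires on the benign page because every one of its four substrings occurs in everyday code, while the proposed one fires only on the fully qualified apply call sites.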