[Community-sigs] Request update to signature for CVE-2018-8298
Alain Zidouemba
azidouemba at sourcefire.com
Thu Dec 5 15:51:59 EST 2019
Dan:
Thank you for taking the time to perform this analysis. An analyst is
reviewing your submission and we will get back to you as soon as possible.
- Alain
On Thu, Dec 5, 2019 at 5:52 AM Dan Bodart <dan.bodart at triptease.com> wrote:
> The current signature for CVE-2018-8298 is generating many false positives
> for modern websites that use the modern JavaScript internationalisation
> support under Intl.DateTimeFormat and Intl.NumberFormat. As Google Safe
> Browsing uses ClamAV, this can put a whole business at risk of going
> out of business if it relies on web traffic (as most do).
>
> As listed on https://www.exploit-db.com/exploits/45217 the exploit
> requires
> not using the functions as constructors and calling apply directly passing
> in the same object 3 times to each of the methods.
>
> Exploit example:
>
> let object = {};
> Intl.NumberFormat.apply(object);
> Intl.DateTimeFormat.apply(object);
> Intl.DateTimeFormat.prototype.formatToParts.apply(object);
>
>
>
> The current signature definition is as follows:
>
> VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-1
> TDB: Engine:81-255,Target:3
> LOGICAL EXPRESSION: 0&1&2&3
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> formatToParts{WILDCARD_ANY_STRING(LENGTH<=25)}.apply
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> DateTimeFormat
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> NumberFormat
> * SUBSIG ID 3
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> .prototype
>
>
> The definition is incredibly broad in its scope:
>
> 1. It matches on ".prototype", which virtually every single JavaScript
> file in the world would match on. Recommendation: remove it or combine it with
> formatToParts.
> 2. It matches on any use of "DateTimeFormat" or "NumberFormat".
> Recommendation: only match when "apply" is called and it is prefixed by "Intl",
> as this is required by the exploit.
> 3. It matches formatToParts followed, up to 25 characters later, by apply.
> Recommendation: don't add a random 25-character gap, as it's just security
> theatre, and make it explicit on which object it is called.
>
>
>
> So here is my updated logical signature:
>
> VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-2
> LOGICAL EXPRESSION: 0&1&2
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> Intl.DateTimeFormat.prototype.formatToParts.apply
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> Intl.DateTimeFormat.apply
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NOCASE
> +-> DECODED SUBSIGNATURE:
> Intl.NumberFormat.apply
>
>
> And here it is encoded:
>
>
> Html.Exploit.CVE_2018_8298-6602925-2;Engine:81-255,Target:3;0&1&2;496e746c2e4461746554696d65466f726d61742e70726f746f747970652e666f726d6174546f50617274732e6170706c790a::i;496e746c2e4461746554696d65466f726d61742e6170706c790a::i;496e746c2e4e756d626572466f726d61742e6170706c790a::i
>
>
>
> Please let me know if I got anything wrong.
>
> Kind regards
>
> Dan
> _______________________________________________
>
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
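The following is an added example, not part of the list thread and not ClamAV's own matching code. It is a small Python model of how a ClamAV logical signature (.ldb line) is evaluated: each hex subsignature is decoded, `::i` is treated as case-insensitive, `{-25}`-style gaps become bounded wildcards, and the logical expression is evaluated over the per-subsignature hits. It is then run over two constructed inputs: the proof-of-concept quoted above, and a constructed, benign polyfill-style snippet that uses the Intl APIs the normal way. The original signature's .ldb line is reconstructed here from its decoded form and is an assumption, not copied from the published database; the proposed line is the one posted in the thread. Two simplifications to keep in mind: real ClamAV runs Target:3 signatures against its HTML-normalised view of the file rather than the raw text, and the wildcard support here covers only the subset this example needs.

```python
import re

def h(s):
    """Hex-encode a literal the way `sigtool --hex-dump` does (minus the stray newline)."""
    return s.encode().hex()

# Reconstructed from the decoded subsigs quoted in the thread; the exact
# published hex is an assumption. {-25} is ClamAV's "up to 25 bytes" gap.
ORIGINAL_LDB = ";".join([
    "Html.Exploit.CVE_2018_8298-6602925-1", "Engine:81-255,Target:3", "0&1&2&3",
    h("formatToParts") + "{-25}" + h(".apply") + "::i",
    h("DateTimeFormat") + "::i",
    h("NumberFormat") + "::i",
    h(".prototype") + "::i",
])

# The encoded line exactly as submitted in the thread.
PROPOSED_LDB = (
    "Html.Exploit.CVE_2018_8298-6602925-2;Engine:81-255,Target:3;0&1&2;"
    "496e746c2e4461746554696d65466f726d61742e70726f746f747970652e"
    "666f726d6174546f50617274732e6170706c790a::i;"
    "496e746c2e4461746554696d65466f726d61742e6170706c790a::i;"
    "496e746c2e4e756d626572466f726d61742e6170706c790a::i"
)

def parse_ldb(line):
    """Split an .ldb line into (name, tdb, logical expression, [subsigs])."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    return name, tdb, expr, subsigs

def decoded_subsigs(line):
    """Human-readable view of each subsignature (hex bytes decoded, wildcards kept)."""
    out = []
    for sub in parse_ldb(line)[3]:
        body = sub.partition("::")[0]
        tokens = re.split(r"(\{[^}]*\}|\*)", body)
        out.append("".join(t if t.startswith(("{", "*")) else bytes.fromhex(t).decode("latin-1")
                           for t in tokens if t))
    return out

def subsig_to_regex(sub):
    """Compile one hex subsignature with optional ::i modifier and {n-m}/* wildcards."""
    body, _, mods = sub.partition("::")
    parts = []
    for token in re.split(r"(\{[^}]*\}|\*)", body):
        if not token:
            continue
        if token == "*":
            parts.append(".*")
        elif token.startswith("{"):
            lo, sep, hi = token[1:-1].partition("-")
            parts.append(".{%s,%s}" % (lo or "0", hi) if sep else ".{%s}" % lo)
        else:
            parts.append(re.escape(bytes.fromhex(token).decode("latin-1")))
    flags = re.DOTALL | (re.IGNORECASE if "i" in mods else 0)
    return re.compile("".join(parts), flags)

def evaluate(line, text):
    """True when the logical expression over subsignature hits is satisfied."""
    _, _, expr, subsigs = parse_ldb(line)
    hits = [bool(subsig_to_regex(s).search(text)) for s in subsigs]
    if not re.fullmatch(r"[\d&|() ]+", expr):
        raise ValueError("unsupported logical expression: " + expr)
    py = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return bool(eval(py.replace("&", " and ").replace("|", " or "), {"__builtins__": {}}))

def strip_trailing_newline(line):
    """Drop a trailing 0a byte from each subsig: the artefact `echo | sigtool --hex-dump` leaves."""
    name, tdb, expr, subsigs = parse_ldb(line)
    fixed = []
    for sub in subsigs:
        body, sep, mods = sub.partition("::")
        if body.lower().endswith("0a"):
            body = body[:-2]
        fixed.append(body + sep + mods)
    return ";".join([name, tdb, expr] + fixed)

# Constructed inputs: the PoC from the thread, and a benign polyfill-style snippet.
POC = """let object = {};
Intl.NumberFormat.apply(object);
Intl.DateTimeFormat.apply(object);
Intl.DateTimeFormat.prototype.formatToParts.apply(object);
"""

BENIGN = """var fmt = new Intl.DateTimeFormat('en-GB', {month: 'long'});
var parts = Intl.DateTimeFormat.prototype.formatToParts.apply(fmt, [new Date()]);
var price = new Intl.NumberFormat('de-DE', {style: 'currency', currency: 'EUR'});
Widget.prototype.render = function () { return parts.map(p => p.value).join(''); };
"""

if __name__ == "__main__":
    for label, sig in [("original", ORIGINAL_LDB),
                       ("proposed as submitted", PROPOSED_LDB),
                       ("proposed, 0a stripped", strip_trailing_newline(PROPOSED_LDB))]:
        print("%-24s PoC=%-5s benign=%s" % (label, evaluate(sig, POC), evaluate(sig, BENIGN)))
```

Running it shows the two points a reviewer would want checked before shipping the submitted line: the original signature fires on both the PoC and the benign snippet (the false positive the thread describes), while the submitted line fires on neither, because every subsignature ends in a hex `0a` (a newline) that does not follow `apply` in the PoC. With that trailing byte removed, the proposed line matches the PoC and leaves the benign snippet alone.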