[Community-sigs] Request update to signature for CVE-2018-8298

Dan Bodart dan.bodart at triptease.com
Fri Dec 6 03:25:00 EST 2019


One thing I realised later was that the patterns should probably not be
case insensitive, as that was one of the reasons our company script was
being flagged: it matched on a random method that ended in the same string
but with different casing.

On Thu, Dec 5, 2019 at 8:52 PM Alain Zidouemba <azidouemba at sourcefire.com>
wrote:

> Dan:
>
> Thank you for taking the time to perform this analysis. An analyst is
> reviewing your submission and we will get back to you as soon as possible.
>
> - Alain
>
> On Thu, Dec 5, 2019 at 5:52 AM Dan Bodart <dan.bodart at triptease.com>
> wrote:
>
> > The current signature for CVE-2018-8298 is generating many false positives
> > for modern websites that use the modern JavaScript internationalisation
> > support under Intl.DateTimeFormat and Intl.NumberFormat. As Google Safe
> > Browsing uses ClamAV, this can cause a whole business to be at risk of going
> > out of business if they rely on web traffic (as most do).
> >
> > As listed on https://www.exploit-db.com/exploits/45217 the exploit requires
> > not using the functions as constructors and calling apply directly, passing
> > in the same object 3 times to each of the methods.
> >
> > Exploit example:
> >
> > let object = {};
> > Intl.NumberFormat.apply(object);
> > Intl.DateTimeFormat.apply(object);
> > Intl.DateTimeFormat.prototype.formatToParts.apply(object);
> >
> >
> >
> > The current signature definition is as follows:
> >
> > VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-1
> > TDB: Engine:81-255,Target:3
> > LOGICAL EXPRESSION: 0&1&2&3
> >  * SUBSIG ID 0
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NOCASE
> >  +-> DECODED SUBSIGNATURE:
> > formatToParts{WILDCARD_ANY_STRING(LENGTH<=25)}.apply
> >  * SUBSIG ID 1
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NOCASE
> >  +-> DECODED SUBSIGNATURE:
> > DateTimeFormat
> >  * SUBSIG ID 2
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NOCASE
> >  +-> DECODED SUBSIGNATURE:
> > NumberFormat
> >  * SUBSIG ID 3
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NOCASE
> >  +-> DECODED SUBSIGNATURE:
> > .prototype
> >
> >
> > The definition is incredibly broad in its scope:
> >
> >    1. It matches on ".prototype", which virtually every single JavaScript
> >    file in the world would match on. Recommendation: remove or combine with
> >    formatToParts.
> >    2. It matches on any use of "DateTimeFormat" or "NumberFormat".
> >    Recommendation: only match when "apply" is called and it is prefixed by
> >    "Intl", as this is required by the exploit.
> >    3. It matches formatToParts followed, up to 25 characters later, by apply.
> >    Recommendation: don't add a random 25 character gap as it's just security
> >    theatre, and make it explicit on which object.
> >
> >
> >
> > So here is my updated logical signature
> >
> > VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-2
> > LOGICAL EXPRESSION: 0&1&2
> >  * SUBSIG ID 0
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NOCASE
> >  +-> DECODED SUBSIGNATURE:
> > Intl.DateTimeFormat.prototype.formatToParts.apply
> >  * SUBSIG ID 1
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NOCASE
> >  +-> DECODED SUBSIGNATURE:
> > Intl.DateTimeFormat.apply
> >  * SUBSIG ID 2
> >  +-> OFFSET: ANY
> >  +-> SIGMOD: NOCASE
> >  +-> DECODED SUBSIGNATURE:
> > Intl.NumberFormat.apply
> >
> >
> > And here it is encoded:
> >
> >
> >
> > Html.Exploit.CVE_2018_8298-6602925-2;Engine:81-255,Target:3;0&1&2;496e746c2e4461746554696d65466f726d61742e70726f746f747970652e666f726d6174546f50617274732e6170706c790a::i;496e746c2e4461746554696d65466f726d61742e6170706c790a::i;496e746c2e4e756d626572466f726d61742e6170706c790a::i
> >
> >
> >
> > Please let me know if I got anything wrong.
> >
> > Kind regards
> >
> > Dan
> > _______________________________________________
> >
> > Community-sigs mailing list
> > Community-sigs at lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/community-sigs
> >
> > http://www.clamav.net/contact.html#ml
> >

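As an added example (not code from the thread, from ClamAV, or from its signature tooling), here is a small Python re-implementation of the subset of .ldb syntax used above, run over a constructed benign snippet and the PoC call sequence so the original and proposed signatures can be compared. It assumes that {-25} is the hex-form equivalent of the decoded WILDCARD_ANY_STRING(LENGTH<=25), that ::i is the NOCASE modifier, and that a regex search approximates the engine's matching; decoding the posted hex also shows that every subsignature ends in 0a (a newline byte), which the helper strips.

```python
import re
# Dan's proposed signature, copied verbatim from the thread (one .ldb line).
PROPOSED_LDB = ("Html.Exploit.CVE_2018_8298-6602925-2;Engine:81-255,Target:3;0&1&2;"
    "496e746c2e4461746554696d65466f726d61742e70726f746f747970652e666f726d6174546f50617274732e6170706c790a::i;"
    "496e746c2e4461746554696d65466f726d61742e6170706c790a::i;"
    "496e746c2e4e756d626572466f726d61742e6170706c790a::i")
# The original signature, re-encoded from the decoded listing in the thread (assumption:
# {-25} is ClamAV's "up to 25 arbitrary bytes" wildcard and ::i is the NOCASE modifier).
def hexs(s): return s.encode().hex()
ORIGINAL_LDB = ("Html.Exploit.CVE_2018_8298-6602925-1;Engine:81-255,Target:3;0&1&2&3;"
    + hexs("formatToParts") + "{-25}" + hexs(".apply") + "::i;" + hexs("DateTimeFormat")
    + "::i;" + hexs("NumberFormat") + "::i;" + hexs(".prototype") + "::i")

def parse_ldb(line):
    # Returns (name, logic, compiled subsigs). Only the syntax used in the thread is
    # handled: hex literals, {n}/{-n}/{n-}/{n-m} byte wildcards and the ::i modifier.
    name, _tdb, logic, *subsigs = line.split(";")
    compiled = []
    for sub in subsigs:
        body, _, mods = sub.partition("::")
        parts = []
        for token in filter(None, re.split(r"(\{\d*-?\d*\})", body)):
            if token.startswith("{"):
                lo, dash, hi = re.fullmatch(r"\{(\d*)(-?)(\d*)\}", token).groups()
                parts.append(".{%s,%s}" % (lo or "0", hi if dash else lo))
            else:
                parts.append(re.escape(bytes.fromhex(token).decode("latin-1")))
        flags = re.DOTALL | (re.IGNORECASE if "i" in mods else 0)
        compiled.append(re.compile("".join(parts), flags))
    return name, logic, compiled

def matches(line, content):
    # Evaluate the logical expression (the & / | subset) over per-subsig hits.
    _name, logic, subsigs = parse_ldb(line)
    hits = [bool(s.search(content)) for s in subsigs]
    expr = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), logic)
    return bool(eval(expr, {"__builtins__": {}}, {}))

def strip_trailing_newlines(line):
    # Each hex subsig in PROPOSED_LDB ends in 0a (newline), so as posted it only
    # matches ".apply" followed by a line break; drop that byte from every subsig.
    return line.replace("0a::i", "::i")

# Constructed benign snippet of the kind the thread describes (ordinary Intl use plus
# an unrelated property ending in "formattoparts"), and the PoC quoted in the thread.
BENIGN_JS = ("const dateFmt = new Intl.DateTimeFormat('en-GB');\nconst numFmt = new "
             "Intl.NumberFormat('en-GB');\nWidget.prototype.formattoparts = Legacy.apply.bind(Widget);\n")
POC_JS = ("let object = {};\nIntl.NumberFormat.apply(object);\nIntl.DateTimeFormat.apply(object);\n"
          "Intl.DateTimeFormat.prototype.formatToParts.apply(object);\n")
```

Dropping the ::i modifiers (line.replace("::i", "")) makes the original signature miss the benign snippet, which is the casing point from the follow-up message.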