[Community-sigs] Request update to signature for CVE-2018-8298
Tyler Montier
tmontier at sourcefire.com
Fri Dec 13 15:20:58 EST 2019
Dan,
Thanks for your suggestions for the signature.
I took your suggested signature and modified it slightly, including your
suggestion of making the signature case sensitive, and updating the target
type to work against multiple types of files.
Html.Exploit.CVE_2018_8298-6602925-2 should be available in the next CVD
release.
If that doesn't resolve your FP issues, please let me know and feel free to
provide a sample so that we can modify the signature again if necessary.
Cheers,
Tyler
On Fri, Dec 6, 2019 at 3:25 AM Dan Bodart <dan.bodart at triptease.com> wrote:
> One thing I realised later was that the patterns should probably not be
> case insensitive, as that was one of the reasons our company script was
> being flagged: it matched on a random method that ended in the same string
> but with different casing.
>
> On Thu, Dec 5, 2019 at 8:52 PM Alain Zidouemba <azidouemba at sourcefire.com>
> wrote:
>
> > Dan:
> >
> > Thank you for taking the time to perform this analysis. An analyst is
> > reviewing your submission and we will get back to you as soon as
> > possible.
> >
> > - Alain
> >
> > On Thu, Dec 5, 2019 at 5:52 AM Dan Bodart <dan.bodart at triptease.com>
> > wrote:
> >
> > > The current signature for CVE-2018-8298 is generating many false
> > > positives for modern websites that use the modern Javascript
> > > internationalisation support under Intl.DateTimeFormat and
> > > Intl.NumberFormat. As Google Safe Browsing uses ClamAV, this can put a
> > > whole business at risk of going out of business if they rely on web
> > > traffic (as most do).
> > >
> > > As listed on https://www.exploit-db.com/exploits/45217 the exploit
> > > requires not using the functions as constructors and calling apply
> > > directly, passing in the same object 3 times to each of the methods.
> > >
> > > Exploit example:
> > >
> > > let object = {};
> > > Intl.NumberFormat.apply(object);
> > > Intl.DateTimeFormat.apply(object);
> > > Intl.DateTimeFormat.prototype.formatToParts.apply(object);
> > >
> > > The current signature definition is as follows:
> > >
> > > VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-1
> > > TDB: Engine:81-255,Target:3
> > > LOGICAL EXPRESSION: 0&1&2&3
> > > * SUBSIG ID 0
> > > +-> OFFSET: ANY
> > > +-> SIGMOD: NOCASE
> > > +-> DECODED SUBSIGNATURE:
> > > formatToParts{WILDCARD_ANY_STRING(LENGTH<=25)}.apply
> > > * SUBSIG ID 1
> > > +-> OFFSET: ANY
> > > +-> SIGMOD: NOCASE
> > > +-> DECODED SUBSIGNATURE:
> > > DateTimeFormat
> > > * SUBSIG ID 2
> > > +-> OFFSET: ANY
> > > +-> SIGMOD: NOCASE
> > > +-> DECODED SUBSIGNATURE:
> > > NumberFormat
> > > * SUBSIG ID 3
> > > +-> OFFSET: ANY
> > > +-> SIGMOD: NOCASE
> > > +-> DECODED SUBSIGNATURE:
> > > .prototype
> > >
> > > The definition is incredibly broad in its scope:
> > >
> > > 1. It matches on ".prototype", which virtually every single Javascript
> > > file in the world would match on. Recommendation: remove it or combine
> > > it with formatToParts.
> > > 2. It matches on any use of "DateTimeFormat" or "NumberFormat".
> > > Recommendation: only match when "apply" is called and it is prefixed by
> > > "Intl", as this is required by the exploit.
> > > 3. It matches formatToParts followed by apply up to 25 characters later.
> > > Recommendation: don't add a random 25 character gap, as it's just
> > > security theatre; make it explicit on which object.
> > >
> > > So here is my updated logical signature:
> > >
> > > VIRUS NAME: Html.Exploit.CVE_2018_8298-6602925-2
> > > LOGICAL EXPRESSION: 0&1&2
> > > * SUBSIG ID 0
> > > +-> OFFSET: ANY
> > > +-> SIGMOD: NOCASE
> > > +-> DECODED SUBSIGNATURE:
> > > Intl.DateTimeFormat.prototype.formatToParts.apply
> > > * SUBSIG ID 1
> > > +-> OFFSET: ANY
> > > +-> SIGMOD: NOCASE
> > > +-> DECODED SUBSIGNATURE:
> > > Intl.DateTimeFormat.apply
> > > * SUBSIG ID 2
> > > +-> OFFSET: ANY
> > > +-> SIGMOD: NOCASE
> > > +-> DECODED SUBSIGNATURE:
> > > Intl.NumberFormat.apply
> > >
> > >
> > > And here it is encoded:
> > >
> > > Html.Exploit.CVE_2018_8298-6602925-2;Engine:81-255,Target:3;0&1&2;496e746c2e4461746554696d65466f726d61742e70726f746f747970652e666f726d6174546f50617274732e6170706c790a::i;496e746c2e4461746554696d65466f726d61742e6170706c790a::i;496e746c2e4e756d626572466f726d61742e6170706c790a::i
> > >
> > > Please let me know if I got anything wrong.
> > >
> > > Kind regards
> > >
> > > Dan
> > > _______________________________________________
> > >
> > > Community-sigs mailing list
> > > Community-sigs at lists.clamav.net
> > > https://lists.clamav.net/mailman/listinfo/community-sigs
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
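As an added illustration (editor's example, not part of the thread and not ClamAV's own code), the Python below encodes and decodes the .ldb logical-signature line format discussed above and emulates how the -1 and -2 signature versions match two constructed samples: the exploit snippet Dan quoted, and a benign internationalisation snippet of the kind he described. The emulation approximates the subsignatures with regular expressions (the wildcard sigtool displays as WILDCARD_ANY_STRING(LENGTH<=25) becomes `.{0,25}`, the `::i` modifier becomes IGNORECASE) and handles only the `&`-only logical expressions both signatures use; it is not a call to clamscan. Signature names, the target description block and the logical expressions are taken from the thread; the benign sample and the case-sensitive rebuild of the -2 line are assumptions made for the example. Decoding the posted line also shows that each hex subsignature ends in `0a`, a newline byte that the plaintext version above does not contain, so the line as posted only matches when a newline directly follows `apply`.

```python
import re

# The encoded signature line exactly as posted in the thread above.
POSTED_LDB = (
    "Html.Exploit.CVE_2018_8298-6602925-2;Engine:81-255,Target:3;0&1&2;"
    "496e746c2e4461746554696d65466f726d61742e70726f746f747970652e666f726d6174546f50617274732e6170706c790a::i;"
    "496e746c2e4461746554696d65466f726d61742e6170706c790a::i;"
    "496e746c2e4e756d626572466f726d61742e6170706c790a::i"
)

# Constructed sample 1: the exploit shape quoted from exploit-db in the thread.
EXPLOIT_SAMPLE = """let object = {};
Intl.NumberFormat.apply(object);
Intl.DateTimeFormat.apply(object);
Intl.DateTimeFormat.prototype.formatToParts.apply(object);
"""

# Constructed sample 2: ordinary i18n code of the kind Dan says was flagged.
# It uses the constructors, calls apply on an unrelated function within 25
# bytes of formatToParts, and touches .prototype, so every -1 subsig fires.
BENIGN_SAMPLE = """const fmt = new Intl.DateTimeFormat('en-GB', { timeZone: 'UTC' });
const parts = fmt.formatToParts(new Date());
render.apply(null, parts);
const money = new Intl.NumberFormat('en-GB', { style: 'currency', currency: 'GBP' });
Widget.prototype.show = function () { return money.format(this.total); };
"""

# Regex emulation of the -1 signature as dumped in the thread (all NOCASE).
SIG_V1 = {
    "name": "Html.Exploit.CVE_2018_8298-6602925-1",
    "logical": "0&1&2&3",
    "subsigs": [(r"formatToParts.{0,25}\.apply", True), (r"DateTimeFormat", True),
                (r"NumberFormat", True), (r"\.prototype", True)],
}

# Dan's -2 subsignatures, made case sensitive as Tyler's reply describes.
V2_STRINGS = ["Intl.DateTimeFormat.prototype.formatToParts.apply",
              "Intl.DateTimeFormat.apply", "Intl.NumberFormat.apply"]
SIG_V2 = {
    "name": "Html.Exploit.CVE_2018_8298-6602925-2",
    "logical": "0&1&2",
    "subsigs": [(re.escape(s), False) for s in V2_STRINGS],
}


def encode_subsig(text, nocase=False):
    """Hex-encode a plain subsignature; '::i' is ClamAV's nocase modifier."""
    return text.encode("ascii").hex() + ("::i" if nocase else "")


def build_ldb(name, tdb, logical, subsigs):
    """Assemble an .ldb line: name;TDB;logical expression;subsig0;subsig1;..."""
    return ";".join([name, tdb, logical] + [encode_subsig(t, nc) for t, nc in subsigs])


def parse_ldb(line):
    """Split an .ldb line and decode each hex subsignature to (text, nocase)."""
    name, tdb, logical, *subs = line.split(";")
    decoded = []
    for sub in subs:
        hexpart, _, mods = sub.partition("::")
        decoded.append((bytes.fromhex(hexpart).decode("ascii"), "i" in mods))
    return name, tdb, logical, decoded


def sig_from_ldb(line):
    """Build the dict form evaluate() expects from a literal-only .ldb line."""
    name, _, logical, decoded = parse_ldb(line)
    return {"name": name, "logical": logical,
            "subsigs": [(re.escape(t), nc) for t, nc in decoded]}


def evaluate(sig, sample):
    """Toy emulation of a logical signature: returns (matched, per-subsig hits).

    Only '&'-joined subsig ids are supported, which covers both signatures
    in the thread. Wildcards span newlines, hence DOTALL.
    """
    hits = {}
    for idx, (pattern, nocase) in enumerate(sig["subsigs"]):
        flags = re.DOTALL | (re.IGNORECASE if nocase else 0)
        hits[idx] = re.search(pattern, sample, flags) is not None
    required = [int(tok) for tok in sig["logical"].split("&")]
    return all(hits[i] for i in required), hits


# Case-sensitive rebuild of the -2 line without the trailing newline bytes;
# the TDB is kept as Dan posted it (assumption, Tyler's final TDB is not shown).
REBUILT_LDB = build_ldb("Html.Exploit.CVE_2018_8298-6602925-2", "Engine:81-255,Target:3",
                        "0&1&2", [(s, False) for s in V2_STRINGS])


def compare_signatures():
    """Run both signature versions over both samples: {sig name: {sample: matched}}."""
    samples = {"exploit": EXPLOIT_SAMPLE, "benign_i18n": BENIGN_SAMPLE}
    return {sig["name"]: {label: evaluate(sig, text)[0] for label, text in samples.items()}
            for sig in (SIG_V1, SIG_V2)}


if __name__ == "__main__":
    for name, results in compare_signatures().items():
        print(name, results)
    print("posted -2 subsig 0 decodes to:", repr(parse_ldb(POSTED_LDB)[3][0][0]))
    print("posted line matches exploit sample:", evaluate(sig_from_ldb(POSTED_LDB), EXPLOIT_SAMPLE)[0])
    print("rebuilt line matches exploit sample:", evaluate(sig_from_ldb(REBUILT_LDB), EXPLOIT_SAMPLE)[0])
```

Running it shows the -1 emulation firing on both samples (the false positive Dan reported) and the -2 emulation firing only on the exploit shape; it also shows that the hex line as posted does not match the exploit sample because of the trailing newline bytes, while the rebuilt line does, which is the kind of check worth doing with sigtool and clamscan before submitting a signature.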