Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

ClamAV 1.4.0-rc cdb LZH #1266

Open Sanesecurity opened 4 months ago

Sanesecurity commented 4 months ago

Describe the bug

Created a simple cdb signature to test exe blocking in LZH:

test:CL_TYPE_LHA_LZH:*:(?i)\.exe$:*:*:*:*:*:*

Seems to work fine with the LZHs I've tested, however, the attached LZH doesn't fire on the above rule.

The LZHs that work are -lh5- and the one that doesn't is -lh0-.

purchase order TH.exe

I've zipped the LZH with password: infected

bad.zip

Hopefully I'm missing something obvious ;)

micahsnyder commented 4 months ago

Thanks for the bug report.

I just triaged the issue and see the same as you.

For this file, that is because there is no compression on the embedded file. ClamAV has a signature to identify MSEXE files based on the PE file header contained at any offset into the file: https://github.com/Cisco-Talos/clamav/blob/clamav-1.4.0-rc/libclamav/filetypes_int.h#L110

I see the LZH signature matching on this file, but then the embedded PE header signature also matches. And it seems to be prioritizing embedded PE file type detection over that of LZH file type detection, even though LZH was detected first.

I will have to investigate further to find the correct solution.
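
The diagnosis above, reproduced as an added example (this is not ClamAV code, and the function names, the simplified type-detection rules and the sample archives are all assumptions made here). It builds two tiny LZH level-0 archives: one whose member is stored with -lh0-, so the MZ/PE header sits in the clear, and one whose member data is an opaque placeholder standing in for an -lh5- bitstream (real LH5 compression is not implemented). A "PE header at any offset" check fires only on the stored archive, and a model of the prioritisation described in the comment (embedded PE winning over LZH) then shows why a cdb rule keyed on CL_TYPE_LHA_LZH never gets to see the member name, even though the filename regex from the issue would match it:

```python
"""
Added example, not ClamAV code: build two tiny LZH level-0 archives, one whose
member is stored (-lh0-) and one whose member data stands in for an
LH5-compressed stream, then run a simplified file-type pass over each. The
-lh0- archive carries the MZ/PE header in the clear, so a "PE header at any
offset" rule fires on it; the -lh5- one does not expose it.
"""
import re
import struct
from typing import Iterator, List, Optional, Tuple

CDB_NAME_RE = re.compile(r"(?i)\.exe$")      # name pattern from the issue's cdb line
LZH_METHOD_RE = re.compile(rb"-l[hz][0-9a-z]-")


def fake_pe() -> bytes:
    """Constructed PE-like blob: DOS header whose e_lfanew points at 'PE\\0\\0'. Not runnable."""
    dos = bytearray(b"MZ" + b"\x00" * 62)        # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew points just past it
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18 + b"payload"


def lzh_level0_member(method: bytes, name: bytes, data: bytes, orig_size: int) -> bytes:
    """Level-0 LZH header: size byte, checksum byte, then the body below, then the data."""
    body = (method + struct.pack("<II", len(data), orig_size)
            + b"\x00\x00\x00\x00"                # DOS timestamp, zeroed
            + b"\x20"                            # attribute: archive
            + b"\x00"                            # header level 0
            + bytes([len(name)]) + name
            + b"\x00\x00")                       # data CRC16, not computed here
    return bytes([len(body), sum(body) & 0xFF]) + body + data


def build_archive(members: List[bytes]) -> bytes:
    return b"".join(members) + b"\x00"           # a zero byte ends the archive


def detect_lzh(data: bytes) -> bool:
    """Container check: method ID at offset 2 (what an LZH file-type signature keys on)."""
    return len(data) >= 7 and LZH_METHOD_RE.fullmatch(data[2:7]) is not None


def parse_members(data: bytes) -> Iterator[Tuple[str, str, bytes]]:
    """Walk level-0 headers, yielding (method, filename, member bytes)."""
    pos = 0
    while pos + 2 <= len(data) and data[pos] != 0:
        hsize, csum = data[pos], data[pos + 1]
        body = data[pos + 2:pos + 2 + hsize]
        if len(body) != hsize or sum(body) & 0xFF != csum or body[18] != 0:
            raise ValueError("bad or unsupported LZH header at %d" % pos)
        comp_size, _orig = struct.unpack_from("<II", body, 5)
        name = body[20:20 + body[19]].decode("latin-1")
        start = pos + 2 + hsize
        yield body[0:5].decode("ascii"), name, data[start:start + comp_size]
        pos = start + comp_size


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Simplified stand-in for a 'PE header at any offset' rule: MZ, then PE\\0\\0 at e_lfanew."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def cdb_hits(archive: bytes, pattern=CDB_NAME_RE) -> List[str]:
    """Member names the cdb filename regex would match, if the LZH parser runs at all."""
    return [name for _, name, _ in parse_members(archive) if pattern.search(name)]


def classify(archive: bytes) -> dict:
    is_lzh = detect_lzh(archive)
    pe_off = find_embedded_pe(archive)
    # Models the prioritisation the maintainer described (embedded PE wins over
    # LZH). It reproduces the reported behaviour; it is not ClamAV's dispatch code.
    if pe_off is not None:
        chosen = "CL_TYPE_MSEXE"
    elif is_lzh:
        chosen = "CL_TYPE_LHA_LZH"
    else:
        chosen = "CL_TYPE_ANY"
    # A cdb rule keyed on CL_TYPE_LHA_LZH only sees members when that type is chosen.
    fires = cdb_hits(archive) if chosen == "CL_TYPE_LHA_LZH" else []
    return {"lzh": is_lzh, "embedded_pe_at": pe_off, "chosen_type": chosen, "cdb_fires": fires}


# Constructed sample archives (names taken from the issue; contents are made up here).
PE = fake_pe()
STORED = build_archive([lzh_level0_member(b"-lh0-", b"purchase order TH.exe", PE, len(PE))])
# Opaque bytes standing in for an LH5 bitstream (no MZ/PE in the clear); real
# LH5 compression is not implemented in this example.
LH5_BLOB = bytes((i * 73 + 19) & 0xFF for i in range(40))
COMPRESSED = build_archive([lzh_level0_member(b"-lh5-", b"RFQ ML - CONTG. 0992-19-PD.exe", LH5_BLOB, len(PE))])

if __name__ == "__main__":
    for label, arc in (("-lh0-", STORED), ("-lh5-", COMPRESSED)):
        print(label, classify(arc), "cdb would match:", cdb_hits(arc))
```

Running it shows the stored archive classified as CL_TYPE_MSEXE with no cdb hit, while `cdb_hits(STORED)` still returns `purchase order TH.exe`: the filename rule is fine, it is the container-type decision that keeps it from being evaluated. The placeholder archive, with nothing PE-shaped in the clear, stays CL_TYPE_LHA_LZH and the rule fires.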

Sanesecurity commented 4 months ago

Makes sense... also noted that the ones that work show the debug lines...

LibClamAV debug: CDBNAME:CL_TYPE_LHA_LZH:689528:RFQ ML - CONTG. 0992-19-PD.exe

whereas the lh0 one doesn't.

Thanks for confirming 👍