2
* Copyright (C) 2004-2005 trog@uncon.org
4
* This program is free software; you can redistribute it and/or modify
5
* it under the terms of the GNU General Public License as published by
6
* the Free Software Foundation; either version 2 of the License, or
7
* (at your option) any later version.
9
* This program is distributed in the hope that it will be useful,
10
* but WITHOUT ANY WARRANTY; without even the implied warranty of
11
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
* GNU General Public License for more details.
14
* You should have received a copy of the GNU General Public License
15
* along with this program; if not, write to the Free Software
16
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
20
#include "clamav-config.h"
22
#include <sys/types.h>
26
#include <netinet/in.h>
34
/* NOTE: Photoshop stores data in BIG ENDIAN format, this is the opposite
35
to virtually everything else */
37
#define special_endian_convert_16(v) be16_to_host(v)
38
#define special_endian_convert_32(v) be32_to_host(v)
40
int cli_check_mydoom_log(int desc, const char **virname)
42
int32_t record[8], check;
43
int i, retval=CL_VIRUS, j;
45
cli_dbgmsg("in cli_check_mydoom_log()\n");
47
/* Check upto the first five records in the file */
48
for (j=0 ; j<5 ; j++) {
49
if (cli_readn(desc, &record, 32) != 32) {
54
record[0] = ~ntohl(record[0]);
55
cli_dbgmsg("Mydoom: key: %lu\n", record[0]);
57
for (i=1 ; i<8; i++) {
58
record[i] = ntohl(record[i]) ^ record[0];
61
cli_dbgmsg("Mydoom: check: %lu\n", ~check);
62
if ((~check) != record[0]) {
69
} else if (retval==CL_VIRUS) {
71
*virname = "Worm.Mydoom.M.log";
77
static int jpeg_check_photoshop_8bim(int fd)
86
if (cli_readn(fd, bim, 4) != 4) {
87
cli_dbgmsg("read bim failed\n");
91
if (memcmp(bim, "8BIM", 4) != 0) {
93
cli_dbgmsg("missed 8bim: %s\n", bim);
97
if (cli_readn(fd, &id, 2) != 2) {
100
id = special_endian_convert_16(id);
101
cli_dbgmsg("ID: 0x%.4x\n", id);
102
if (cli_readn(fd, &nlength, 1) != 1) {
105
ntmp = nlength + ((((uint16_t)nlength)+1) & 0x01);
106
lseek(fd, ntmp, SEEK_CUR);
108
if (cli_readn(fd, &size, 4) != 4) {
111
size = special_endian_convert_32(size);
115
if ((size & 0x01) == 1) {
118
/* Is it a thumbnail image */
119
if ((id != 0x0409) && (id != 0x040c)) {
120
/* No - Seek past record */
121
lseek(fd, size, SEEK_CUR);
125
cli_dbgmsg("found thumbnail\n");
126
/* Check for thumbmail image */
127
offset = lseek(fd, 0, SEEK_CUR);
129
/* Jump past header */
130
lseek(fd, 28, SEEK_CUR);
132
retval = cli_check_jpeg_exploit(fd);
134
cli_dbgmsg("Exploit found in thumbnail\n", retval);
136
lseek(fd, offset+size, SEEK_SET);
141
static int jpeg_check_photoshop(int fd)
144
unsigned char buffer[14];
146
if (cli_readn(fd, buffer, 14) != 14) {
150
if (memcmp(buffer, "Photoshop 3.0", 14) != 0) {
154
cli_dbgmsg("Found Photoshop segment\n");
156
retval = jpeg_check_photoshop_8bim(fd);
157
} while (retval == 0);
165
int cli_check_jpeg_exploit(int fd)
167
unsigned char buffer[4];
172
cli_dbgmsg("in cli_check_jpeg_exploit()\n");
174
if (cli_readn(fd, buffer, 2) != 2) {
178
if ((buffer[0] != 0xff) || (buffer[1] != 0xd8)) {
183
if ((retval=cli_readn(fd, buffer, 4)) != 4) {
186
/* Check for multiple 0xFF values, we need to skip them */
187
if ((buffer[0] == 0xff) && (buffer[1] == 0xff)) {
188
lseek(fd, -3, SEEK_CUR);
192
if ((buffer[0] == 0xff) && (buffer[1] == 0xfe)) {
193
if (buffer[2] == 0x00) {
194
if ((buffer[3] == 0x00) || (buffer[3] == 0x01)) {
199
if (buffer[0] != 0xff) {
202
if (buffer[1] == 0xda) {
203
/* End of Image marker */
207
offset = ((unsigned int) buffer[2] << 8) + buffer[3];
212
offset += lseek(fd, 0, SEEK_CUR);
214
if (buffer[1] == 0xed) {
215
/* Possible Photoshop file */
216
if ((retval=jpeg_check_photoshop(fd)) != 0) {
221
if (lseek(fd, offset, SEEK_SET) != offset) {
227
static uint32_t riff_endian_convert_32(uint32_t value, int big_endian)
230
return be32_to_host(value);
232
return le32_to_host(value);
235
static int riff_read_chunk(int fd, int big_endian, int rec_level)
241
off_t offset, cur_offset;
243
if (rec_level > 1000) {
244
cli_dbgmsg("riff_read_chunk: recursion level exceeded\n");
248
length = sizeof(uint32_t);
249
if (cli_readn(fd, &chunk_id, length) != length) {
252
if (cli_readn(fd, &chunk_size, length) != length) {
255
chunk_size = riff_endian_convert_32(chunk_size, big_endian);
257
if (memcmp(&chunk_id, "RIFF", 4) == 0) {
259
} else if (memcmp(&chunk_id, "RIFX", 4) == 0) {
263
if ((memcmp(&chunk_id, "LIST", 4) == 0) ||
264
(memcmp(&chunk_id, "PROP", 4) == 0) ||
265
(memcmp(&chunk_id, "FORM", 4) == 0) ||
266
(memcmp(&chunk_id, "CAT ", 4) == 0)) {
267
if (cli_readn(fd, &list_type, sizeof(list_type)) != sizeof(list_type)) {
268
cli_dbgmsg("riff_read_chunk: read list type failed\n");
271
return riff_read_chunk(fd, big_endian, ++rec_level);
274
cur_offset = lseek(fd, 0, SEEK_CUR);
275
offset = cur_offset + chunk_size;
276
/* Check for odd alignment */
277
if ((offset & 0x01) == 1) {
280
if (offset < cur_offset) {
283
if (lseek(fd, offset, SEEK_SET) != offset) {
289
int cli_check_riff_exploit(int fd)
294
int length, big_endian, retval;
297
cli_dbgmsg("in cli_check_riff_exploit()\n");
299
length = sizeof(uint32_t);
300
if (cli_readn(fd, &chunk_id, length) != length) {
303
if (cli_readn(fd, &chunk_size, length) != length) {
306
if (cli_readn(fd, &form_type, length) != length) {
310
if (memcmp(&chunk_id, "RIFF", 4) == 0) {
312
} else if (memcmp(&chunk_id, "RIFX", 4) == 0) {
315
/* Not a RIFF file */
319
if (memcmp(&form_type, "ACON", 4) != 0) {
320
/* Only scan MS animated icon files */
321
/* There is a *lot* of broken software out there that produces bad RIFF files */
325
chunk_size = riff_endian_convert_32(chunk_size, big_endian);
328
retval = riff_read_chunk(fd, big_endian, 1);
329
} while (retval == 1);
331
offset = lseek(fd, 0, SEEK_CUR);
333
if (offset < (int64_t)chunk_size) {