Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 18:33:16 +00:00
Code Issues Projects Releases Packages Wiki Activity
clamav/libclamav/ole2_extract.c

2658 lines
93 KiB
C
Raw Normal View History

OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
/*
Bump copyright dates for 2024
2024-01-12 17:03:59 -05:00
* Copyright (C) 2013-2024 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Updating and cleaning up copyright notices.
2019-01-25 10:15:50 -05:00
* Copyright (C) 2007-2013 Sourcefire, Inc.
Eliminating AUTHORS file, and moving acknowledgements for various source code contributions to the file comment blocks for the individual files, as appropriate.
2018-03-05 16:34:35 -05:00
*
* Authors: Trog
fuzz - 12528 - fixing left shift issue with OLE2 and utf16 to ascii decoding
2019-02-19 13:12:09 -05:00
*
Eliminating AUTHORS file, and moving acknowledgements for various source code contributions to the file comment blocks for the individual files, as appropriate.
2018-03-05 16:34:35 -05:00
* Summary: Extract component parts of OLE2 files (e.g. MS Office Documents).
fuzz - 12528 - fixing left shift issue with OLE2 and utf16 to ascii decoding
2019-02-19 13:12:09 -05:00
*
Eliminating AUTHORS file, and moving acknowledgements for various source code contributions to the file comment blocks for the individual files, as appropriate.
2018-03-05 16:34:35 -05:00
* Acknowledgements: Some ideas and algorithms were based upon OpenOffice and libgsf.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301, USA.
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
*/
Support for clamav-config.h git-svn: trunk@246
2004-02-06 13:46:08 +00:00
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
ole2: added json string sanitization ole2: added parsing errors for issues with codepage encoding
2014-10-16 18:38:29 -04:00
#include <ctype.h>
#include <stdlib.h>
#include <errno.h>
#include <conv.h>
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
#include <zlib.h>
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
#ifdef HAVE_UNISTD_H
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
#include <unistd.h>
apply w32 patches from NJH git-svn: trunk@2359
2006-10-09 15:23:50 +00:00
#endif
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
#include <stdbool.h>
ole2: added json string sanitization ole2: added parsing errors for issues with codepage encoding
2014-10-16 18:38:29 -04:00
Move all the crypto API to clamav.h
2014-07-01 19:38:01 -04:00
#include "clamav.h"
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
#include "others.h"
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
#include "hwp.h"
fix some compiler warnings, patch by Stefan Huehner <stefan*huehner.org> git-svn: trunk@1778
2005-12-10 18:50:26 +00:00
#include "ole2_extract.h"
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
#include "xlm_extract.h"
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
#include "scanners.h"
port pdf and ole2_extract to fmap
2009-08-25 01:21:15 +02:00
#include "fmap.h"
json: added json api source files, source moved from ole2 specifics
2014-04-22 14:22:39 -04:00
#include "json_api.h"
fixed a conditional header issue
2014-11-03 18:19:36 -05:00
#if HAVE_JSON
#include "msdoc.h"
#endif
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
#include "rijndael.h"
#include "ole2_encryption.h"
revert patch from bb#245 git-svn: trunk@3006
2007-04-02 17:49:01 +00:00
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
#ifdef DEBUG_OLE2_LIST
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
#define ole2_listmsg(...) cli_dbgmsg(__VA_ARGS__)
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
#else
#define ole2_listmsg(...) ;
#endif
make endian conversion macros work when operand is negative number. git-svn: trunk@3355
2007-11-02 23:26:30 +00:00
#define ole2_endian_convert_16(v) le16_to_host((uint16_t)(v))
#define ole2_endian_convert_32(v) le32_to_host((uint32_t)(v))
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
#define ole2_endian_convert_64(v) le64_to_host((uint64_t)(v))
Tue Jan 27 14:04:51 GMT 2004 (trog) ----------------------------------- * libclamav: OLE2 unpacker - add big-endian support git-svn: trunk@214
2004-01-27 14:09:14 +00:00
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
#ifndef HAVE_ATTRIB_PACKED
#define __attribute__(x)
#endif
#ifdef HAVE_PRAGMA_PACK
#pragma pack(1)
#endif
add support for HP-UX 11.11 git-svn: trunk@2856
2007-02-24 03:30:27 +00:00
#ifdef HAVE_PRAGMA_PACK_HPPA
#pragma pack 1
#endif
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
// https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/05060311-bfce-4b12-874d-71fd4ce63aea
Retab for sanity
2013-11-25 21:48:18 +00:00
typedef struct ole2_header_tag {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
unsigned char magic[8]; /* should be: 0xd0cf11e0a1b11ae1 */
unsigned char clsid[16];
Retab for sanity
2013-11-25 21:48:18 +00:00
uint16_t minor_version __attribute__((packed));
uint16_t dll_version __attribute__((packed));
OLE2: Fix integer overflow that may result in over read An integer overflow when calculating remainingBytes may cause a large buffer over read. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62542
2023-10-03 00:42:00 -05:00
int16_t byte_order __attribute__((packed)); /* -2=intel */
Retab for sanity
2013-11-25 21:48:18 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
uint16_t log2_big_block_size __attribute__((packed)); /* usually 9 (2^9 = 512) */
uint32_t log2_small_block_size __attribute__((packed)); /* usually 6 (2^6 = 64) */
Retab for sanity
2013-11-25 21:48:18 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int32_t reserved[2] __attribute__((packed));
Retab for sanity
2013-11-25 21:48:18 +00:00
int32_t bat_count __attribute__((packed));
int32_t prop_start __attribute__((packed));
uint32_t signature __attribute__((packed));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
uint32_t sbat_cutoff __attribute__((packed)); /* cutoff for files held
Add explicit log level parameter to application logging API * Added loglevel parameter to logg() * Fix logg and mprintf internals with new loglevels * Update all logg calls to set loglevel * Update all mprintf calls to set loglevel * Fix hidden logg calls * Executed clam-format
2022-02-16 00:13:55 +01:00
* in small blocks
* (4096) */
Retab for sanity
2013-11-25 21:48:18 +00:00
int32_t sbat_start __attribute__((packed));
int32_t sbat_block_count __attribute__((packed));
int32_t xbat_start __attribute__((packed));
int32_t xbat_count __attribute__((packed));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int32_t bat_array[109] __attribute__((packed));
Retab for sanity
2013-11-25 21:48:18 +00:00
/*
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
* The following is not part of the ole2 header, but stuff we need in
* order to decode.
*
Fix typos (no functional changes)
2023-11-26 15:01:19 -08:00
* IMPORTANT: These must take account of the size of variables below here
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
* when calculating hdr_size to read the header.
*
* See the top of cli_ole2_extract().
Retab for sanity
2013-11-25 21:48:18 +00:00
*/
int32_t sbat_root_start __attribute__((packed));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
uint32_t max_block_no;
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
size_t m_length;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
bitset_t *bitset;
struct uniq *U;
fmap_t *map;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
bool has_vba;
bool has_xlm;
bool has_image;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
hwp5_header_t *is_hwp; // This value MUST be last in this structure,
// otherwise you will get short file reads.
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} ole2_header_t;
Retab for sanity
2013-11-25 21:48:18 +00:00
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
/*
* DirectoryEntry
*
* https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/60fe8611-66c3-496b-b70d-a504c94c9ace
*/
Retab for sanity
2013-11-25 21:48:18 +00:00
typedef struct property_tag {
OLE2: Fix integer overflow that may result in over read An integer overflow when calculating remainingBytes may cause a large buffer over read. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62542
2023-10-03 00:42:00 -05:00
char name[64]; /* in unicode */
Retab for sanity
2013-11-25 21:48:18 +00:00
uint16_t name_size __attribute__((packed));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
unsigned char type; /* 1=dir 2=file 5=root */
unsigned char color; /* black or red */
uint32_t prev __attribute__((packed));
uint32_t next __attribute__((packed));
uint32_t child __attribute__((packed));
Retab for sanity
2013-11-25 21:48:18 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
unsigned char clsid[16];
Retab for sanity
2013-11-25 21:48:18 +00:00
uint32_t user_flags __attribute__((packed));
uint32_t create_lowdate __attribute__((packed));
uint32_t create_highdate __attribute__((packed));
uint32_t mod_lowdate __attribute__((packed));
uint32_t mod_highdate __attribute__((packed));
uint32_t start_block __attribute__((packed));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
uint32_t size __attribute__((packed));
unsigned char reserved[4];
} property_t;
Retab for sanity
2013-11-25 21:48:18 +00:00
doc/ppt: moved information stream parsing from vba source to ole2 source
2014-04-21 18:30:28 -04:00
struct ole2_list_node;
Silence some compiler warnings
2014-07-09 12:03:08 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
typedef struct ole2_list_node {
uint32_t Val;
struct ole2_list_node *Next;
doc/ppt: moved information stream parsing from vba source to ole2 source
2014-04-21 18:30:28 -04:00
} ole2_list_node_t;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
typedef struct ole2_list {
uint32_t Size;
ole2_list_node_t *Head;
doc/ppt: moved information stream parsing from vba source to ole2 source
2014-04-21 18:30:28 -04:00
} ole2_list_t;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int ole2_list_init(ole2_list_t *list);
int ole2_list_is_empty(ole2_list_t *list);
uint32_t ole2_list_size(ole2_list_t *list);
int ole2_list_push(ole2_list_t *list, uint32_t val);
uint32_t ole2_list_pop(ole2_list_t *list);
int ole2_list_delete(ole2_list_t *list);
Silence some compiler warnings
2014-07-09 12:03:08 -04:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int ole2_list_init(ole2_list_t *list)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
Retab for sanity
2013-11-25 21:48:18 +00:00
list->Head = NULL;
list->Size = 0;
added wrappers to ole2_list_push() to handle returned value
2013-11-26 11:26:11 -05:00
return CL_SUCCESS;
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int ole2_list_is_empty(ole2_list_t *list)
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
{
Retab for sanity
2013-11-25 21:48:18 +00:00
return (list->Head == NULL);
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
uint32_t
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ole2_list_size(ole2_list_t *list)
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
{
Retab for sanity
2013-11-25 21:48:18 +00:00
return (list->Size);
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int ole2_list_push(ole2_list_t *list, uint32_t val)
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
{
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
ole2_list_node_t *new_node = NULL;
int status = CL_EMEM;
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MALLOC_OR_GOTO_DONE(new_node, sizeof(ole2_list_node_t),
Optimization: replace limited allocation calls There are a large number of allocations for fix sized buffers using the `cli_malloc` and `cli_calloc` calls that check if the requested size is larger than our allocation threshold for allocations based on untrusted input. These allocations will *always* be higher than the threshold, so the extra stack frame and check for these calls is a waste of CPU. This commit replaces needless calls with A -> B: - cli_malloc -> malloc - cli_calloc -> calloc - CLI_MALLOC -> MALLOC - CLI_CALLOC -> CALLOC I also noticed that our MPOOL_MALLOC / MPOOL_CALLOC are not limited by the max-allocation threshold, when MMAP is found/enabled. But the alternative was set to cli_malloc / cli_calloc when disabled. I changed those as well. I didn't change the cli_realloc/2 calls because our version of realloc not only implements a threshold but also stabilizes the undefined behavior in realloc to protect against accidental double-free's. It may be worth implementing a cli_realloc that doesn't have the threshold built-in, however, so as to allow reallocaitons for things like buffers for loading signatures, which aren't subject to the same concern as allocations for scanning possible malware. There was one case in mbox.c where I changed MALLOC -> CLI_MALLOC, because it appears to be allocating based on untrusted input.
2022-05-08 14:59:09 -07:00
cli_dbgmsg("OLE2: could not allocate new node for worklist!\n"));
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
new_node->Val = val;
Retab for sanity
2013-11-25 21:48:18 +00:00
new_node->Next = list->Head;
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
Retab for sanity
2013-11-25 21:48:18 +00:00
list->Head = new_node;
(list->Size)++;
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
status = CL_SUCCESS;
done:
return status;
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
uint32_t
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ole2_list_pop(ole2_list_t *list)
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
uint32_t val;
Make Windows build happy. Style changes.
2013-11-25 21:35:51 +00:00
ole2_list_node_t *next;
Retab for sanity
2013-11-25 21:48:18 +00:00
if (ole2_list_is_empty(list)) {
cli_dbgmsg("OLE2: work list is empty and ole2_list_pop() called!\n");
return -1;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
val = list->Head->Val;
Make Windows build happy. Style changes.
2013-11-25 21:35:51 +00:00
next = list->Head->Next;
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
Retab for sanity
2013-11-25 21:48:18 +00:00
free(list->Head);
list->Head = next;
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
Retab for sanity
2013-11-25 21:48:18 +00:00
(list->Size)--;
return val;
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int ole2_list_delete(ole2_list_t *list)
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
{
Retab for sanity
2013-11-25 21:48:18 +00:00
while (!ole2_list_is_empty(list))
ole2_list_pop(list);
added wrappers to ole2_list_push() to handle returned value
2013-11-26 11:26:11 -05:00
return CL_SUCCESS;
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
#ifdef HAVE_PRAGMA_PACK
#pragma pack()
#endif
add support for HP-UX 11.11 git-svn: trunk@2856
2007-02-24 03:30:27 +00:00
#ifdef HAVE_PRAGMA_PACK_HPPA
#pragma pack
#endif
Retab for sanity
2013-11-25 21:48:18 +00:00
static unsigned char magic_id[] = {0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1};
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
char *
cli_ole2_get_property_name2(const char *name, int size)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int i, j;
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
char *newname = NULL;
Retab for sanity
2013-11-25 21:48:18 +00:00
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
if ((name[0] == 0 && name[1] == 0) || size <= 0 || size > 128) {
Retab for sanity
2013-11-25 21:48:18 +00:00
return NULL;
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_MALLOC_OR_GOTO_DONE(newname, size * 7,
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
cli_errmsg("OLE2 [cli_ole2_get_property_name2]: Unable to allocate memory for newname: %u\n", size * 7));
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
j = 0;
/* size-2 to ignore trailing NULL */
for (i = 0; i < size - 2; i += 2) {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
if ((!(name[i] & 0x80)) && isprint(name[i]) && name[i + 1] == 0) {
Retab for sanity
2013-11-25 21:48:18 +00:00
newname[j++] = tolower(name[i]);
} else {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
if (name[i] < 10 && name[i] >= 0 && name[i + 1] == 0) {
Retab for sanity
2013-11-25 21:48:18 +00:00
newname[j++] = '_';
newname[j++] = name[i] + '0';
} else {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
const uint16_t x = (((uint16_t)name[i]) << 8) | name[i + 1];
Retab for sanity
2013-11-25 21:48:18 +00:00
newname[j++] = '_';
newname[j++] = 'a' + ((x & 0xF));
newname[j++] = 'a' + ((x >> 4) & 0xF);
newname[j++] = 'a' + ((x >> 8) & 0xF);
newname[j++] = 'a' + ((x >> 16) & 0xF);
newname[j++] = 'a' + ((x >> 24) & 0xF);
}
newname[j++] = '_';
}
}
newname[j] = '\0';
if (strlen(newname) == 0) {
free(newname);
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
newname = NULL;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
done:
Retab for sanity
2013-11-25 21:48:18 +00:00
return newname;
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
* clamd/server-th.c: error handling * libclamav/ole2_extract.c: change struct pack code to support old versions of gcc - for the last time I hope. git-svn: trunk@390
2004-03-10 13:31:32 +00:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
static char *
Retab for sanity
2013-11-25 21:48:18 +00:00
get_property_name(char *name, int size)
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
const char *carray = "0123456789abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz._";
int csize = size >> 1;
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
char *newname = NULL;
char *cname = NULL;
char *oname = name;
Retab for sanity
2013-11-25 21:48:18 +00:00
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
if (csize <= 0) {
Retab for sanity
2013-11-25 21:48:18 +00:00
return NULL;
}
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_MALLOC_OR_GOTO_DONE(newname, size,
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
cli_errmsg("OLE2 [get_property_name]: Unable to allocate memory for newname %u\n", size));
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
cname = newname;
Retab for sanity
2013-11-25 21:48:18 +00:00
while (--csize) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
uint16_t lo, hi, u = cli_readint16(oname) - 0x3800;
Retab for sanity
2013-11-25 21:48:18 +00:00
oname += 2;
if (u > 0x1040) {
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(newname);
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
return cli_ole2_get_property_name2(name, size);
Retab for sanity
2013-11-25 21:48:18 +00:00
}
lo = u % 64;
u >>= 6;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
hi = u % 64;
Retab for sanity
2013-11-25 21:48:18 +00:00
*cname++ = carray[lo];
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
if (csize != 1 || u != 64) {
Retab for sanity
2013-11-25 21:48:18 +00:00
*cname++ = carray[hi];
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
}
*cname = '\0';
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
done:
Retab for sanity
2013-11-25 21:48:18 +00:00
return newname;
Tue Feb 10 10:38:08 GMT 2004 (trog) ----------------------------------- * libclamav/ole2_extract.c: Improve error handling git-svn: trunk@263
2004-02-10 10:36:38 +00:00
}
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
Retab for sanity
2013-11-25 21:48:18 +00:00
static void
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
print_ole2_property(property_t *property)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
char spam[128], *buf;
Retab for sanity
2013-11-25 21:48:18 +00:00
if (property->name_size > 64) {
cli_dbgmsg("[err name len: %d]\n", property->name_size);
return;
}
buf = get_property_name(property->name, property->name_size);
snprintf(spam, sizeof(spam), "OLE2: %s ", buf ? buf : "<noname>");
spam[sizeof(spam) - 1] = '\0';
if (buf)
free(buf);
switch (property->type) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case 2:
strncat(spam, " [file] ", sizeof(spam) - 1 - strlen(spam));
break;
case 1:
strncat(spam, " [dir ] ", sizeof(spam) - 1 - strlen(spam));
break;
case 5:
strncat(spam, " [root] ", sizeof(spam) - 1 - strlen(spam));
break;
default:
strncat(spam, " [unkn] ", sizeof(spam) - 1 - strlen(spam));
Retab for sanity
2013-11-25 21:48:18 +00:00
}
spam[sizeof(spam) - 1] = '\0';
switch (property->color) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case 0:
strncat(spam, " r ", sizeof(spam) - 1 - strlen(spam));
break;
case 1:
strncat(spam, " b ", sizeof(spam) - 1 - strlen(spam));
break;
default:
strncat(spam, " u ", sizeof(spam) - 1 - strlen(spam));
Retab for sanity
2013-11-25 21:48:18 +00:00
}
spam[sizeof(spam) - 1] = '\0';
cli_dbgmsg("%s size:0x%.8x flags:0x%.8x\n", spam, property->size, property->user_flags);
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
static void
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
print_ole2_header(ole2_header_t *hdr)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
Retab for sanity
2013-11-25 21:48:18 +00:00
if (!hdr || !cli_debug_flag) {
return;
}
cli_dbgmsg("\n");
ole2: fixed debugging messages in printing ole2 header
2014-12-12 16:50:16 -05:00
cli_dbgmsg("Magic:\t\t\t0x%x%x%x%x%x%x%x%x\n",
hdr->magic[0], hdr->magic[1], hdr->magic[2], hdr->magic[3],
hdr->magic[4], hdr->magic[5], hdr->magic[6], hdr->magic[7]);
Retab for sanity
2013-11-25 21:48:18 +00:00
ole2: fixed debugging messages in printing ole2 header
2014-12-12 16:50:16 -05:00
cli_dbgmsg("CLSID:\t\t\t{%x%x%x%x-%x%x-%x%x-%x%x-%x%x%x%x%x%x}\n",
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
hdr->clsid[0], hdr->clsid[1], hdr->clsid[2], hdr->clsid[3],
hdr->clsid[4], hdr->clsid[5], hdr->clsid[6], hdr->clsid[7],
hdr->clsid[8], hdr->clsid[9], hdr->clsid[10], hdr->clsid[11],
ole2: fixed debugging messages in printing ole2 header
2014-12-12 16:50:16 -05:00
hdr->clsid[12], hdr->clsid[13], hdr->clsid[14], hdr->clsid[15]);
Retab for sanity
2013-11-25 21:48:18 +00:00
cli_dbgmsg("Minor version:\t\t0x%x\n", hdr->minor_version);
cli_dbgmsg("DLL version:\t\t0x%x\n", hdr->dll_version);
cli_dbgmsg("Byte Order:\t\t%d\n", hdr->byte_order);
ole2: fixed debugging messages in printing ole2 header
2014-12-12 16:50:16 -05:00
cli_dbgmsg("Big Block Size:\t%i\n", hdr->log2_big_block_size);
Retab for sanity
2013-11-25 21:48:18 +00:00
cli_dbgmsg("Small Block Size:\t%i\n", hdr->log2_small_block_size);
cli_dbgmsg("BAT count:\t\t%d\n", hdr->bat_count);
cli_dbgmsg("Prop start:\t\t%d\n", hdr->prop_start);
cli_dbgmsg("SBAT cutoff:\t\t%d\n", hdr->sbat_cutoff);
cli_dbgmsg("SBat start:\t\t%d\n", hdr->sbat_start);
cli_dbgmsg("SBat block count:\t%d\n", hdr->sbat_block_count);
cli_dbgmsg("XBat start:\t\t%d\n", hdr->xbat_start);
ole2: fixed debugging messages in printing ole2 header
2014-12-12 16:50:16 -05:00
cli_dbgmsg("XBat block count:\t%d\n", hdr->xbat_count);
cli_dbgmsg("\n");
Retab for sanity
2013-11-25 21:48:18 +00:00
return;
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
static bool ole2_read_block(ole2_header_t *hdr, void *buff, size_t size, int32_t blockno)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
size_t offset, offend;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
const void *pblock;
Retab for sanity
2013-11-25 21:48:18 +00:00
if (blockno < 0) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
/* other methods: (blockno+1) * 512 or (blockno * block_size) + 512; */
Formatting touch-up
2020-01-03 15:53:29 -05:00
if (((uint64_t)blockno << hdr->log2_big_block_size) < (INT32_MAX - MAX(512, (uint64_t)1 << hdr->log2_big_block_size))) {
/* 512 is header size */
offset = (blockno << hdr->log2_big_block_size) + MAX(512, 1 << hdr->log2_big_block_size);
fuzz - 12528 - fixing left shift issue with OLE2 and utf16 to ascii decoding
2019-02-19 13:12:09 -05:00
offend = offset + size;
} else {
offset = INT32_MAX - size;
offend = INT32_MAX;
}
Retab for sanity
2013-11-25 21:48:18 +00:00
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
if ((offend == 0) || (offset >= hdr->m_length)) {
return false;
bb#11369 - allow for partial last block in ole2 ole2: general debugging and comment clean-up
2015-08-12 16:04:42 -04:00
} else if (offend > hdr->m_length) {
/* bb#11369 - ole2 files may not be a block multiple in size */
minor changes for solaris compatibility
2015-08-21 12:49:08 -04:00
memset(buff, 0, size);
bb#11369 - allow for partial last block in ole2 ole2: general debugging and comment clean-up
2015-08-12 16:04:42 -04:00
size = hdr->m_length - offset;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (!(pblock = fmap_need_off_once(hdr->map, offset, size))) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
memcpy(buff, pblock, size);
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return true;
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
static int32_t
ole2_get_next_bat_block(ole2_header_t *hdr, int32_t current_block)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int32_t bat_array_index;
uint32_t bat[128];
Retab for sanity
2013-11-25 21:48:18 +00:00
if (current_block < 0) {
return -1;
}
bat_array_index = current_block / 128;
if (bat_array_index > hdr->bat_count) {
cli_dbgmsg("bat_array index error\n");
return -10;
}
if (!ole2_read_block(hdr, &bat, 512,
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ole2_endian_convert_32(hdr->bat_array[bat_array_index]))) {
Retab for sanity
2013-11-25 21:48:18 +00:00
return -1;
}
return ole2_endian_convert_32(bat[current_block - (bat_array_index * 128)]);
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
static int32_t
ole2_get_next_xbat_block(ole2_header_t *hdr, int32_t current_block)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int32_t xbat_index, xbat_block_index, bat_index, bat_blockno;
uint32_t xbat[128], bat[128];
Retab for sanity
2013-11-25 21:48:18 +00:00
if (current_block < 0) {
return -1;
}
xbat_index = current_block / 128;
/*
* NB: The last entry in each XBAT points to the next XBAT block.
* This reduces the number of entries in each block by 1.
*/
xbat_block_index = (xbat_index - 109) / 127;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
bat_blockno = (xbat_index - 109) % 127;
Retab for sanity
2013-11-25 21:48:18 +00:00
bat_index = current_block % 128;
if (!ole2_read_block(hdr, &xbat, 512, hdr->xbat_start)) {
return -1;
}
/* Follow the chain of XBAT blocks */
while (xbat_block_index > 0) {
if (!ole2_read_block(hdr, &xbat, 512,
ole2_endian_convert_32(xbat[127]))) {
return -1;
}
xbat_block_index--;
}
if (!ole2_read_block(hdr, &bat, 512, ole2_endian_convert_32(xbat[bat_blockno]))) {
return -1;
}
return ole2_endian_convert_32(bat[bat_index]);
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
static int32_t
ole2_get_next_block_number(ole2_header_t *hdr, int32_t current_block)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
Retab for sanity
2013-11-25 21:48:18 +00:00
if (current_block < 0) {
return -1;
}
if ((current_block / 128) > 108) {
return ole2_get_next_xbat_block(hdr, current_block);
} else {
return ole2_get_next_bat_block(hdr, current_block);
}
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
static int32_t
ole2_get_next_sbat_block(ole2_header_t *hdr, int32_t current_block)
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int32_t iter, current_bat_block;
uint32_t sbat[128];
Retab for sanity
2013-11-25 21:48:18 +00:00
if (current_block < 0) {
return -1;
}
current_bat_block = hdr->sbat_start;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
iter = current_block / 128;
Retab for sanity
2013-11-25 21:48:18 +00:00
while (iter > 0) {
current_bat_block = ole2_get_next_block_number(hdr, current_bat_block);
iter--;
}
if (!ole2_read_block(hdr, &sbat, 512, current_bat_block)) {
return -1;
}
return ole2_endian_convert_32(sbat[current_block % 128]);
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
}
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
/* Retrieve the block containing the data for the given sbat index */
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
static bool ole2_get_sbat_data_block(ole2_header_t *hdr, void *buff, int32_t sbat_index)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int32_t block_count, current_block;
Retab for sanity
2013-11-25 21:48:18 +00:00
if (sbat_index < 0) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (hdr->sbat_root_start < 0) {
cli_dbgmsg("No root start block\n");
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
block_count = sbat_index / (1 << (hdr->log2_big_block_size - hdr->log2_small_block_size));
Retab for sanity
2013-11-25 21:48:18 +00:00
current_block = hdr->sbat_root_start;
while (block_count > 0) {
current_block = ole2_get_next_block_number(hdr, current_block);
block_count--;
}
/*
* current_block now contains the block number of the sbat array
* containing the entry for the required small block
*/
return (ole2_read_block(hdr, buff, 1 << hdr->log2_big_block_size, current_block));
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
/**
* @brief File handler for use when walking ole2 property trees.
*
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
* @param hdr The ole2 header metadata
* @param prop The property
* @param dir (optional) directory to write temp files to.
* @param ctx The scan context
* @param ole2_data (optional) Context needed by the handler
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
* @return cl_error_t
*/
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
typedef cl_error_t ole2_walk_property_tree_file_handler(ole2_header_t *hdr,
property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx);
static cl_error_t handler_writefile(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx);
static cl_error_t handler_enum(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx);
static cl_error_t handler_otf_encrypted(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx);
static cl_error_t handler_otf(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
/**
* @brief Walk an ole2 property tree, calling the handler for each file found
*
Inline doxygen documentation fixup Fixup input output params to be anotated with [in,out], not [in/out]. Note: skipped some other incorrectly annodated [out] params that are already staged to be fixed in a different PR.
2021-07-14 15:33:52 -07:00
* @param hdr The ole2 header metadata (an ole2-specific context struct)
* @param dir (optional) directory to write temp files to, passed to the handler.
* @param prop_index Index of the property being walked, to be recorded with a pointer to the root node in an ole2 node list.
* @param handler The file handler to call when a file is found.
* @param rec_level The recursion level. Max is 100.
* @param[in,out] file_count A running count of the total # of files. Max is 100000.
* @param ctx The scan context
* @param[in,out] scansize A running sum of the file sizes processed.
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
* @return int
*/
static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t prop_index,
ole2_walk_property_tree_file_handler handler,
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
unsigned int rec_level, unsigned int *file_count,
cli_ctx *ctx, unsigned long *scansize, void *handler_ctx)
maintain internal OLE2 directory structure when unpacking OLE2 archive files (not yet activated) git-svn: trunk@506
2004-04-19 12:41:03 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
property_t prop_block[4];
int32_t idx, current_block, i, curindex;
char *dirname;
ole2_list_t node_list;
OLE2: Remove allmatch checks + minor code cleanup
2022-08-23 16:31:22 -07:00
cl_error_t ret;
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
#if HAVE_JSON
Fix a few more compiler warnings
2014-07-11 09:42:42 -04:00
char *name;
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
int toval = 0;
#endif
* libclamav/ole2_extract.c: Fix Solaris endian issue. (bb#89) * libclamav/unrar/unrar.c: Fix FD leak in error path (bb#133, thanks acab) git-svn: trunk@2504
2006-11-14 13:52:39 +00:00
Retab for sanity
2013-11-25 21:48:18 +00:00
ole2_listmsg("ole2_walk_property_tree() called\n");
ole2_list_init(&node_list);
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
Retab for sanity
2013-11-25 21:48:18 +00:00
ole2_listmsg("rec_level: %d\n", rec_level);
ole2_listmsg("file_count: %d\n", *file_count);
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
Retab for sanity
2013-11-25 21:48:18 +00:00
if ((rec_level > 100) || (*file_count > 100000)) {
return CL_SUCCESS;
}
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
if (ctx && ctx->engine->max_recursion_level && (rec_level > ctx->engine->max_recursion_level)) {
// Note: engine->max_recursion_level is re-purposed here out of convenience.
// ole2 recursion does not leverage the ctx->recursion_stack stack.
cli_dbgmsg("OLE2: Recursion limit reached (max: %d)\n", ctx->engine->max_recursion_level);
Strong indicator precedence over PUA / Heuristic detections Signatures that start with "PUA.", "Heuristics.", or "BC.Heuristics." are perceived to be less serious, or more likely to have false positives, than other signatures that we would think of us as "strong indicators". At present, only a subset of "Heuristics." signatures, such as those added by the phishing module, are added as "potentially unwanted". Unless you're using heuristic-precedence mode, these "potentially unwanted" indicators are recorded but not reported unless no other signature alerts. This behavior should apply to all signatures that start with "PUA." and "Heuristics.". We already do a string match comparison on the signature name to apply that behavior to bytecode matches that start with "BC.Heuristics.". I moved that string comparison logic used for "BC.Heuristics." into the main `cl_append_virus()` function and extended it to cover the other two cases. I also replaced all hardcoded calls to append "Heuristics." signatures to append using the `cli_append_potentially_unwanted()` function, so we can skip the string compare in these cases. That function will of course append them as strong indicators if heuristic-precedence mode is enabled.
2022-08-19 16:21:42 -07:00
cli_append_potentially_unwanted_if_heur_exceedsmax(ctx, "Heuristics.Limits.Exceeded.MaxRecursion");
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
return CL_EMAXREC;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
Add explicit log level parameter to application logging API * Added loglevel parameter to logg() * Fix logg and mprintf internals with new loglevels * Update all logg calls to set loglevel * Update all mprintf calls to set loglevel * Fix hidden logg calls * Executed clam-format
2022-02-16 00:13:55 +01:00
// push the 'root' node for the level onto the local list
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((ret = ole2_list_push(&node_list, prop_index)) != CL_SUCCESS) {
added wrappers to ole2_list_push() to handle returned value
2013-11-26 11:26:11 -05:00
ole2_list_delete(&node_list);
return ret;
}
Retab for sanity
2013-11-25 21:48:18 +00:00
while (!ole2_list_is_empty(&node_list)) {
ole2_listmsg("within working loop, worklist size: %d\n", ole2_list_size(&node_list));
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
#if HAVE_JSON
if (cli_json_timeout_cycle_check(ctx, &toval) != CL_SUCCESS) {
ole2_list_delete(&node_list);
return CL_ETIMEOUT;
}
#endif
Retab for sanity
2013-11-25 21:48:18 +00:00
current_block = hdr->prop_start;
Add explicit log level parameter to application logging API * Added loglevel parameter to logg() * Fix logg and mprintf internals with new loglevels * Update all logg calls to set loglevel * Update all mprintf calls to set loglevel * Fix hidden logg calls * Executed clam-format
2022-02-16 00:13:55 +01:00
// pop off a node to work on
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
curindex = ole2_list_pop(&node_list);
Retab for sanity
2013-11-25 21:48:18 +00:00
ole2_listmsg("current index: %d\n", curindex);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((curindex < 0) || (curindex > (int32_t)hdr->max_block_no)) {
Retab for sanity
2013-11-25 21:48:18 +00:00
continue;
}
Add explicit log level parameter to application logging API * Added loglevel parameter to logg() * Fix logg and mprintf internals with new loglevels * Update all logg calls to set loglevel * Update all mprintf calls to set loglevel * Fix hidden logg calls * Executed clam-format
2022-02-16 00:13:55 +01:00
// read in the sector referenced by the current index
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
idx = curindex / 4;
Retab for sanity
2013-11-25 21:48:18 +00:00
for (i = 0; i < idx; i++) {
current_block = ole2_get_next_block_number(hdr, current_block);
if (current_block < 0) {
allowed continued ole2 tree transversal when a non-fatal error occurred
2013-11-27 13:42:08 -05:00
continue;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
idx = curindex % 4;
if (!ole2_read_block(hdr, prop_block, 512, current_block)) {
allowed continued ole2 tree transversal when a non-fatal error occurred
2013-11-27 13:42:08 -05:00
continue;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (prop_block[idx].type <= 0) {
allowed continued ole2 tree transversal when a non-fatal error occurred
2013-11-27 13:42:08 -05:00
continue;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
ole2_listmsg("reading prop block\n");
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
prop_block[idx].name_size = ole2_endian_convert_16(prop_block[idx].name_size);
prop_block[idx].prev = ole2_endian_convert_32(prop_block[idx].prev);
prop_block[idx].next = ole2_endian_convert_32(prop_block[idx].next);
prop_block[idx].child = ole2_endian_convert_32(prop_block[idx].child);
prop_block[idx].user_flags = ole2_endian_convert_32(prop_block[idx].user_flags);
prop_block[idx].create_lowdate = ole2_endian_convert_32(prop_block[idx].create_lowdate);
Retab for sanity
2013-11-25 21:48:18 +00:00
prop_block[idx].create_highdate = ole2_endian_convert_32(prop_block[idx].create_highdate);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
prop_block[idx].mod_lowdate = ole2_endian_convert_32(prop_block[idx].mod_lowdate);
prop_block[idx].mod_highdate = ole2_endian_convert_32(prop_block[idx].mod_highdate);
prop_block[idx].start_block = ole2_endian_convert_32(prop_block[idx].start_block);
prop_block[idx].size = ole2_endian_convert_32(prop_block[idx].size);
Retab for sanity
2013-11-25 21:48:18 +00:00
ole2_listmsg("printing ole2 property\n");
if (dir)
print_ole2_property(&prop_block[idx]);
ole2_listmsg("checking bitset\n");
/* Check we aren't in a loop */
if (cli_bitset_test(hdr->bitset, (unsigned long)curindex)) {
/* Loop in property tree detected */
cli_dbgmsg("OLE2: Property tree loop detected at index %d\n", curindex);
ole2_list_delete(&node_list);
return CL_BREAK;
}
ole2_listmsg("setting bitset\n");
if (!cli_bitset_set(hdr->bitset, (unsigned long)curindex)) {
allowed continued ole2 tree transversal when a non-fatal error occurred
2013-11-27 13:42:08 -05:00
continue;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
ole2_listmsg("prev: %d next %d child %d\n", prop_block[idx].prev, prop_block[idx].next, prop_block[idx].child);
ole2_listmsg("node type: %d\n", prop_block[idx].type);
switch (prop_block[idx].type) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
case 5: /* Root Entry */
ole2_listmsg("root node\n");
if ((curindex != 0) || (rec_level != 0) ||
Retab for sanity
2013-11-25 21:48:18 +00:00
(*file_count != 0)) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
/* Can only have RootEntry as the top */
cli_dbgmsg("ERROR: illegal Root Entry\n");
continue;
}
hdr->sbat_root_start = prop_block[idx].start_block;
if ((int)(prop_block[idx].child) != -1) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
ret = ole2_walk_property_tree(hdr, dir, prop_block[idx].child, handler, rec_level + 1, file_count, ctx, scansize, handler_ctx);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ret != CL_SUCCESS) {
OLE2: Remove allmatch checks + minor code cleanup
2022-08-23 16:31:22 -07:00
ole2_list_delete(&node_list);
return ret;
bb#9598 - fixed allmatch option within the ole2 tree walking to find all matches
2013-12-02 15:40:22 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
}
if ((int)(prop_block[idx].prev) != -1) {
if ((ret = ole2_list_push(&node_list, prop_block[idx].prev)) != CL_SUCCESS) {
bb#9598 - fixed allmatch option within the ole2 tree walking to find all matches
2013-12-02 15:40:22 -05:00
ole2_list_delete(&node_list);
return ret;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((int)(prop_block[idx].next) != -1) {
if ((ret = ole2_list_push(&node_list, prop_block[idx].next)) != CL_SUCCESS) {
bb#9598 - fixed allmatch option within the ole2 tree walking to find all matches
2013-12-02 15:40:22 -05:00
ole2_list_delete(&node_list);
return ret;
}
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
break;
case 2: /* File */
ole2_listmsg("file node\n");
Fix invalid zip & macho scan recursion If zip content is detected within a file by way of the embedded file type recognition scan (in `scanraw()`), a raw scan of that "ZIPSFX" will detect all subsequent zip entries as new ZIPSFX's. Though they aren't actually scanned later, it shows up in the metadata JSON. This commit prevents embedded file type detection for ZIPSFX like we already have for ZIP. Semi-related, the mach-o unibin parser presently allows scanning of FAT partitions anywhere in the fmap, to include the very beginning of the fmap. This would be an infinite loop, scanning the same file over and over again, were it not for the scan recursion limit. With the recursion limit, it's ok, but still bad behavior. This commit prevents scanning FAT files from the mach-o unibin parser where the offset is less than the end of the headers. Also fixed an unsigned integer comparison in the OLE2 parser that might overflow.
2021-06-17 11:30:23 -07:00
if (ctx && ctx->engine->maxfiles && ((*file_count > ctx->engine->maxfiles) || (ctx->scannedfiles > ctx->engine->maxfiles - *file_count))) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
cli_dbgmsg("OLE2: files limit reached (max: %u)\n", ctx->engine->maxfiles);
Strong indicator precedence over PUA / Heuristic detections Signatures that start with "PUA.", "Heuristics.", or "BC.Heuristics." are perceived to be less serious, or more likely to have false positives, than other signatures that we would think of us as "strong indicators". At present, only a subset of "Heuristics." signatures, such as those added by the phishing module, are added as "potentially unwanted". Unless you're using heuristic-precedence mode, these "potentially unwanted" indicators are recorded but not reported unless no other signature alerts. This behavior should apply to all signatures that start with "PUA." and "Heuristics.". We already do a string match comparison on the signature name to apply that behavior to bytecode matches that start with "BC.Heuristics.". I moved that string comparison logic used for "BC.Heuristics." into the main `cl_append_virus()` function and extended it to cover the other two cases. I also replaced all hardcoded calls to append "Heuristics." signatures to append using the `cli_append_potentially_unwanted()` function, so we can skip the string compare in these cases. That function will of course append them as strong indicators if heuristic-precedence mode is enabled.
2022-08-19 16:21:42 -07:00
cli_append_potentially_unwanted_if_heur_exceedsmax(ctx, "Heuristics.Limits.Exceeded.MaxFiles");
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ole2_list_delete(&node_list);
return CL_EMAXFILES;
}
if (!ctx || !(ctx->engine->maxfilesize) || prop_block[idx].size <= ctx->engine->maxfilesize || prop_block[idx].size <= *scansize) {
(*file_count)++;
*scansize -= prop_block[idx].size;
ole2_listmsg("running file handler\n");
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
ret = handler(hdr, &prop_block[idx], dir, ctx, handler_ctx);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ret != CL_SUCCESS) {
OLE2: Remove allmatch checks + minor code cleanup
2022-08-23 16:31:22 -07:00
ole2_listmsg("file handler returned %d\n", ret);
ole2_list_delete(&node_list);
return ret;
bb#9598 - fixed allmatch option within the ole2 tree walking to find all matches
2013-12-02 15:40:22 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else {
cli_dbgmsg("OLE2: filesize exceeded\n");
}
if ((int)(prop_block[idx].child) != -1) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
ret = ole2_walk_property_tree(hdr, dir, prop_block[idx].child, handler, rec_level, file_count, ctx, scansize, handler_ctx);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ret != CL_SUCCESS) {
OLE2: Remove allmatch checks + minor code cleanup
2022-08-23 16:31:22 -07:00
ole2_list_delete(&node_list);
return ret;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
}
}
if ((int)(prop_block[idx].prev) != -1) {
if ((ret = ole2_list_push(&node_list, prop_block[idx].prev)) != CL_SUCCESS) {
bb#9598 - fixed allmatch option within the ole2 tree walking to find all matches
2013-12-02 15:40:22 -05:00
ole2_list_delete(&node_list);
return ret;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((int)(prop_block[idx].next) != -1) {
if ((ret = ole2_list_push(&node_list, prop_block[idx].next)) != CL_SUCCESS) {
ole2_list_delete(&node_list);
return ret;
}
}
break;
case 1: /* Directory */
ole2_listmsg("directory node\n");
if (dir) {
ooxml: added detection of custom properties ooxml/ole2: added detection of digital signatures
2014-05-19 18:18:20 -04:00
#if HAVE_JSON
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) {
if (!json_object_object_get_ex(ctx->wrkproperty, "DigitalSignatures", NULL)) {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop_block[idx].name, prop_block[idx].name_size);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (name) {
if (!strcmp(name, "_xmlsignatures") || !strcmp(name, "_signatures")) {
cli_jsonbool(ctx->wrkproperty, "HasDigitalSignatures", 1);
}
free(name);
ole2: fixed a code path issue
2014-05-20 13:00:23 -04:00
}
ooxml: added detection of custom properties ooxml/ole2: added detection of digital signatures
2014-05-19 18:18:20 -04:00
}
}
#endif
Rename clamav memory allocation functions We have some special functions to wrap malloc, calloc, and realloc to make sure we don't allocate more than some limit, similar to the max-filesize and max-scansize limits. Our wrappers are really only needed when allocating memory for scans based on untrusted user input, where a scan file could have bytes that claim you need to allocate some ridiculous amount of memory. Right now they're named: - cli_malloc - cli_calloc - cli_realloc - cli_realloc2 ... and these names do not convey their purpose This commit renames them to: - cli_max_malloc - cli_max_calloc - cli_max_realloc - cli_max_realloc2 The realloc ones also have an additional feature in that they will not free your pointer if you try to realloc to 0 bytes. Freeing the memory is undefined by the C spec, and only done with some realloc implementations, so this stabilizes on the behavior of not doing that, which should prevent accidental double-free's. So for the case where you may want to realloc and do not need to have a maximum, this commit adds the following functions: - cli_safer_realloc - cli_safer_realloc2 These are used for the MPOOL_REALLOC and MPOOL_REALLOC2 macros when MPOOL is disabled (e.g. because mmap-support is not found), so as to match the behavior in the mpool_realloc/2 functions that do not make use of the allocation-limit.
2022-05-09 14:28:34 -07:00
dirname = (char *)cli_max_malloc(strlen(dir) + 8);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!dirname) {
ole2_listmsg("OLE2: malloc failed for dirname\n");
ole2_list_delete(&node_list);
return CL_EMEM;
}
snprintf(dirname, strlen(dir) + 8, "%s" PATHSEP "%.6d", dir, curindex);
if (mkdir(dirname, 0700) != 0) {
ole2_listmsg("OLE2: mkdir failed for directory %s\n", dirname);
free(dirname);
ole2_list_delete(&node_list);
return CL_BREAK;
}
cli_dbgmsg("OLE2 dir entry: %s\n", dirname);
} else
dirname = NULL;
if ((int)(prop_block[idx].child) != -1) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
ret = ole2_walk_property_tree(hdr, dirname, prop_block[idx].child, handler, rec_level + 1, file_count, ctx, scansize, handler_ctx);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (ret != CL_SUCCESS) {
OLE2: Remove allmatch checks + minor code cleanup
2022-08-23 16:31:22 -07:00
ole2_list_delete(&node_list);
if (dirname) {
free(dirname);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
}
OLE2: Remove allmatch checks + minor code cleanup
2022-08-23 16:31:22 -07:00
return ret;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
}
bb#9558: limited number of stack frames used in ole2 tree walking
2013-11-25 13:24:28 -05:00
}
fuzz - 12122 - Fix to memory leak by properly free'ing the dirname variable in OLE2 parser.
2019-01-22 13:15:25 -05:00
if (dirname) {
free(dirname);
dirname = NULL;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if ((int)(prop_block[idx].prev) != -1) {
if ((ret = ole2_list_push(&node_list, prop_block[idx].prev)) != CL_SUCCESS) {
ole2_list_delete(&node_list);
return ret;
bb#9598 - fixed allmatch option within the ole2 tree walking to find all matches
2013-12-02 15:40:22 -05:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
}
if ((int)(prop_block[idx].next) != -1) {
if ((ret = ole2_list_push(&node_list, prop_block[idx].next)) != CL_SUCCESS) {
bb#9598 - fixed allmatch option within the ole2 tree walking to find all matches
2013-12-02 15:40:22 -05:00
ole2_list_delete(&node_list);
return ret;
}
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
break;
default:
cli_dbgmsg("ERROR: unknown OLE2 entry type: %d\n", prop_block[idx].type);
break;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
ole2_listmsg("loop ended: %d %d\n", ole2_list_size(&node_list), ole2_list_is_empty(&node_list));
}
ole2_list_delete(&node_list);
OLE2: Remove allmatch checks + minor code cleanup
2022-08-23 16:31:22 -07:00
return CL_SUCCESS;
maintain internal OLE2 directory structure when unpacking OLE2 archive files (not yet activated) git-svn: trunk@506
2004-04-19 12:41:03 +00:00
}
fix for win32 build and style edits
2013-11-25 14:28:56 -05:00
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
/* Write file Handler - write the contents of the entry to a file */
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
static cl_error_t handler_writefile(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cl_error_t ret = CL_BREAK;
char newname[1024];
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
char *name = NULL;
unsigned char *buff = NULL;
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
int32_t current_block = 0;
size_t len = 0, offset = 0;
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
int ofd = -1;
char *hash = NULL;
bitset_t *blk_bitset = NULL;
uint32_t cnt = 0;
Retab for sanity
2013-11-25 21:48:18 +00:00
Silence some compiler warnings
2014-07-09 12:03:08 -04:00
UNUSEDPARAM(ctx);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
UNUSEDPARAM(handler_ctx);
Silence some compiler warnings
2014-07-09 12:03:08 -04:00
Retab for sanity
2013-11-25 21:48:18 +00:00
if (prop->type != 2) {
/* Not a file */
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_SUCCESS;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
if (prop->name_size > 64) {
cli_dbgmsg("OLE2 [handler_writefile]: property name too long: %d\n", prop->name_size);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_SUCCESS;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
fuzz - 12166 - Fix for 4-byte out of bounds write wherein the an invalid struct pointer member variable is set to zero. The fix adds bounds checking to the Uniq storage 'add' function as well as error code checks. Included a lot of new inline documentation.
2019-01-22 14:05:05 -05:00
if (name) {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
cli_dbgmsg("Storing %s in uniq\n", name);
fuzz - 12166 - Fix for 4-byte out of bounds write wherein the an invalid struct pointer member variable is set to zero. The fix adds bounds checking to the Uniq storage 'add' function as well as error code checks. Included a lot of new inline documentation.
2019-01-22 14:05:05 -05:00
if (CL_SUCCESS != uniq_add(hdr->U, name, strlen(name), &hash, &cnt)) {
cli_dbgmsg("OLE2 [handler_writefile]: too many property names added to uniq store.\n");
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
fuzz - 12166 - Fix for 4-byte out of bounds write wherein the an invalid struct pointer member variable is set to zero. The fix adds bounds checking to the Uniq storage 'add' function as well as error code checks. Included a lot of new inline documentation.
2019-01-22 14:05:05 -05:00
}
} else {
if (CL_SUCCESS != uniq_add(hdr->U, NULL, 0, &hash, &cnt)) {
cli_dbgmsg("OLE2 [handler_writefile]: too many property names added to uniq store.\n");
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
fuzz - 12166 - Fix for 4-byte out of bounds write wherein the an invalid struct pointer member variable is set to zero. The fix adds bounds checking to the Uniq storage 'add' function as well as error code checks. Included a lot of new inline documentation.
2019-01-22 14:05:05 -05:00
}
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
snprintf(newname, sizeof(newname), "%s" PATHSEP "%s_%u", dir, hash, cnt);
newname[sizeof(newname) - 1] = '\0';
cli_dbgmsg("OLE2 [handler_writefile]: Dumping '%s' to '%s'\n", name ? name : "<empty>", newname);
Change permission for new tmp files from RWX to RW
2020-03-30 20:42:44 -04:00
ofd = open(newname, O_WRONLY | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR);
Retab for sanity
2013-11-25 21:48:18 +00:00
if (ofd < 0) {
cli_errmsg("OLE2 [handler_writefile]: failed to create file: %s\n", newname);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_SUCCESS;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
current_block = prop->start_block;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
len = prop->size;
Retab for sanity
2013-11-25 21:48:18 +00:00
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_MALLOC_OR_GOTO_DONE(buff, 1 << hdr->log2_big_block_size,
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
cli_errmsg("OLE2 [handler_writefile]: Unable to allocate memory for buff: %u\n", 1 << hdr->log2_big_block_size);
ret = CL_EMEM);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
blk_bitset = cli_bitset_init();
if (!blk_bitset) {
cli_errmsg("OLE2 [handler_writefile]: init bitset failed\n");
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
while ((current_block >= 0) && (len > 0)) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (current_block > (int32_t)hdr->max_block_no) {
Retab for sanity
2013-11-25 21:48:18 +00:00
cli_dbgmsg("OLE2 [handler_writefile]: Max block number for file size exceeded: %d\n", current_block);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
break;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
/* Check we aren't in a loop */
if (cli_bitset_test(blk_bitset, (unsigned long)current_block)) {
/* Loop in block list */
cli_dbgmsg("OLE2 [handler_writefile]: Block list loop detected\n");
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
break;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
if (!cli_bitset_set(blk_bitset, (unsigned long)current_block)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
break;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (prop->size < (int64_t)hdr->sbat_cutoff) {
Retab for sanity
2013-11-25 21:48:18 +00:00
/* Small block file */
if (!ole2_get_sbat_data_block(hdr, buff, current_block)) {
cli_dbgmsg("OLE2 [handler_writefile]: ole2_get_sbat_data_block failed\n");
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
break;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
/* buff now contains the block with N small blocks in it */
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
offset = (((size_t)1) << hdr->log2_small_block_size) * (((size_t)current_block) % (((size_t)1) << (hdr->log2_big_block_size - hdr->log2_small_block_size)));
Retab for sanity
2013-11-25 21:48:18 +00:00
if (cli_writen(ofd, &buff[offset], MIN(len, 1 << hdr->log2_small_block_size)) != MIN(len, 1 << hdr->log2_small_block_size)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
len -= MIN(len, 1 << hdr->log2_small_block_size);
current_block = ole2_get_next_sbat_block(hdr, current_block);
} else {
/* Big block file */
if (!ole2_read_block(hdr, buff, 1 << hdr->log2_big_block_size, current_block)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
break;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
if (cli_writen(ofd, buff, MIN(len, (1 << hdr->log2_big_block_size))) != MIN(len, (1 << hdr->log2_big_block_size))) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_EWRITE;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
current_block = ole2_get_next_block_number(hdr, current_block);
len -= MIN(len, (1 << hdr->log2_big_block_size));
}
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
/*
* Unlike w/ handler_otf(), the ole2 summary JSON will be recorded
* when we re-ingest the files we wrote above when we scan the directory.
OLE2: doc summary, emb. ole10 scans skipped if XLM macro found Also resolved the following issue: If XLM (and now images) are found when parsing an ole2 files the following other embedded content may not be processed: - document summary metadata - embedded ole10 files - ole2 temp subdirectories (i.e. recursion) The logic to process the above ole2 extracted temp files was present in the function which processes extracted VBA. When we added support for extracting XLM macros, processing these other data was lost. Really, the above need to be processed if any temp files were saved. I fixed this by restructuring the features to extract any type of temp file into separate functions per type of temp file. I then wrappped those in an ole2 temp dir scanning function. OLE2 temp directory scanning is recursive if there are subdirectories.
2021-07-03 12:06:52 -07:00
* See cli_ole2_tempdir_scan_vba()
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
*/
ret = CL_SUCCESS;
done:
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(name);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (-1 != ofd) {
close(ofd);
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(buff);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (NULL != blk_bitset) {
cli_bitset_free(blk_bitset);
}
return ret;
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
}
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
enum biff_parser_states {
BIFF_PARSER_INITIAL,
BIFF_PARSER_EXPECTING_2ND_TAG_BYTE,
BIFF_PARSER_EXPECTING_1ST_LENGTH_BYTE,
BIFF_PARSER_EXPECTING_2ND_LENGTH_BYTE,
BIFF_PARSER_NAME_RECORD,
BIFF_PARSER_BOUNDSHEET_RECORD,
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
BIFF_PARSER_MSODRAWINGGROUP_RECORD,
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
BIFF_PARSER_DATA,
};
struct biff_parser_state {
enum biff_parser_states state;
uint16_t opcode;
uint16_t length;
uint16_t data_offset;
uint8_t tmp;
};
/**
* Scan through a buffer of BIFF records and find PARSERNAME, BOUNDSHEET records (Which indicate XLM macros).
* BIFF streams follow the format OOLLDDDDDDDDD..., where OO is the opcode (little endian 16 bit value),
Update copyright dates for 2021 Also fixes up clang-format.
2021-03-19 15:12:26 -07:00
* LL is the data length (little endian 16 bit value), followed by LL bytes of data. Records are defined in
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
* the MICROSOFT OFFICE EXCEL 97-2007 BINARY FILE FORMAT SPECIFICATION.
*
* \param state The parser state.
* \param buff The buffer.
* \param len The buffer's size in bytes.
* \param ctx The ClamAV context for emitting JSON about the document.
* \returns true if a macro has been found, false otherwise.
*/
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
static cl_error_t scan_biff_for_xlm_macros_and_images(
struct biff_parser_state *state,
unsigned char *buff,
size_t len,
cli_ctx *ctx,
bool *found_macro,
bool *found_image)
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
{
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cl_error_t status = CL_EFORMAT;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
size_t i;
for (i = 0; i < len; ++i) {
switch (state->state) {
case BIFF_PARSER_INITIAL:
state->opcode = buff[i];
state->state = BIFF_PARSER_EXPECTING_2ND_TAG_BYTE;
break;
case BIFF_PARSER_EXPECTING_2ND_TAG_BYTE:
state->opcode |= buff[i] << 8;
state->state = BIFF_PARSER_EXPECTING_1ST_LENGTH_BYTE;
break;
case BIFF_PARSER_EXPECTING_1ST_LENGTH_BYTE:
state->length = buff[i];
state->state = BIFF_PARSER_EXPECTING_2ND_LENGTH_BYTE;
break;
case BIFF_PARSER_EXPECTING_2ND_LENGTH_BYTE:
state->length |= buff[i] << 8;
state->data_offset = 0;
switch (state->opcode) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
case OPC_BOUNDSHEET:
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
state->state = BIFF_PARSER_BOUNDSHEET_RECORD;
break;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
case OPC_NAME:
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
state->state = BIFF_PARSER_NAME_RECORD;
break;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
case OPC_MSODRAWINGGROUP:
state->state = BIFF_PARSER_MSODRAWINGGROUP_RECORD;
break;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
default:
state->state = BIFF_PARSER_DATA;
break;
}
if (state->length == 0) {
state->state = BIFF_PARSER_INITIAL;
}
break;
default:
switch (state->state) {
case BIFF_PARSER_NAME_RECORD:
Fix Excel XLM formula parser infinite loop The XLM formula parser failed to account for string records that claim to be longer than the formula data. This fix skips over the invalid string records. Also fixed an unrelated XLM parsing bug where BIFF name records weren't handled on builds lacking the json-c library, resulting in verbose error output. See https://bugzilla.clamav.net/show_bug.cgi?id=12639
2021-04-06 10:02:59 -07:00
#if HAVE_JSON
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
if (state->data_offset == 0) {
state->tmp = buff[i] & 0x20;
} else if ((state->data_offset == 14 || state->data_offset == 15) && state->tmp) {
if (buff[i] == 1 || buff[i] == 2) {
if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) {
json_object *indicators = cli_jsonarray(ctx->wrkproperty, "MacroIndicators");
if (indicators) {
cli_jsonstr(indicators, NULL, "autorun");
} else {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("[scan_biff_for_xlm_macros_and_images] Failed to add \"autorun\" entry to MacroIndicators JSON array\n");
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
}
}
}
if (buff[i] != 0) {
state->tmp = 0;
}
}
#endif
Fix Excel XLM formula parser infinite loop The XLM formula parser failed to account for string records that claim to be longer than the formula data. This fix skips over the invalid string records. Also fixed an unrelated XLM parsing bug where BIFF name records weren't handled on builds lacking the json-c library, resulting in verbose error output. See https://bugzilla.clamav.net/show_bug.cgi?id=12639
2021-04-06 10:02:59 -07:00
break;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
case BIFF_PARSER_BOUNDSHEET_RECORD:
if (state->data_offset == 4) {
state->tmp = buff[i];
Add explicit log level parameter to application logging API * Added loglevel parameter to logg() * Fix logg and mprintf internals with new loglevels * Update all logg calls to set loglevel * Update all mprintf calls to set loglevel * Fix hidden logg calls * Executed clam-format
2022-02-16 00:13:55 +01:00
} else if (state->data_offset == 5 && buff[i] == 1) { // Excel 4.0 macro sheet
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("[scan_biff_for_xlm_macros_and_images] Found XLM macro sheet\n");
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
#if HAVE_JSON
if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) {
cli_jsonbool(ctx->wrkproperty, "HasMacros", 1);
json_object *macro_languages = cli_jsonarray(ctx->wrkproperty, "MacroLanguages");
if (macro_languages) {
cli_jsonstr(macro_languages, NULL, "XLM");
} else {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("[scan_biff_for_xlm_macros_and_images] Failed to add \"XLM\" entry to MacroLanguages JSON array\n");
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
}
if (state->tmp == 1 || state->tmp == 2) {
json_object *indicators = cli_jsonarray(ctx->wrkproperty, "MacroIndicators");
if (indicators) {
cli_jsonstr(indicators, NULL, "hidden");
} else {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("[scan_biff_for_xlm_macros_and_images] Failed to add \"hidden\" entry to MacroIndicators JSON array\n");
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
}
}
}
#endif
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
*found_macro = true;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
}
break;
case BIFF_PARSER_DATA:
break;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
case BIFF_PARSER_MSODRAWINGGROUP_RECORD:
// Embedded image found
if (true != *found_image) {
*found_image = true;
cli_dbgmsg("[scan_biff_for_xlm_macros_and_images] Found image in sheet\n");
}
break;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
default:
Add explicit log level parameter to application logging API * Added loglevel parameter to logg() * Fix logg and mprintf internals with new loglevels * Update all logg calls to set loglevel * Update all mprintf calls to set loglevel * Fix hidden logg calls * Executed clam-format
2022-02-16 00:13:55 +01:00
// Should never arrive here
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("[scan_biff_for_xlm_macros_and_images] Unexpected state value %d\n", (int)state->state);
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
break;
}
state->data_offset += 1;
if (state->data_offset >= state->length) {
state->state = BIFF_PARSER_INITIAL;
}
}
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
status = CL_SUCCESS;
return status;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
}
/**
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
* @brief Scan for XLM (Excel 4.0) macro sheets and images in an OLE2 Workbook stream.
*
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
* The stream should be encoded with <= BIFF8.
Fix typos (no functional changes)
2023-11-26 15:01:19 -08:00
* The found_macro and found_image out-params should be checked even if an error occurred.
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
*
* @param hdr
* @param prop
* @param ctx
* @param found_macro [out] If any macros were found
* @param found_image [out] If any images were found
* @return cl_error_t CL_EPARSE if an error was encountered
* @return cl_error_t CL_EMEM if a memory issue was encountered.
* @return cl_error_t CL_SUCCESS if no errors were encountered.
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
*/
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
static cl_error_t scan_for_xlm_macros_and_images(ole2_header_t *hdr, property_t *prop, cli_ctx *ctx, bool *found_macro, bool *found_image)
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
{
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
cl_error_t status = CL_EPARSE;
unsigned char *buff = NULL;
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
int32_t current_block = 0;
size_t len = 0, offset = 0;
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
bitset_t *blk_bitset = NULL;
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
struct biff_parser_state state = {0};
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
if (prop->type != 2) {
/* Not a file */
goto done;
}
Initialize the whole biff_parser_state struct to 0, to avoid uninitialized value warnings.
2021-07-21 13:55:15 -07:00
memset(&state, 0, sizeof(state));
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
state.state = BIFF_PARSER_INITIAL;
current_block = prop->start_block;
len = prop->size;
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_MALLOC_OR_GOTO_DONE(buff, 1 << hdr->log2_big_block_size,
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
cli_errmsg("OLE2 [scan_for_xlm_macros_and_images]: Unable to allocate memory for buff: %u\n", 1 << hdr->log2_big_block_size);
status = CL_EMEM);
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
blk_bitset = cli_bitset_init();
if (!blk_bitset) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_errmsg("OLE2 [scan_for_xlm_macros_and_images]: init bitset failed\n");
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
goto done;
}
while ((current_block >= 0) && (len > 0)) {
if (current_block > (int32_t)hdr->max_block_no) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("OLE2 [scan_for_xlm_macros_and_images]: Max block number for file size exceeded: %d\n", current_block);
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
goto done;
}
/* Check we aren't in a loop */
if (cli_bitset_test(blk_bitset, (unsigned long)current_block)) {
/* Loop in block list */
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("OLE2 [scan_for_xlm_macros_and_images]: Block list loop detected\n");
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
goto done;
}
if (!cli_bitset_set(blk_bitset, (unsigned long)current_block)) {
goto done;
}
if (prop->size < (int64_t)hdr->sbat_cutoff) {
/* Small block file */
if (!ole2_get_sbat_data_block(hdr, buff, current_block)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("OLE2 [scan_for_xlm_macros_and_images]: ole2_get_sbat_data_block failed\n");
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
goto done;
}
/* buff now contains the block with N small blocks in it */
offset = (1 << hdr->log2_small_block_size) * (current_block % (1 << (hdr->log2_big_block_size - hdr->log2_small_block_size)));
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
(void)scan_biff_for_xlm_macros_and_images(&state, &buff[offset], MIN(len, 1 << hdr->log2_small_block_size), ctx, found_macro, found_image);
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
len -= MIN(len, 1 << hdr->log2_small_block_size);
current_block = ole2_get_next_sbat_block(hdr, current_block);
} else {
/* Big block file */
if (!ole2_read_block(hdr, buff, 1 << hdr->log2_big_block_size, current_block)) {
goto done;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
(void)scan_biff_for_xlm_macros_and_images(&state, buff, MIN(len, (1 << hdr->log2_big_block_size)), ctx, found_macro, found_image);
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
current_block = ole2_get_next_block_number(hdr, current_block);
len -= MIN(len, (1 << hdr->log2_big_block_size));
}
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
status = CL_SUCCESS;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
done:
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(buff);
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
if (blk_bitset) {
cli_bitset_free(blk_bitset);
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
return status;
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
/**
* @brief enum file Handler - checks for VBA presence
*
* @param hdr
* @param prop
* @param dir
* @param ctx the scan context
* @return cl_error_t
*/
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
static cl_error_t handler_enum(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx)
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
{
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
cl_error_t status = CL_EREAD;
char *name = NULL;
unsigned char *hwp_check = NULL;
int32_t offset = 0;
ole2: fixed issue with multi-propset streams ole2: json output now includes array of stream names doc/xls/ppt: reclassify file based on stream and not SummaryInfo
2014-04-28 17:01:57 -04:00
#if HAVE_JSON
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
json_object *arrobj = NULL;
json_object *strmobj = NULL;
ole2: fixed issue with multi-propset streams ole2: json output now includes array of stream names doc/xls/ppt: reclassify file based on stream and not SummaryInfo
2014-04-28 17:01:57 -04:00
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
UNUSEDPARAM(handler_ctx);
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
ole2/ooxml: fixed various build issues with libjson disabled ole2: cleaned up macro usage
2014-05-19 16:45:52 -04:00
if (name) {
Restructured scan options flags from a single bitflag field to a structure containing multiple bitflag fields. This also required adding a new function to the bytecode API to get scan options a la carte, and modifying the existing function to hand back scan options in the old/deprecated uint32_t bitflag format. Re-generated bytecode iface header files. Updated libclamav documentation detailing new scan options structure. Renamed references to 'algorithmic' detection to 'heuristic' detection. Renaming references to 'properties' to 'collect metadata'. Renamed references to 'scan all' to 'scan all match'. Renamed a couple of 'Hueristic.*' signature names as 'Heuristics.*' signatures (plural) to match majority of other heuristics.
2018-07-20 22:28:48 -04:00
if (SCAN_COLLECT_METADATA && ctx->wrkproperty != NULL) {
ole2/ooxml: various changes and fixes to json parsing
2014-06-25 15:55:46 -04:00
arrobj = cli_jsonarray(ctx->wrkproperty, "Streams");
if (NULL == arrobj) {
cli_warnmsg("ole2: no memory for streams list or streams is not an array\n");
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} else {
ole2/ooxml: various changes and fixes to json parsing
2014-06-25 15:55:46 -04:00
strmobj = json_object_new_string(name);
json_object_array_add(arrobj, strmobj);
}
ole2/ooxml: fixed various build issues with libjson disabled ole2: cleaned up macro usage
2014-05-19 16:45:52 -04:00
if (!strcmp(name, "powerpoint document")) {
cli_jsonstr(ctx->wrkproperty, "FileType", "CL_TYPE_MSPPT");
}
if (!strcmp(name, "worddocument")) {
ole2: modify reclass names to match existing filetypes
2014-05-23 12:37:50 -04:00
cli_jsonstr(ctx->wrkproperty, "FileType", "CL_TYPE_MSWORD");
ole2/ooxml: fixed various build issues with libjson disabled ole2: cleaned up macro usage
2014-05-19 16:45:52 -04:00
}
if (!strcmp(name, "workbook")) {
ole2: modify reclass names to match existing filetypes
2014-05-23 12:37:50 -04:00
cli_jsonstr(ctx->wrkproperty, "FileType", "CL_TYPE_MSXL");
ole2/ooxml: fixed various build issues with libjson disabled ole2: cleaned up macro usage
2014-05-19 16:45:52 -04:00
}
ole2: fixed issue with multi-propset streams ole2: json output now includes array of stream names doc/xls/ppt: reclassify file based on stream and not SummaryInfo
2014-04-28 17:01:57 -04:00
}
ooxml/ole2: code review changes
2014-07-01 13:21:44 -04:00
}
Fix a few more compiler warnings
2014-07-11 09:42:42 -04:00
#else
UNUSEDPARAM(ctx);
ooxml/ole2: code review changes
2014-07-01 13:21:44 -04:00
#endif
Fix a few more compiler warnings
2014-07-11 09:42:42 -04:00
UNUSEDPARAM(dir);
ooxml/ole2: code review changes
2014-07-01 13:21:44 -04:00
if (!hdr->has_vba) {
if (!name)
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
ooxml/ole2: code review changes
2014-07-01 13:21:44 -04:00
if (name) {
Retab for sanity
2013-11-25 21:48:18 +00:00
if (!strcmp(name, "_vba_project") || !strcmp(name, "powerpoint document") || !strcmp(name, "worddocument") || !strcmp(name, "_1_ole10native"))
hdr->has_vba = 1;
}
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
}
ole2: fixed issue with str management
2014-04-28 18:28:27 -04:00
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
/*
* if we can find a root entry fileheader, it may be a HWP file
* identify the HWP signature "HWP Document File" at offset 0 stream
*/
if (!hdr->is_hwp) {
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
if (!name) {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
}
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
if (name) {
if (!strcmp(name, "fileheader")) {
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_CALLOC_OR_GOTO_DONE(hwp_check, 1, 1 << hdr->log2_big_block_size, status = CL_EMEM);
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
/* reading safety checks; do-while used for breaks */
do {
minor commit, removing checks against unsigned integers being less than zero, also testing pre-commit hook
2017-08-10 10:39:53 -04:00
if (prop->size == 0)
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
break;
eliminating warnings, mostly with regards to signed vs unsigned comparisons, some of which could have been functional bugs if negative values were used (for offsets, etc). cleaned up a couple of macros and cleaned up some ifdefs.
2017-08-15 16:50:01 -04:00
if (prop->start_block > hdr->max_block_no)
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
break;
/* read the header block (~256 bytes) */
offset = 0;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (prop->size < (int64_t)hdr->sbat_cutoff) {
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
if (!ole2_get_sbat_data_block(hdr, hwp_check, prop->start_block)) {
break;
}
offset = (1 << hdr->log2_small_block_size) *
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
(prop->start_block % (1 << (hdr->log2_big_block_size - hdr->log2_small_block_size)));
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
/* reading safety */
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
if (offset + 40 >= 1 << hdr->log2_big_block_size)
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
break;
} else {
if (!ole2_read_block(hdr, hwp_check, 1 << hdr->log2_big_block_size, prop->start_block)) {
break;
}
}
/* compare against HWP signature; we could add the 15 padding NULLs too */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (!memcmp(hwp_check + offset, "HWP Document File", 17)) {
add HWP5 filetype tracking to preclassification
2015-12-09 11:43:35 -05:00
hwp5_header_t *hwp_new;
#if HAVE_JSON
cli_jsonstr(ctx->wrkproperty, "FileType", "CL_TYPE_HWP5");
#endif
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_CALLOC_OR_GOTO_DONE(hwp_new, 1, sizeof(hwp5_header_t), status = CL_EMEM);
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
HWP: remove unused signature field from JSON We don't actually use the Signature (magic bytes) field, which is pre-verified anyways when checking if the document is HWP.
2021-08-13 10:15:15 -07:00
/*
* Copy the header information into our header struct.
*/
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
memcpy(hwp_new, hwp_check + offset, sizeof(hwp5_header_t));
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
hwp_new->version = ole2_endian_convert_32(hwp_new->version);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
hwp_new->flags = ole2_endian_convert_32(hwp_new->flags);
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
hdr->is_hwp = hwp_new;
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} while (0);
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
}
}
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
/* If we've already found a macro and an image, we can skip this initial check.
This scan step is to save a little time so we don't have to fully parse it
later if never find anything.. */
if (!hdr->has_xlm || !hdr->has_image) {
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
if (!name) {
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
}
if (name && (strcmp(name, "workbook") == 0 || strcmp(name, "book") == 0)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
(void)scan_for_xlm_macros_and_images(hdr, prop, ctx, &hdr->has_xlm, &hdr->has_image);
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
}
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
status = CL_SUCCESS;
done:
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(name);
CLI_FREE_AND_SET_NULL(hwp_check);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
return status;
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
}
ole2: added method for checking MSO and branching to MSO scanner
2015-04-22 05:26:57 -04:00
static int
likely_mso_stream(int fd)
{
off_t fsize;
unsigned char check[2];
fsize = lseek(fd, 0, SEEK_END);
if (fsize == -1) {
cli_dbgmsg("likely_mso_stream: call to lseek() failed\n");
return 0;
} else if (fsize < 6) {
return 0;
}
if (lseek(fd, 4, SEEK_SET) == -1) {
cli_dbgmsg("likely_mso_stream: call to lseek() failed\n");
return 0;
}
if (cli_readn(fd, check, 2) != 2) {
cli_dbgmsg("likely_mso_stream: reading from fd failed\n");
return 0;
}
if (check[0] == 0x78 && check[1] == 0x9C)
return 1;
return 0;
}
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
static cl_error_t scan_mso_stream(int fd, cli_ctx *ctx)
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
{
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
int zret, ofd;
cl_error_t ret = CL_SUCCESS;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
fmap_t *input;
off_t off_in = 0;
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
size_t count, outsize = 0;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
z_stream zstrm;
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
char *tmpname;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
uint32_t prefix;
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
unsigned char inbuf[FILEBUFF], outbuf[FILEBUFF];
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
/* fmap the input file for easier manipulation */
if (fd < 0) {
cli_dbgmsg("scan_mso_stream: Invalid file descriptor argument\n");
return CL_ENULLARG;
} else {
STATBUF statbuf;
if (FSTAT(fd, &statbuf) == -1) {
cli_dbgmsg("scan_mso_stream: Can't stat file descriptor\n");
return CL_ESTAT;
}
Record names of extracted files A way is needed to record scanned file names for two purposes: 1. File names (and extensions) must be stored in the json metadata properties recorded when using the --gen-json clamscan option. Future work may use this to compare file extensions with detected file types. 2. File names are useful when interpretting tmp directory output when using the --leave-temps option. This commit enables file name retention for later use by storing file names in the fmap header structure, if a file name exists. To store the names in fmaps, an optional name argument has been added to any internal scan API's that create fmaps and every call to these APIs has been modified to pass a file name or NULL if a file name is not required. The zip and gpt parsers required some modification to record file names. The NSIS and XAR parsers fail to collect file names at all and will require future work to support file name extraction. Also: - Added recursive extraction to the tmp directory when the --leave-temps option is enabled. When not enabled, the tmp directory structure remains flat so as to prevent the likelihood of exceeding MAX_PATH. The current tmp directory is stored in the scan context. - Made the cli_scanfile() internal API non-static and added it to scanners.h so it would be accessible outside of scanners.c in order to remove code duplication within libmspack.c. - Added function comments to scanners.h and matcher.h - Converted a TDB-type macros and LSIG-type macros to enums for improved type safey. - Converted more return status variables from `int` to `cl_error_t` for improved type safety, and corrected ooxml file typing functions so they use `cli_file_t` exclusively rather than mixing types with `cl_error_t`. - Restructured the magic_scandesc() function to use goto's for error handling and removed the early_ret_from_magicscan() macro and magic_scandesc_cleanup() function. This makes the code easier to read and made it easier to add the recursive tmp directory cleanup to magic_scandesc(). - Corrected zip, egg, rar filename extraction issues. - Removed use of extra sub-directory layer for zip, egg, and rar file extraction. For Zip, this also involved changing the extracted filenames to be randomly generated rather than using the "zip.###" file name scheme.
2020-03-19 21:23:54 -04:00
input = fmap(fd, 0, statbuf.st_size, NULL);
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
if (!input) {
cli_dbgmsg("scan_mso_stream: Failed to get fmap for input stream\n");
return CL_EMAP;
}
}
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
/* reserve tempfile for output and scanning */
Record names of extracted files A way is needed to record scanned file names for two purposes: 1. File names (and extensions) must be stored in the json metadata properties recorded when using the --gen-json clamscan option. Future work may use this to compare file extensions with detected file types. 2. File names are useful when interpretting tmp directory output when using the --leave-temps option. This commit enables file name retention for later use by storing file names in the fmap header structure, if a file name exists. To store the names in fmaps, an optional name argument has been added to any internal scan API's that create fmaps and every call to these APIs has been modified to pass a file name or NULL if a file name is not required. The zip and gpt parsers required some modification to record file names. The NSIS and XAR parsers fail to collect file names at all and will require future work to support file name extraction. Also: - Added recursive extraction to the tmp directory when the --leave-temps option is enabled. When not enabled, the tmp directory structure remains flat so as to prevent the likelihood of exceeding MAX_PATH. The current tmp directory is stored in the scan context. - Made the cli_scanfile() internal API non-static and added it to scanners.h so it would be accessible outside of scanners.c in order to remove code duplication within libmspack.c. - Added function comments to scanners.h and matcher.h - Converted a TDB-type macros and LSIG-type macros to enums for improved type safey. - Converted more return status variables from `int` to `cl_error_t` for improved type safety, and corrected ooxml file typing functions so they use `cli_file_t` exclusively rather than mixing types with `cl_error_t`. - Restructured the magic_scandesc() function to use goto's for error handling and removed the early_ret_from_magicscan() macro and magic_scandesc_cleanup() function. This makes the code easier to read and made it easier to add the recursive tmp directory cleanup to magic_scandesc(). - Corrected zip, egg, rar filename extraction issues. - Removed use of extra sub-directory layer for zip, egg, and rar file extraction. For Zip, this also involved changing the extracted filenames to be randomly generated rather than using the "zip.###" file name scheme.
2020-03-19 21:23:54 -04:00
if ((ret = cli_gentempfd(ctx->sub_tmpdir, &tmpname, &ofd)) != CL_SUCCESS) {
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
cli_errmsg("scan_mso_stream: Can't generate temporary file\n");
funmap(input);
return ret;
}
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
/* initialize zlib inflation stream */
memset(&zstrm, 0, sizeof(zstrm));
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
zstrm.zalloc = Z_NULL;
zstrm.zfree = Z_NULL;
zstrm.opaque = Z_NULL;
zstrm.next_in = inbuf;
zstrm.next_out = outbuf;
zstrm.avail_in = 0;
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
zstrm.avail_out = FILEBUFF;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
zret = inflateInit(&zstrm);
if (zret != Z_OK) {
cli_dbgmsg("scan_mso_stream: Can't initialize zlib inflation stream\n");
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
ret = CL_EUNPACK;
goto mso_end;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
}
/* extract 32-bit prefix */
if (fmap_readn(input, &prefix, off_in, sizeof(prefix)) != sizeof(prefix)) {
cli_dbgmsg("scan_mso_stream: Can't extract 4-byte prefix\n");
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
ret = CL_EREAD;
goto mso_end;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
}
bb11456 - corrects mso stream prefix value for big endian processors. Patch by Jim Morris.
2015-12-21 17:39:47 -05:00
/* RFC1952 says numbers are stored with least significant byte first */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
prefix = le32_to_host(prefix);
bb11456 - corrects mso stream prefix value for big endian processors. Patch by Jim Morris.
2015-12-21 17:39:47 -05:00
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
off_in += sizeof(uint32_t);
cli_dbgmsg("scan_mso_stream: stream prefix = %08x(%d)\n", prefix, prefix);
/* inflation loop */
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
do {
if (zstrm.avail_in == 0) {
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
size_t bytes_read;
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
zstrm.next_in = inbuf;
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
bytes_read = fmap_readn(input, inbuf, off_in, FILEBUFF);
if (bytes_read == (size_t)-1) {
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
cli_errmsg("scan_mso_stream: Error reading MSO file\n");
ret = CL_EUNPACK;
goto mso_end;
}
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
if (bytes_read == 0)
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
break;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
zstrm.avail_in = bytes_read;
off_in += bytes_read;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
zret = inflate(&zstrm, Z_SYNC_FLUSH);
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
count = FILEBUFF - zstrm.avail_out;
if (count) {
if (cli_checklimits("MSO", ctx, outsize + count, 0, 0) != CL_SUCCESS)
break;
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
if (cli_writen(ofd, outbuf, count) != count) {
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
cli_errmsg("scan_mso_stream: Can't write to file %s\n", tmpname);
ret = CL_EWRITE;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
goto mso_end;
}
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
outsize += count;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
zstrm.next_out = outbuf;
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
zstrm.avail_out = FILEBUFF;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
} while (zret == Z_OK);
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
/* post inflation checks */
if (zret != Z_STREAM_END && zret != Z_OK) {
if (outsize == 0) {
cli_infomsg(ctx, "scan_mso_stream: Error decompressing MSO file. No data decompressed.\n");
ret = CL_EUNPACK;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
goto mso_end;
}
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
cli_infomsg(ctx, "scan_mso_stream: Error decompressing MSO file. Scanning what was decompressed.\n");
}
bb#11369 - allow for partial last block in ole2 ole2: general debugging and comment clean-up
2015-08-12 16:04:42 -04:00
cli_dbgmsg("scan_mso_stream: Decompressed %llu bytes to %s\n", (long long unsigned)outsize, tmpname);
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
if (outsize != prefix) {
cli_warnmsg("scan_mso_stream: declared prefix != inflated stream size, %llu != %llu\n",
(long long unsigned)prefix, (long long unsigned)outsize);
} else {
cli_dbgmsg("scan_mso_stream: declared prefix == inflated stream size, %llu == %llu\n",
(long long unsigned)prefix, (long long unsigned)outsize);
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
}
/* scanning inflated stream */
Code quality: Refactor layer attributes as scan parameter The current implementation sets a "next layer attributes" flag field in the scan context. This may introduce bugs if accidentally not cleared during error handling, causing that attribute to be applied to a different layer than intended. This commit resolves that by adding an attribute flag to the major internal scan functions and removing the "next layer attributes" from the scan context. This attributes flag shares the same flag fields as the attributes flag in the new file inspection callback and the flags are defined in `clamav.h`.
2022-03-09 22:26:40 -08:00
ret = cli_magic_scan_desc(ofd, tmpname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
/* clean-up */
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
mso_end:
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
zret = inflateEnd(&zstrm);
if (zret != Z_OK)
ret = CL_EUNPACK;
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
close(ofd);
cid 12153 - simplify null ctx check in mso scanning
2015-08-17 18:07:16 -04:00
if (!ctx->engine->keeptmp)
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
if (cli_unlink(tmpname))
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
ret = CL_EUNLINK;
ole2[mso]: code cleanup and optimization
2015-04-29 17:18:34 -04:00
free(tmpname);
funmap(input);
ole2: added MSO inflation and scanning (detached)
2015-04-22 04:34:02 -04:00
return ret;
}
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
static cl_error_t handler_otf(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx)
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
{
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
cl_error_t ret = CL_BREAK;
char *tempfile = NULL;
char *name = NULL;
unsigned char *buff = NULL;
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
int32_t current_block = 0;
size_t len = 0, offset = 0;
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
int ofd = -1;
int is_mso = 0;
bitset_t *blk_bitset = NULL;
Retab for sanity
2013-11-25 21:48:18 +00:00
Silence some compiler warnings
2014-07-09 12:03:08 -04:00
UNUSEDPARAM(dir);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
UNUSEDPARAM(handler_ctx);
Silence some compiler warnings
2014-07-09 12:03:08 -04:00
Retab for sanity
2013-11-25 21:48:18 +00:00
if (prop->type != 2) {
/* Not a file */
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_SUCCESS;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
print_ole2_property(prop);
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
if (!(tempfile = cli_gentemp(ctx->sub_tmpdir))) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_EMEM;
goto done;
}
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
Change permission for new tmp files from RWX to RW
2020-03-30 20:42:44 -04:00
if ((ofd = open(tempfile, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR)) < 0) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("OLE2 [handler_otf]: Can't create file %s\n", tempfile);
ret = CL_ECREAT;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
current_block = prop->start_block;
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
len = prop->size;
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
ole2: added debug message handler_otf stream -> tempfile
2016-06-28 11:59:48 -04:00
if (cli_debug_flag) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (!name) {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
ole2: added debug message handler_otf stream -> tempfile
2016-06-28 11:59:48 -04:00
cli_dbgmsg("OLE2 [handler_otf]: Dumping '%s' to '%s'\n", name, tempfile);
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_MALLOC_OR_GOTO_DONE(buff, 1 << hdr->log2_big_block_size, ret = CL_EMEM);
Retab for sanity
2013-11-25 21:48:18 +00:00
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
blk_bitset = cli_bitset_init();
Retab for sanity
2013-11-25 21:48:18 +00:00
if (!blk_bitset) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_errmsg("OLE2 [handler_otf]: init bitset failed\n");
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
while ((current_block >= 0) && (len > 0)) {
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (current_block > (int32_t)hdr->max_block_no) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("OLE2 [handler_otf]: Max block number for file size exceeded: %d\n", current_block);
Retab for sanity
2013-11-25 21:48:18 +00:00
break;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
/* Check we aren't in a loop */
if (cli_bitset_test(blk_bitset, (unsigned long)current_block)) {
/* Loop in block list */
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("OLE2 [handler_otf]: Block list loop detected\n");
Retab for sanity
2013-11-25 21:48:18 +00:00
break;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
if (!cli_bitset_set(blk_bitset, (unsigned long)current_block)) {
break;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
if (prop->size < (int64_t)hdr->sbat_cutoff) {
Retab for sanity
2013-11-25 21:48:18 +00:00
/* Small block file */
if (!ole2_get_sbat_data_block(hdr, buff, current_block)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cli_dbgmsg("OLE2 [handler_otf]: ole2_get_sbat_data_block failed\n");
Retab for sanity
2013-11-25 21:48:18 +00:00
break;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
/* buff now contains the block with N small blocks in it */
offset = (1 << hdr->log2_small_block_size) * (current_block % (1 << (hdr->log2_big_block_size - hdr->log2_small_block_size)));
if (cli_writen(ofd, &buff[offset], MIN(len, 1 << hdr->log2_small_block_size)) != MIN(len, 1 << hdr->log2_small_block_size)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
len -= MIN(len, 1 << hdr->log2_small_block_size);
current_block = ole2_get_next_sbat_block(hdr, current_block);
} else {
/* Big block file */
if (!ole2_read_block(hdr, buff, 1 << hdr->log2_big_block_size, current_block)) {
break;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Argument and return types for fmap_readn(), cli_writen(), cli_readn() converted to use size_t instead of int.
2019-05-04 15:54:54 -04:00
if (cli_writen(ofd, buff, MIN(len, (1 << hdr->log2_big_block_size))) != MIN(len, (1 << hdr->log2_big_block_size))) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_EWRITE;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
Retab for sanity
2013-11-25 21:48:18 +00:00
current_block = ole2_get_next_block_number(hdr, current_block);
len -= MIN(len, (1 << hdr->log2_big_block_size));
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
}
}
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
/* defragmenting of ole2 stream complete */
ole2: added method for checking MSO and branching to MSO scanner
2015-04-22 05:26:57 -04:00
is_mso = likely_mso_stream(ofd);
Retab for sanity
2013-11-25 21:48:18 +00:00
if (lseek(ofd, 0, SEEK_SET) == -1) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_ESEEK;
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
xls: added OTF SummaryInfo and DocumentSummary streams parsing support
2014-04-21 18:40:32 -04:00
ole2: check for json outputting option
2014-04-23 18:15:29 -04:00
#if HAVE_JSON
/* JSON Output Summary Information */
Restructured scan options flags from a single bitflag field to a structure containing multiple bitflag fields. This also required adding a new function to the bytecode API to get scan options a la carte, and modifying the existing function to hand back scan options in the old/deprecated uint32_t bitflag format. Re-generated bytecode iface header files. Updated libclamav documentation detailing new scan options structure. Renamed references to 'algorithmic' detection to 'heuristic' detection. Renaming references to 'properties' to 'collect metadata'. Renamed references to 'scan all' to 'scan all match'. Renamed a couple of 'Hueristic.*' signature names as 'Heuristics.*' signatures (plural) to match majority of other heuristics.
2018-07-20 22:28:48 -04:00
if (SCAN_COLLECT_METADATA && (ctx->properties != NULL)) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (!name) {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
ole2: fixed an issue with extremely long names
2014-06-04 11:00:43 -04:00
if (name) {
if (!strncmp(name, "_5_summaryinformation", 21)) {
cli_dbgmsg("OLE2: detected a '_5_summaryinformation' stream\n");
/* JSONOLE2 - what to do if something breaks? */
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
if (cli_ole2_summary_json(ctx, ofd, 0) == CL_ETIMEOUT) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_ETIMEOUT;
goto done;
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
}
ole2: fixed an issue with extremely long names
2014-06-04 11:00:43 -04:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ole2: fixed an issue with extremely long names
2014-06-04 11:00:43 -04:00
if (!strncmp(name, "_5_documentsummaryinformation", 29)) {
cli_dbgmsg("OLE2: detected a '_5_documentsummaryinformation' stream\n");
/* JSONOLE2 - what to do if something breaks? */
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
if (cli_ole2_summary_json(ctx, ofd, 1) == CL_ETIMEOUT) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = CL_ETIMEOUT;
goto done;
added pre-class timeouts for ms-docs and pe files
2014-06-25 13:08:18 -04:00
}
ole2: fixed an issue with extremely long names
2014-06-04 11:00:43 -04:00
}
ole2: check for json outputting option
2014-04-23 18:15:29 -04:00
}
xls: added OTF SummaryInfo and DocumentSummary streams parsing support
2014-04-21 18:40:32 -04:00
}
ole2: check for json outputting option
2014-04-23 18:15:29 -04:00
#endif
xls: added OTF SummaryInfo and DocumentSummary streams parsing support
2014-04-21 18:40:32 -04:00
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
if (hdr->is_hwp) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (!name) {
Modernize VBA code extraction from Microsoft Office files - Existing VBA extraction code uses undocumented cache structures. This code uses the documented way of accessing VBA projects. - Adds additional detail to the dumped information: Project name, Project doc string, ... All VBA projects are dumped into a single file. - Malware authors are currently evading detection by spreading malicious code over several projects. It is hard to write signatures if only part of the malicious code is visible.
2020-04-28 13:32:07 -07:00
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
Updating libclamunrar from legacy C implementation to modern unrar 5.6.5. API changes and supporting changes included to pass the filepath of the scanned file into libclamav through the cli_ctx structure, required by the unrar library to open archives. The filename argument may be optional for the scandesc scanning variant, but libclamav will make a best effort to identify the filename from the file descriptor if it was not provided. In addition, included the ability to prefix temp file and directory names with file basenames.
2018-07-30 20:19:28 -04:00
ret = cli_scanhwp5_stream(ctx, hdr->is_hwp, name, ofd, tempfile);
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
} else if (is_mso < 0) {
ole2: added method for checking MSO and branching to MSO scanner
2015-04-22 05:26:57 -04:00
ret = CL_ESEEK;
} else if (is_mso) {
/* MSO Stream Scan */
ret = scan_mso_stream(ofd, ctx);
} else {
/* Normal File Scan */
Code quality: Refactor layer attributes as scan parameter The current implementation sets a "next layer attributes" flag field in the scan context. This may introduce bugs if accidentally not cleared during error handling, causing that attribute to be applied to a different layer than intended. This commit resolves that by adding an attribute flag to the major internal scan functions and removing the "next layer attributes" from the scan context. This attributes flag shares the same flag fields as the attributes flag in the new file inspection callback and the flags are defined in `clamav.h`.
2022-03-09 22:26:40 -08:00
ret = cli_magic_scan_desc(ofd, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE);
ole2: added method for checking MSO and branching to MSO scanner
2015-04-22 05:26:57 -04:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
ret = ret == CL_VIRUS ? CL_VIRUS : CL_SUCCESS;
done:
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(name);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (-1 != ofd) {
close(ofd);
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(buff);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (NULL != blk_bitset) {
cli_bitset_free(blk_bitset);
}
if (NULL != tempfile) {
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
if (!ctx->engine->keeptmp) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (cli_unlink(tempfile)) {
ret = CL_EUNLINK;
}
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
free(tempfile);
Added malloc error handling macros to ole2_extract
2021-08-10 13:19:01 -07:00
tempfile = NULL;
improve handling of PDF, CAB, RTF, OLE2 and HTML files (sync with branch/0.93) git-svn: trunk@3862
2008-05-27 16:30:47 +00:00
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
return ret;
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
/*
* @brief Extracts encrypted files.
* @param hdr ole2_header_t structure
* @param prop property_t structure (DirectoryEntry)
* @param dir dir pointer. Unused by this function
* @param ctx cli_ctx
* @param handler_ctx handler context. For this function, it is the encryption key
* initialized by 'initialize_encryption_key'
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
* @return Success or failure depending on whether validation was successful.
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
*
* For more information, see below
* https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/e5ad39b8-9bc1-4a19-bad3-44e6246d21e6
*/
static cl_error_t handler_otf_encrypted(ole2_header_t *hdr, property_t *prop, const char *dir, cli_ctx *ctx, void *handler_ctx)
{
cl_error_t ret = CL_BREAK;
char *tempfile = NULL;
char *name = NULL;
uint8_t *buff = NULL;
int32_t current_block = 0;
size_t len = 0;
size_t offset = 0;
int ofd = -1;
int is_mso = 0;
bitset_t *blk_bitset = NULL;
int nrounds = 0;
uint8_t *decryptDst = NULL;
encryption_key_t *key = (encryption_key_t *)handler_ctx;
uint64_t *rk = NULL;
uint32_t bytesRead = 0;
uint64_t actualFileLength;
uint64_t bytesWritten = 0;
uint32_t leftover = 0;
uint32_t readIdx = 0;
UNUSEDPARAM(dir);
if (NULL == key) {
cli_errmsg("%s::%d::key NULL\n", __FUNCTION__, __LINE__);
goto done;
}
if (prop->type != 2) {
/* Not a file */
ret = CL_SUCCESS;
goto done;
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_MALLOC_OR_GOTO_DONE(rk, RKLENGTH(key->key_length_bits) * sizeof(uint64_t), ret = CL_EMEM);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
print_ole2_property(prop);
nrounds = rijndaelSetupDecrypt(rk, key->key, key->key_length_bits);
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
if (!(tempfile = cli_gentemp(ctx->sub_tmpdir))) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
ret = CL_EMEM;
goto done;
}
if ((ofd = open(tempfile, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR)) < 0) {
cli_dbgmsg("OLE2 [handler_otf]: Can't create file %s\n", tempfile);
ret = CL_ECREAT;
goto done;
}
current_block = prop->start_block;
len = prop->size;
if (cli_debug_flag) {
if (!name) {
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
}
cli_dbgmsg("OLE2 [handler_otf]: Dumping '%s' to '%s'\n", name, tempfile);
}
uint32_t blockSize = 1 << hdr->log2_big_block_size;
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_MAX_MALLOC_OR_GOTO_DONE(buff, blockSize + sizeof(uint64_t), ret = CL_EMEM);
CLI_MAX_MALLOC_OR_GOTO_DONE(decryptDst, blockSize, ret = CL_EMEM);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
blk_bitset = cli_bitset_init();
if (!blk_bitset) {
cli_errmsg("OLE2 [handler_otf]: init bitset failed\n");
goto done;
}
while (bytesRead < len) {
if (current_block > (int32_t)hdr->max_block_no) {
cli_dbgmsg("OLE2 [handler_otf]: Max block number for file size exceeded: %d\n", current_block);
break;
}
/* Check we aren't in a loop */
if (cli_bitset_test(blk_bitset, (uint64_t)current_block)) {
/* Loop in block list */
cli_dbgmsg("OLE2 [handler_otf]: Block list loop detected\n");
break;
}
if (!cli_bitset_set(blk_bitset, (uint64_t)current_block)) {
break;
}
if (prop->size < (int64_t)hdr->sbat_cutoff) {
/* Small block file */
if (!ole2_get_sbat_data_block(hdr, buff, current_block)) {
cli_dbgmsg("OLE2 [handler_otf]: ole2_get_sbat_data_block failed\n");
break;
}
/* buff now contains the block with N small blocks in it */
offset = (((size_t)1) << hdr->log2_small_block_size) * (((size_t)current_block) % (((size_t)1) << (hdr->log2_big_block_size - hdr->log2_small_block_size)));
if (cli_writen(ofd, &buff[offset], MIN(len, 1 << hdr->log2_small_block_size)) != MIN(len, 1 << hdr->log2_small_block_size)) {
goto done;
}
len -= MIN(len, 1 << hdr->log2_small_block_size);
current_block = ole2_get_next_sbat_block(hdr, current_block);
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
// These small block files don't seem to be encrypted.
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
} else {
uint32_t bytesToWrite = MIN(len - bytesRead, blockSize);
uint32_t writeIdx = 0;
uint32_t decryptDstIdx = 0;
if (!ole2_read_block(hdr, &(buff[readIdx]), blockSize, current_block)) {
break;
}
if (0 == bytesRead) {
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
// first block. account for size of file.
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
writeIdx += sizeof(uint64_t);
memcpy(&actualFileLength, buff, sizeof(actualFileLength));
actualFileLength = ole2_endian_convert_64(actualFileLength);
}
bytesRead += blockSize;
for (; writeIdx <= (leftover + bytesToWrite) - 16; writeIdx += 16, decryptDstIdx += 16) {
rijndaelDecrypt(rk, nrounds, &(buff[writeIdx]), &(decryptDst[decryptDstIdx]));
}
/*Since our buffer size is a power of 2, leftover should always be
* either 0 or 8, but we have to decrypt in multiples of 16.*/
if (((leftover + bytesToWrite) - writeIdx) > 8) {
goto done;
}
/*Make sure we don't write more data than the file is actually supposed to be.*/
if ((decryptDstIdx + bytesWritten) > actualFileLength) {
decryptDstIdx = actualFileLength - bytesWritten;
}
if (cli_writen(ofd, decryptDst, decryptDstIdx) != decryptDstIdx) {
cli_errmsg("ole2: Error writing to file '%s'\n", tempfile);
goto done;
}
bytesWritten += decryptDstIdx;
leftover = (leftover + bytesToWrite) - writeIdx;
if (leftover) {
memmove(buff, &(buff[writeIdx]), leftover);
}
readIdx = leftover;
current_block = ole2_get_next_block_number(hdr, current_block);
}
}
/* defragmenting of ole2 stream complete */
is_mso = likely_mso_stream(ofd);
if (lseek(ofd, 0, SEEK_SET) == -1) {
ret = CL_ESEEK;
goto done;
}
#if HAVE_JSON
/* JSON Output Summary Information */
if (SCAN_COLLECT_METADATA && (ctx->properties != NULL)) {
if (!name) {
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
}
if (name) {
if (!strncmp(name, "_5_summaryinformation", 21)) {
cli_dbgmsg("OLE2: detected a '_5_summaryinformation' stream\n");
/* JSONOLE2 - what to do if something breaks? */
if (cli_ole2_summary_json(ctx, ofd, 0) == CL_ETIMEOUT) {
ret = CL_ETIMEOUT;
goto done;
}
}
if (!strncmp(name, "_5_documentsummaryinformation", 29)) {
cli_dbgmsg("OLE2: detected a '_5_documentsummaryinformation' stream\n");
/* JSONOLE2 - what to do if something breaks? */
if (cli_ole2_summary_json(ctx, ofd, 1) == CL_ETIMEOUT) {
ret = CL_ETIMEOUT;
goto done;
}
}
}
}
#endif
if (hdr->is_hwp) {
if (!name) {
name = cli_ole2_get_property_name2(prop->name, prop->name_size);
}
ret = cli_scanhwp5_stream(ctx, hdr->is_hwp, name, ofd, tempfile);
} else if (is_mso < 0) {
ret = CL_ESEEK;
} else if (is_mso) {
/* MSO Stream Scan */
ret = scan_mso_stream(ofd, ctx);
} else {
/* Normal File Scan */
ret = cli_magic_scan_desc(ofd, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE);
}
ret = ret == CL_VIRUS ? CL_VIRUS : CL_SUCCESS;
done:
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(name);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
if (-1 != ofd) {
close(ofd);
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(buff);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
if (NULL != blk_bitset) {
cli_bitset_free(blk_bitset);
}
if (NULL != tempfile) {
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
if (!ctx->engine->keeptmp) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
if (cli_unlink(tempfile)) {
ret = CL_EUNLINK;
}
}
free(tempfile);
tempfile = NULL;
}
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(decryptDst);
CLI_FREE_AND_SET_NULL(rk);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
return ret;
}
add support for HP-UX 11.11 git-svn: trunk@2856
2007-02-24 03:30:27 +00:00
#if !defined(HAVE_ATTRIB_PACKED) && !defined(HAVE_PRAGMA_PACK) && !defined(HAVE_PRAGMA_PACK_HPPA)
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
static bool ole2_read_header(int fd, ole2_header_t *hdr)
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
int i;
Retab for sanity
2013-11-25 21:48:18 +00:00
if (cli_readn(fd, &hdr->magic, 8) != 8) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->clsid, 16) != 16) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->minor_version, 2) != 2) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->dll_version, 2) != 2) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->byte_order, 2) != 2) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->log2_big_block_size, 2) != 2) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->log2_small_block_size, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->reserved, 8) != 8) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->bat_count, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->prop_start, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->signature, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->sbat_cutoff, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->sbat_start, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->sbat_block_count, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->xbat_start, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (cli_readn(fd, &hdr->xbat_count, 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
for (i = 0; i < 109; i++) {
if (cli_readn(fd, &hdr->bat_array[i], 4) != 4) {
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return false;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
}
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
return true;
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
}
remove some warnings from gcc git-svn: trunk@2674
2007-02-04 17:00:53 +00:00
#endif
Mon Feb 2 12:43:55 GMT 2004 (trog) ----------------------------------- * libclamav: ole2_extract.c: Add checks for compiler packed struct support. Fix sbat table in xbats bug. Fixup some data types. Add function to read ole2 header with compilers we don't know how to pack structures. git-svn: trunk@227
2004-02-02 12:51:46 +00:00
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
void copy_encryption_info_stream_standard(encryption_info_stream_standard_t *dst, const uint8_t *src)
{
memcpy(dst, src, sizeof(encryption_info_stream_standard_t));
dst->version_major = ole2_endian_convert_16(dst->version_major);
dst->version_minor = ole2_endian_convert_16(dst->version_minor);
dst->flags = ole2_endian_convert_32(dst->flags);
dst->size = ole2_endian_convert_32(dst->size);
dst->encryptionInfo.flags = ole2_endian_convert_32(dst->encryptionInfo.flags);
dst->encryptionInfo.sizeExtra = ole2_endian_convert_32(dst->encryptionInfo.sizeExtra);
dst->encryptionInfo.algorithmID = ole2_endian_convert_32(dst->encryptionInfo.algorithmID);
dst->encryptionInfo.algorithmIDHash = ole2_endian_convert_32(dst->encryptionInfo.algorithmIDHash);
dst->encryptionInfo.keySize = ole2_endian_convert_32(dst->encryptionInfo.keySize);
dst->encryptionInfo.providerType = ole2_endian_convert_32(dst->encryptionInfo.providerType);
dst->encryptionInfo.reserved1 = ole2_endian_convert_32(dst->encryptionInfo.reserved1);
dst->encryptionInfo.reserved2 = ole2_endian_convert_32(dst->encryptionInfo.reserved2);
}
void copy_encryption_verifier(encryption_verifier_t *dst, const uint8_t *src)
{
memcpy(dst, src, sizeof(encryption_verifier_t));
dst->salt_size = ole2_endian_convert_32(dst->salt_size);
dst->verifier_hash_size = ole2_endian_convert_32(dst->verifier_hash_size);
}
static inline bool key_length_valid_aes_bits(const uint32_t keyLength)
{
switch (keyLength) {
case SE_HEADER_EI_AES128_KEYSIZE:
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
/* fall-through */
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
case SE_HEADER_EI_AES192_KEYSIZE:
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
/* fall-through */
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
case SE_HEADER_EI_AES256_KEYSIZE:
return true;
}
return false;
}
/*Definitions for generate_key_aes*/
#define GENERATE_KEY_AES_ITERATIONS 50000
/*
* @brief Generate the key for aes encryption based on the password
* @param password Password to generate the key from
* @param key [out] location to store the key
* @param verifier encryption_verifier_t from the header. Contains information necessary to generate the key
*
* @return Error code based on whether or not the key was generated. This function
* does NOT validate the key, you must call 'verify_key' for that.
*/
static cl_error_t generate_key_aes(const char *const password, encryption_key_t *key,
encryption_verifier_t *verifier)
{
uint8_t *buffer = NULL;
size_t bufLen = 0;
cl_error_t ret = CL_ERROR;
uint32_t i = 0;
uint8_t sha1[sizeof(uint32_t) + SHA1_HASH_SIZE + sizeof(uint32_t)] = {0};
uint8_t *sha1Dst = &(sha1[sizeof(uint32_t)]);
uint8_t buf1[64];
uint8_t buf2[64];
uint8_t doubleSha[SHA1_HASH_SIZE * 2];
uint32_t tmp = 0;
if (!key_length_valid_aes_bits(key->key_length_bits)) {
cli_errmsg("ole2: Invalid key length '0x%x'\n", key->key_length_bits / 8);
goto done;
}
memset(key->key, 0, key->key_length_bits / 8);
bufLen = verifier->salt_size + (strlen(password) * 2);
buffer = calloc(bufLen, 1);
if (NULL == buffer) {
cli_errmsg("ole2: calloc failed\n");
ret = CL_EMEM;
goto done;
}
tmp = verifier->salt_size;
if (verifier->salt_size > sizeof(verifier->salt)) {
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("ole2: Invalid salt length '0x%x'\n", verifier->salt_size);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
tmp = sizeof(verifier->salt);
}
memcpy(buffer, verifier->salt, tmp);
/*Convert to UTF16-LE*/
for (i = 0; i < (uint32_t)strlen(password); i++) {
buffer[verifier->salt_size + (i * 2)] = password[i];
}
(void)cl_sha1(buffer, bufLen, sha1Dst, NULL);
for (i = 0; i < GENERATE_KEY_AES_ITERATIONS; i++) {
uint32_t eye = ole2_endian_convert_32(i);
memcpy(sha1, &eye, sizeof(eye));
(void)cl_sha1(sha1, SHA1_HASH_SIZE + sizeof(uint32_t), sha1Dst, NULL);
}
memset(&(sha1Dst[SHA1_HASH_SIZE]), 0, sizeof(uint32_t));
(void)cl_sha1(sha1Dst, SHA1_HASH_SIZE + sizeof(uint32_t), sha1Dst, NULL);
memset(buf1, 0x36, sizeof(buf1));
for (i = 0; i < SHA1_HASH_SIZE; i++) {
buf1[i] = buf1[i] ^ sha1Dst[i];
}
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
// now sha1 buf1
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
(void)cl_sha1(buf1, sizeof(buf1), doubleSha, NULL);
memset(buf2, 0x5c, sizeof(buf2));
for (i = 0; i < SHA1_HASH_SIZE; i++) {
buf2[i] = buf2[i] ^ sha1Dst[i];
}
(void)cl_sha1(buf2, sizeof(buf2), &(doubleSha[SHA1_HASH_SIZE]), NULL);
tmp = key->key_length_bits / 8;
if (tmp > sizeof(key->key)) {
cli_warnmsg("ole2: Invalid key length 0x%x\n", key->key_length_bits / 8);
tmp = sizeof(key->key);
}
memcpy(key->key, doubleSha, tmp);
ret = CL_SUCCESS;
done:
Refine max-allocation and safer-allocation function and macro names We add the _OR_GOTO_DONE suffix to the macros that go to done if the allocation fails. This makes it obvious what is different about the macro versus the equivalent function, and that error handling is built-in. Renamed the cli_strdup to safer_strdup to make it obvious that it exists because it is safer than regular strdup. Regular strdup doesn't have the NULL check before trying to dup, and so may result in a NULL-deref crash. Also remove unused STRDUP (_OR_GOTO_DONE) macro, since the one with the NULL-check is preferred.
2024-01-09 17:44:33 -05:00
CLI_FREE_AND_SET_NULL(buffer);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
return ret;
}
static bool aes_128ecb_decrypt(const unsigned char *in, size_t length, unsigned char *out, const encryption_key_t *const key)
{
uint64_t rk[RKLENGTH(128)];
int nrounds;
size_t i;
bool bRet = false;
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
if (SE_HEADER_EI_AES128_KEYSIZE != key->key_length_bits) {
cli_dbgmsg("ole2: Unsupported AES key length in aes_128ecb_decrypt\n");
goto done;
}
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
nrounds = rijndaelSetupDecrypt(rk, (const unsigned char *)key->key, key->key_length_bits);
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
if (!nrounds) {
cli_errmsg("ole2: Unable to initialize decryption.\n");
goto done;
} else {
for (i = 0; i < length; i += 16) {
rijndaelDecrypt(rk, nrounds, &(in[i]), &(out[i]));
}
}
bRet = true;
done:
return bRet;
}
/*Definitions for verify_key_aes*/
#define AES_VERIFIER_HASH_LEN 32
/*
* @brief Returns true if it is actually encrypted with the key.
* @param key encryption_key_t to attempt validation
* @param verifier encryption_verifier_t to attempt validation.
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
* @return Success or failure depending on whether validation was successful.
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
*
* For more information, see below
* https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/e5ad39b8-9bc1-4a19-bad3-44e6246d21e6
*/
static bool verify_key_aes(const encryption_key_t *const key, encryption_verifier_t *verifier)
{
bool bRet = false;
uint8_t sha[SHA1_HASH_SIZE];
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
uint8_t decrypted[AES_VERIFIER_HASH_LEN] = {0};
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
uint32_t actual_hash_size = 0;
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// The hash size should be 20 bytes, even though the buffer is 32 bytes.
// If it claims to be LARGER than 32 bytes, we have a problem - because the buffer isn't that big.
actual_hash_size = verifier->verifier_hash_size;
if (actual_hash_size > sizeof(verifier->encrypted_verifier_hash)) {
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("ole2: Invalid encrypted verifier hash length 0x%x\n", verifier->verifier_hash_size);
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
actual_hash_size = sizeof(verifier->encrypted_verifier_hash);
}
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
switch (key->key_length_bits) {
case SE_HEADER_EI_AES128_KEYSIZE:
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// Decrypt the verifier, which is a randomly generated Verifier value encrypted using
// the algorithm chosen by the implementation.
if (!aes_128ecb_decrypt(verifier->encrypted_verifier, sizeof(verifier->encrypted_verifier), decrypted, key)) {
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
goto done;
}
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// Get hash of decrypted verifier.
// The hash type is from the encryption header, but in this case should always be SHA1.
(void)cl_sha1(decrypted, sizeof(verifier->encrypted_verifier), sha, NULL);
// Decrypt the verifier hash, which, for contains the encrypted form of the hash of the randomly generated Verifier value
if (!aes_128ecb_decrypt(verifier->encrypted_verifier_hash, actual_hash_size, decrypted, key)) {
goto done;
}
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
break;
case SE_HEADER_EI_AES192_KEYSIZE:
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// not implemented
goto done;
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
case SE_HEADER_EI_AES256_KEYSIZE:
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// not implemented
goto done;
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
default:
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// unsupported/invalid key size
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
goto done;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
}
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// Compare our (20-byte) SHA1 with the decrypted hash, which should be the same.
// Note: the hash size is different then ... what are we gonna do? We only support SHA1 hashes for this algorithm.
// So we'll just assume they're the same for this comparison.
bRet = (0 == memcmp(sha, decrypted, SHA1_HASH_SIZE));
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
done:
return bRet;
}
/*Definitions for initialize_encryption_key*/
#define SE_HEADER_FCRYPTOAPI (1 << 2)
#define SE_HEADER_FEXTERNAL (1 << 4)
#define SE_HEADER_FDOCPROPS (1 << 3)
#define SE_HEADER_FAES (1 << 5)
#define SE_HEADER_EI_AES128 0x0000660e
#define SE_HEADER_EI_AES192 0x0000660f
#define SE_HEADER_EI_AES256 0x00006610
#define SE_HEADER_EI_RC4 0x00006801
#define SE_HEADER_EI_SHA1 0x00008004
#define SE_HEADER_EI_AES_PROVIDERTYPE 0x00000018
/**
* @brief Initialize encryption key, if the encryption validation passes.
*
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
* @param encryptionInfo Pointer to the encryption header.
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
* @param encryptionKey [out] Pointer to encryption_key_t structure to be initialized by this function.
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
* @return Success or failure depending on whether or not the
* encryption verifier was successful with the
* standard password (VelvetSweatshop).
*
* Information about the encryption keys is here
* https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/dca653b5-b93b-48df-8e1e-0fb9e1c83b0f
* https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/2895eba1-acb1-4624-9bde-2cdad3fea015
*
*/
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
static bool initialize_encryption_key(
const uint8_t *encryptionInfoStreamPtr,
size_t remainingBytes,
encryption_key_t *encryptionKey)
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
{
bool bRet = false;
size_t idx = 0;
encryption_key_t key;
bool bAES = false;
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
encryption_info_stream_standard_t encryptionInfo = {0};
uint16_t *encryptionInfo_CSPName = NULL;
OLE2: Fix integer overflow that may result in over read An integer overflow when calculating remainingBytes may cause a large buffer over read. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62542
2023-10-03 00:42:00 -05:00
size_t CSPName_length = 0;
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
const uint8_t *encryptionVerifierPtr = NULL;
encryption_verifier_t encryptionVerifier = {0};
// Populate the encryption_info_stream_standard_t structure
copy_encryption_info_stream_standard(&encryptionInfo, encryptionInfoStreamPtr);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
memset(encryptionKey, 0, sizeof(encryption_key_t));
memset(&key, 0, sizeof(encryption_key_t));
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("Major Version = 0x%x\n", encryptionInfo.version_major);
cli_dbgmsg("Minor Version = 0x%x\n", encryptionInfo.version_minor);
cli_dbgmsg("Flags = 0x%x\n", encryptionInfo.flags);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
/*Bit 0 and 1 must be 0*/
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (1 & encryptionInfo.flags) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Invalid first bit, must be 0\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if ((1 << 1) & encryptionInfo.flags) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Invalid second bit, must be 0\n");
goto done;
}
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
// https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/200a3d61-1ab4-4402-ae11-0290b28ab9cb
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if ((SE_HEADER_FDOCPROPS & encryptionInfo.flags)) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Unsupported document properties encrypted\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if ((SE_HEADER_FEXTERNAL & encryptionInfo.flags) &&
(SE_HEADER_FEXTERNAL != encryptionInfo.flags)) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Invalid fExternal flags. If fExternal bit is set, nothing else can be\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (SE_HEADER_FAES & encryptionInfo.flags) {
if (!(SE_HEADER_FCRYPTOAPI & encryptionInfo.flags)) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Invalid combo of fAES and fCryptoApi flags\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("Flags = AES\n");
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("Size = 0x%x\n", encryptionInfo.size);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (encryptionInfo.flags != encryptionInfo.encryptionInfo.flags) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Flags must match\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (0 != encryptionInfo.encryptionInfo.sizeExtra) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Size Extra must be 0\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
switch (encryptionInfo.encryptionInfo.algorithmID) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
case SE_HEADER_EI_AES128:
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (SE_HEADER_EI_AES128_KEYSIZE != encryptionInfo.encryptionInfo.keySize) {
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
cli_dbgmsg("ole2: Key length does not match algorithm id\n");
goto done;
}
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
bAES = true;
break;
case SE_HEADER_EI_AES192:
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// not implemented
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (SE_HEADER_EI_AES192_KEYSIZE != encryptionInfo.encryptionInfo.keySize) {
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
cli_dbgmsg("ole2: Key length does not match algorithm id\n");
goto done;
}
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
bAES = true;
goto done;
case SE_HEADER_EI_AES256:
Fix memory compare length in OLE2 AES key verification Coverity found two slightly different buffer length issues with the memcmp at the end of the verify_key_aes() function. The problem is that the hash must be a SHA1, but the the verifier hash field is up to 32 bytes, and the structure may also lie about the size of the hash, saying it's more than 32 bytes. Realistically, it should be 20 bytes if it is functioning correctly, so we shouldn't really care about the extra 12 bytes.
2022-10-24 17:50:11 -07:00
// not implemented
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (SE_HEADER_EI_AES256_KEYSIZE != encryptionInfo.encryptionInfo.keySize) {
Validate key length before calling encryption Add error checking to make sure we aren't calling into aes decrypt functions with larger key sizes, that would make decrypt read past the end of it's data array.
2022-10-24 12:48:42 -07:00
cli_dbgmsg("ole2: Key length does not match algorithm id\n");
goto done;
}
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
bAES = true;
goto done;
case SE_HEADER_EI_RC4:
Resolve static-analysis complaint about NULL-check after use Coverity static analysis is complaining that the ctx variable is checked for NULL after it has already been dereferenced. This code was copied from elsewhere in the file, so fixed it there as well.
2022-10-24 13:08:14 -07:00
// not implemented
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
goto done;
default:
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("ole2: Invalid Algorithm ID: 0x%x\n", encryptionInfo.encryptionInfo.algorithmID);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (SE_HEADER_EI_SHA1 != encryptionInfo.encryptionInfo.algorithmIDHash) {
cli_dbgmsg("ole2: Invalid Algorithm ID Hash: 0x%x\n", encryptionInfo.encryptionInfo.algorithmIDHash);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (!key_length_valid_aes_bits(encryptionInfo.encryptionInfo.keySize)) {
cli_dbgmsg("ole2: Invalid key size: 0x%x\n", encryptionInfo.encryptionInfo.keySize);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("KeySize = 0x%x\n", encryptionInfo.encryptionInfo.keySize);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (SE_HEADER_EI_AES_PROVIDERTYPE != encryptionInfo.encryptionInfo.providerType) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: WARNING: Provider Type should be '0x%x', is '0x%x'\n",
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
SE_HEADER_EI_AES_PROVIDERTYPE, encryptionInfo.encryptionInfo.providerType);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
cli_dbgmsg("Reserved1 = 0x%x\n", encryptionInfo.encryptionInfo.reserved1);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (0 != encryptionInfo.encryptionInfo.reserved2) {
cli_dbgmsg("ole2: Reserved 2 must be zero, is 0x%x\n", encryptionInfo.encryptionInfo.reserved2);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
/* The encryption info is at the end of the CPSName string.
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
* Find the end, and we'll have the index of the EncryptionVerifier.
* The CPSName string *should* always be either
* 'Microsoft Enhanced RSA and AES Cryptographic Provider'
* or
* 'Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)'
*/
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
encryptionInfo_CSPName = (uint16_t *)(encryptionInfoStreamPtr + sizeof(encryption_info_stream_standard_t));
remainingBytes -= sizeof(encryption_info_stream_standard_t);
if (0 == remainingBytes) {
cli_dbgmsg("ole2: No CSPName or encryption_verifier_t\n");
goto done;
}
OLE2: Fix integer overflow that may result in over read An integer overflow when calculating remainingBytes may cause a large buffer over read. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62542
2023-10-03 00:42:00 -05:00
while (true) {
// Check if we've gone past the end of the buffer without finding the end of the CSPName string.
if ((idx + 1) * sizeof(uint16_t) > remainingBytes) {
cli_dbgmsg("ole2: CSPName is missing null terminator before end of buffer.\n");
goto done;
}
// Check if we've found the end of the CSPName string.
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (encryptionInfo_CSPName[idx] == 0) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
break;
}
OLE2: Fix integer overflow that may result in over read An integer overflow when calculating remainingBytes may cause a large buffer over read. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62542
2023-10-03 00:42:00 -05:00
// Found another character in the CSPName string, keep going.
idx++;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
}
OLE2: Fix integer overflow that may result in over read An integer overflow when calculating remainingBytes may cause a large buffer over read. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62542
2023-10-03 00:42:00 -05:00
CSPName_length = (idx + 1) * sizeof(uint16_t);
encryptionVerifierPtr = (uint8_t *)encryptionInfo_CSPName + CSPName_length;
remainingBytes -= CSPName_length;
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (remainingBytes < sizeof(encryption_verifier_t)) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: No encryption_verifier_t\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
copy_encryption_verifier(&encryptionVerifier, encryptionVerifierPtr);
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
key.key_length_bits = encryptionInfo.encryptionInfo.keySize;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
if (!bAES) {
cli_dbgmsg("ole2: Unsupported encryption algorithm\n");
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (CL_SUCCESS != generate_key_aes("VelvetSweatshop", &key, &encryptionVerifier)) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
/*Error message printed by generate_key_aes*/
goto done;
}
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
if (!verify_key_aes(&key, &encryptionVerifier)) {
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
cli_dbgmsg("ole2: Key verification for '%s' failed, unable to decrypt.\n", "VelvetSweatshop");
goto done;
}
memcpy(encryptionKey, &key, sizeof(encryption_key_t));
bRet = true;
done:
return bRet;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
/**
* @brief Extract macros and images from an ole2 file
*
* @param dirname A temp directory where we should store extracted content
* @param ctx The scan context
* @param files [out] A store of file names of extracted things to be processed later.
* @param has_vba [out] If the ole2 contained 1 or more VBA macros
* @param has_xlm [out] If the ole2 contained 1 or more XLM macros
* @param has_image [out] If the ole2 contained 1 or more images
* @return cl_error_t
*/
cl_error_t cli_ole2_extract(const char *dirname, cli_ctx *ctx, struct uniq **files, int *has_vba, int *has_xlm, int *has_image)
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
{
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
ole2_header_t hdr;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
cl_error_t ret = CL_CLEAN;
Silence some compiler warnings
2014-07-09 12:03:08 -04:00
size_t hdr_size;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
unsigned int file_count = 0;
unsigned long scansize, scansize2;
const void *phdr;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
encryption_key_t key;
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
bool bEncrypted = false;
size_t encryption_offset = 0;
check limits in ole2 git-svn: trunk@3635
2008-02-14 20:34:02 +00:00
Retab for sanity
2013-11-25 21:48:18 +00:00
cli_dbgmsg("in cli_ole2_extract()\n");
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (!ctx) {
BB#5456
2012-07-10 13:21:10 -04:00
return CL_ENULLARG;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
check limits in ole2 git-svn: trunk@3635
2008-02-14 20:34:02 +00:00
alternative fix to OLE2 is_hwp uninitialization
2016-01-05 11:12:08 -05:00
hdr.is_hwp = NULL;
Retab for sanity
2013-11-25 21:48:18 +00:00
hdr.bitset = NULL;
if (ctx->engine->maxscansize) {
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (ctx->engine->maxscansize > ctx->scansize) {
Retab for sanity
2013-11-25 21:48:18 +00:00
scansize = ctx->engine->maxscansize - ctx->scansize;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
} else {
Retab for sanity
2013-11-25 21:48:18 +00:00
return CL_EMAXSIZE;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
} else {
Retab for sanity
2013-11-25 21:48:18 +00:00
scansize = -1;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
scansize2 = scansize;
/* size of header - size of other values in struct */
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
hdr_size = sizeof(struct ole2_header_tag) -
sizeof(int32_t) - // sbat_root_start
sizeof(uint32_t) - // max_block_no
sizeof(off_t) - // m_length
sizeof(bitset_t *) - // bitset
sizeof(struct uniq *) - // U
sizeof(fmap_t *) - // map
sizeof(bool) - // has_vba
sizeof(bool) - // has_xlm
sizeof(bool) - // has_image
sizeof(hwp5_header_t *); // is_hwp
Retab for sanity
2013-11-25 21:48:18 +00:00
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
if ((size_t)(ctx->fmap->len) < (size_t)(hdr_size)) {
Retab for sanity
2013-11-25 21:48:18 +00:00
return CL_CLEAN;
}
libclamav: Fix scan recursion tracking Scan recursion is the process of identifying files embedded in other files and then scanning them, recursively. Internally this process is more complex than it may sound because a file may have multiple layers of types before finding a new "file". At present we treat the recursion count in the scanning context as an index into both our fmap list AND our container list. These two lists are conceptually a part of the same thing and should be unified. But what's concerning is that the "recursion level" isn't actually incremented or decremented at the same time that we add a layer to the fmap or container lists but instead is more touchy-feely, increasing when we find a new "file". To account for this shadiness, the size of the fmap and container lists has always been a little longer than our "max scan recursion" limit so we don't accidentally overflow the fmap or container arrays (!). I've implemented a single recursion-stack as an array, similar to before, which includes a pointer to each fmap at each layer, along with the size and type. Push and pop functions add and remove layers whenever a new fmap is added. A boolean argument when pushing indicates if the new layer represents a new buffer or new file (descriptor). A new buffer will reset the "nested fmap level" (described below). This commit also provides a solution for an issue where we detect embedded files more than once during scan recursion. For illustration, imagine a tarball named foo.tar.gz with this structure: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | baz.exe | PE | 0 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | │   └── hello.txt | ASCII | 2 | 0 | | └── sfx.7z | 7Z | 1 | 1 | |    └── world.txt | ASCII | 2 | 0 | (A) If we scan for embedded files at any layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | ├── foo.tar | TAR | 1 | 0 | | │ ├── bar.zip | ZIP | 2 | 1 | | │ │   └── hola.txt | ASCII | 3 | 0 | | │ ├── baz.exe | PE | 2 | 1 | | │ │ ├── sfx.zip | ZIP | 3 | 1 | | │ │ │   └── hello.txt | ASCII | 4 | 0 | | │ │ └── sfx.7z | 7Z | 3 | 1 | | │ │    └── world.txt | ASCII | 4 | 0 | | │ ├── sfx.zip | ZIP | 2 | 1 | | │ │   └── hello.txt | ASCII | 3 | 0 | | │ └── sfx.7z | 7Z | 2 | 1 | | │   └── world.txt | ASCII | 3 | 0 | | ├── sfx.zip | ZIP | 1 | 1 | | └── sfx.7z | 7Z | 1 | 1 | (A) is bad because it scans content more than once. Note that for the GZ layer, it may detect the ZIP and 7Z if the signature hits on the compressed data, which it might, though extracting the ZIP and 7Z will likely fail. The reason the above doesn't happen now is that we restrict embedded type scans for a bunch of archive formats to include GZ and TAR. (B) If we scan for embedded files at the foo.tar layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | ├── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 2 | 1 | | │   └── hello.txt | ASCII | 3 | 0 | | └── sfx.7z | 7Z | 2 | 1 | |    └── world.txt | ASCII | 3 | 0 | (B) is almost right. But we can achieve it easily enough only scanning for embedded content in the current fmap when the "nested fmap level" is 0. The upside is that it should safely detect all embedded content, even if it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe. The biggest risk I can think of affects ZIPs. SFXZIP detection is identical to ZIP detection, which is why we don't allow SFXZIP to be detected if insize of a ZIP. If we only allow embedded type scanning at fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP if the bar.exe was not compressed in foo.zip and if non-compressed files extracted from ZIPs aren't extracted as new buffers: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.zip | ZIP | 0 | 0 | | └── bar.exe | PE | 1 | 1 | | └── sfx.zip | ZIP | 2 | 2 | Provided that we ensure all files extracted from zips are scanned in new buffers, option (B) should be safe. (C) If we scan for embedded files at the baz.exe layer, we may detect: | description | type | rec level | nested fmap level | | ------------------------- | ----- | --------- | ----------------- | | foo.tar.gz | GZ | 0 | 0 | | └── foo.tar | TAR | 1 | 0 | | ├── bar.zip | ZIP | 2 | 1 | | │   └── hola.txt | ASCII | 3 | 0 | | └── baz.exe | PE | 2 | 1 | | ├── sfx.zip | ZIP | 3 | 1 | | │   └── hello.txt | ASCII | 4 | 0 | | └── sfx.7z | 7Z | 3 | 1 | |    └── world.txt | ASCII | 4 | 0 | (C) is right. But it's harder to achieve. For this example we can get it by restricting 7ZSFX and ZIPSFX detection only when scanning an executable. But that may mean losing detection of archives embedded elsewhere. And we'd have to identify allowable container types for each possible embedded type, which would be very difficult. So this commit aims to solve the issue the (B)-way. Note that in all situations, we still have to scan with file typing enabled to determine if we need to reassign the current file type, such as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2- compressed. Detection of DMG and a handful of other types rely on finding data partway through or near the ned of a file before reassigning the entire file as the new type. Other fixes and considerations in this commit: - The utf16 HTML parser has weak error handling, particularly with respect to creating a nested fmap for scanning the ascii decoded file. This commit cleans up the error handling and wraps the nested scan with the recursion-stack push()/pop() for correct recursion tracking. Before this commit, each container layer had a flag to indicate if the container layer is valid. We need something similar so that the cli_recursion_stack_get_*() functions ignore normalized layers. Details... Imagine an LDB signature for HTML content that specifies a ZIP container. If the signature actually alerts on the normalized HTML and you don't ignore normalized layers for the container check, it will appear as though the alert is in an HTML container rather than a ZIP container. This commit accomplishes this with a boolean you set in the scan context before scanning a new layer. Then when the new fmap is created, it will use that flag to set similar flag for the layer. The context flag is reset those that anything after this doesn't have that flag. The flag allows the new recursion_stack_get() function to ignore normalized layers when iterating the stack to return a layer at a requested index, negative or positive. Scanning normalized extracted/normalized javascript and VBA should also use the 'layer is normalized' flag. - This commit also fixes Heuristic.Broken.Executable alert for ELF files to make sure that: A) these only alert if cli_append_virus() returns CL_VIRUS (aka it respects the FP check). B) all broken-executable alerts for ELF only happen if the SCAN_HEURISTIC_BROKEN option is enabled. - This commit also cleans up the error handling in cli_magic_scan_dir(). This was needed so we could correctly apply the layer-is-normalized-flag to all VBA macros extracted to a directory when scanning the directory. - Also fix an issue where exceeding scan maximums wouldn't cause embedded file detection scans to abort. Granted we don't actually want to abort if max filesize or max recursion depth are exceeded... only if max scansize, max files, and max scantime are exceeded. Add 'abort_scan' flag to scan context, to protect against depending on correct error propagation for fatal conditions. Instead, setting this flag in the scan context should guarantee that a fatal condition deep in scan recursion isn't lost which result in more stuff being scanned instead of aborting. This shouldn't be necessary, but some status codes like CL_ETIMEOUT never used to be fatal and it's easier to do this than to verify every parser only returns CL_ETIMEOUT and other "fatal status codes" in fatal conditions. - Remove duplicate is_tar() prototype from filestypes.c and include is_tar.h instead. - Presently we create the fmap hash when creating the fmap. This wastes a bit of CPU if the hash is never needed. Now that we're creating fmap's for all embedded files discovered with file type recognition scans, this is a much more frequent occurence and really slows things down. This commit fixes the issue by only creating fmap hashes as needed. This should not only resolve the perfomance impact of creating fmap's for all embedded files, but also should improve performance in general. - Add allmatch check to the zip parser after the central-header meta match. That way we don't multiple alerts with the same match except in allmatch mode. Clean up error handling in the zip parser a tiny bit. - Fixes to ensure that the scan limits such as scansize, filesize, recursion depth, # of embedded files, and scantime are always reported if AlertExceedsMax (--alert-exceeds-max) is enabled. - Fixed an issue where non-fatal alerts for exceeding scan maximums may mask signature matches later on. I changed it so these alerts use the "possibly unwanted" alert-type and thus only alert if no other alerts were found or if all-match or heuristic-precedence are enabled. - Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata when the --gen-json feature is enabled. These will show up once under "ParseErrors" the first time a limit is exceeded. In the present implementation, only one limits-exceeded events will be added, so as to prevent a malicious or malformed sample from filling the JSON buffer with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
hdr.map = ctx->fmap;
Retab for sanity
2013-11-25 21:48:18 +00:00
hdr.m_length = hdr.map->len;
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
phdr = fmap_need_off_once(hdr.map, 0, hdr_size);
Retab for sanity
2013-11-25 21:48:18 +00:00
if (phdr) {
memcpy(&hdr, phdr, hdr_size);
} else {
cli_dbgmsg("cli_ole2_extract: failed to read header\n");
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
hdr.minor_version = ole2_endian_convert_16(hdr.minor_version);
hdr.dll_version = ole2_endian_convert_16(hdr.dll_version);
hdr.byte_order = ole2_endian_convert_16(hdr.byte_order);
hdr.log2_big_block_size = ole2_endian_convert_16(hdr.log2_big_block_size);
Retab for sanity
2013-11-25 21:48:18 +00:00
hdr.log2_small_block_size = ole2_endian_convert_32(hdr.log2_small_block_size);
clang-format'd using new .clang-format rules.
2018-12-03 12:40:13 -05:00
hdr.bat_count = ole2_endian_convert_32(hdr.bat_count);
hdr.prop_start = ole2_endian_convert_32(hdr.prop_start);
hdr.sbat_cutoff = ole2_endian_convert_32(hdr.sbat_cutoff);
hdr.sbat_start = ole2_endian_convert_32(hdr.sbat_start);
hdr.sbat_block_count = ole2_endian_convert_32(hdr.sbat_block_count);
hdr.xbat_start = ole2_endian_convert_32(hdr.xbat_start);
hdr.xbat_count = ole2_endian_convert_32(hdr.xbat_count);
Retab for sanity
2013-11-25 21:48:18 +00:00
hdr.sbat_root_start = -1;
hdr.bitset = cli_bitset_init();
if (!hdr.bitset) {
ret = CL_EMEM;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (memcmp(hdr.magic, magic_id, 8) != 0) {
cli_dbgmsg("OLE2 magic failed!\n");
ret = CL_EFORMAT;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
if (hdr.log2_big_block_size < 6 || hdr.log2_big_block_size > 28) {
// The big block size (aka Sector Shift) is expected to be:
// - 9 for Major Version 3
// - 12 for Major Version 4
// - TBD for Major Version 5?
// To allow for future changes, and prevent overflowing an int32_t, we're limiting to 28.
Retab for sanity
2013-11-25 21:48:18 +00:00
cli_dbgmsg("CAN'T PARSE: Invalid big block size (2^%u)\n", hdr.log2_big_block_size);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (!hdr.log2_small_block_size || hdr.log2_small_block_size > hdr.log2_big_block_size) {
cli_dbgmsg("CAN'T PARSE: Invalid small block size (2^%u)\n", hdr.log2_small_block_size);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
if (hdr.sbat_cutoff != 4096) {
cli_dbgmsg("WARNING: Untested sbat cutoff (%u); data may not extract correctly\n", hdr.sbat_cutoff);
}
added check for potential overflow with extremely large ole2 files
2013-11-26 13:29:44 -05:00
if (hdr.map->len > INT32_MAX) {
cli_dbgmsg("OLE2 extract: Overflow detected\n");
add hwp5 contents to preclass set
2015-12-08 14:47:12 -05:00
ret = CL_EFORMAT;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
added check for potential overflow with extremely large ole2 files
2013-11-26 13:29:44 -05:00
}
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
/* determine if encrypted with VelvetSweatshop password */
encryption_offset = 4 * (1 << hdr.log2_big_block_size);
if ((encryption_offset + sizeof(encryption_info_stream_standard_t)) <= hdr.m_length) {
OLE2: Fix bounds check on OLE2 encryption info check The checks for the encryption info cspName and encryption verifier don't have the size of the overall file available for the check and may overflow. This commit passes in the size of the file to the initialize_encryption_key() function and does all size checks within that function instead of doing the overall size check before that function. Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60563
2023-07-25 16:40:42 -07:00
bEncrypted = initialize_encryption_key(
&(((const uint8_t *)phdr)[encryption_offset]),
hdr.m_length - encryption_offset,
&key);
cli_dbgmsg("Encrypted with VelvetSweatshop: %d\n", bEncrypted);
OLE2: Sector size check before checking for encryption This bug was introduced during 1.0 development and does not affect any stable release. An OLE2 document that claims to have a sector size (big block size) over 28 will cause a signed integer overflow for our local off_t variable, when multiplied by 4. This will then result in an invalid read and segfault. The fix is two-fold: 1. Make sure the sector size (big block size) is not greater than 28, so we don't accidentaly overflow an int32_t. 2. Perform the size check _before_ using the variable. This commit also fixes some variable types from `unsigned int` or `off_t` over to the more appropriate `size_t`, and from `int` or `uint32_t`, over to `bool`. Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=52639
2022-11-02 18:47:37 -07:00
#if HAVE_JSON
if (ctx->wrkproperty == ctx->properties) {
cli_jsonint(ctx->wrkproperty, "EncryptedWithVelvetSweatshop", bEncrypted);
}
#endif /* HAVE_JSON */
}
Retab for sanity
2013-11-25 21:48:18 +00:00
/* 8 SBAT blocks per file block */
hdr.max_block_no = (hdr.map->len - MAX(512, 1 << hdr.log2_big_block_size)) / (1 << hdr.log2_small_block_size);
print_ole2_header(&hdr);
cli_dbgmsg("Max block number: %lu\n", (unsigned long int)hdr.max_block_no);
/* PASS 1 : Count files and check for VBA */
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
hdr.has_vba = false;
hdr.has_xlm = false;
hdr.has_image = false;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
ret = ole2_walk_property_tree(&hdr, NULL, 0, handler_enum, 0, &file_count, ctx, &scansize, NULL);
Retab for sanity
2013-11-25 21:48:18 +00:00
cli_bitset_free(hdr.bitset);
hdr.bitset = NULL;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (!file_count || !(hdr.bitset = cli_bitset_init())) {
goto done;
}
Retab for sanity
2013-11-25 21:48:18 +00:00
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
if (hdr.is_hwp) {
cli_dbgmsg("OLE2: identified HWP document\n");
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
cli_dbgmsg("OLE2: HWP version: 0x%08x\n", hdr.is_hwp->version);
cli_dbgmsg("OLE2: HWP flags: 0x%08x\n", hdr.is_hwp->flags);
add hwp5 contents to preclass set
2015-12-08 14:47:12 -05:00
various name changes and dereference fix
2015-12-08 17:28:49 -05:00
ret = cli_hwp5header(ctx, hdr.is_hwp);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (ret != CL_SUCCESS) {
goto done;
}
proper identification of HWP file format
2015-12-04 11:55:52 -05:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
/* If there's no VBA we scan OTF */
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (hdr.has_vba || hdr.has_xlm || hdr.has_image) {
Retab for sanity
2013-11-25 21:48:18 +00:00
/* PASS 2/A : VBA scan */
cli_dbgmsg("OLE2: VBA project found\n");
if (!(hdr.U = uniq_init(file_count))) {
cli_dbgmsg("OLE2: uniq_init() failed\n");
ret = CL_EMEM;
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
goto done;
Retab for sanity
2013-11-25 21:48:18 +00:00
}
file_count = 0;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
ole2_walk_property_tree(&hdr, dirname, 0, handler_writefile, 0, &file_count, ctx, &scansize2, NULL);
XLM (Excel 4.0) macro detection and extraction XLM is a macro language in Excel that was used before VBA (before 1996). It is still parsed and executed by modern Excel and is gaining popularity with malware authors. This patch adds rudimentary support for detecting and extracting Excel 4.0 (XLM) macros. The code is based on Didier Steven's plugin_biff for oletools.py.
2020-04-29 14:19:41 -07:00
ret = CL_CLEAN;
*files = hdr.U;
if (has_vba) {
*has_vba = hdr.has_vba;
}
if (has_xlm) {
*has_xlm = hdr.has_xlm;
}
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
if (has_image) {
*has_image = hdr.has_image;
}
Retab for sanity
2013-11-25 21:48:18 +00:00
} else {
cli_dbgmsg("OLE2: no VBA projects found\n");
/* PASS 2/B : OTF scan */
file_count = 0;
Decrypt old Excel default-password files Add support for detecting and decrypting OLE2-based Excel XLS files that are encrypted with the default password 'VelvetSweatshop'.
2022-10-21 19:27:36 -04:00
if (bEncrypted) {
ret = ole2_walk_property_tree(&hdr, NULL, 0, handler_otf_encrypted, 0, &file_count, ctx, &scansize2, &key);
} else {
ret = ole2_walk_property_tree(&hdr, NULL, 0, handler_otf, 0, &file_count, ctx, &scansize2, NULL);
}
Retab for sanity
2013-11-25 21:48:18 +00:00
}
use mmap() when available. git-svn: trunk@567
2004-05-19 08:09:50 +00:00
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
done:
if (hdr.bitset) {
Retab for sanity
2013-11-25 21:48:18 +00:00
cli_bitset_free(hdr.bitset);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
if (hdr.is_hwp) {
HWP: parsing and scanning, add new source files
2015-12-07 18:18:39 -05:00
free(hdr.is_hwp);
OLE2 / XLS document image extraction Added a feature to extract images from OLE2 BIFF streams. This work was derived from InQuests blog post about extracting XLM and images from XLS files: https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files Assorted ole2 parser code cleanup and massive error handling cleanup. Also fixed the following: - The XLS parser may fail to process all BIFF records if some of the records contain unexpected data or is otherwise malformed. Because the record size is already known, we can skip over the "malformed" record and continue with the rest. - Fixed an issue where the ole2 header size was improperly calculated, failing to account for the new "has_xlm" boolean added for context.
2021-06-30 17:30:51 -07:00
}
Retab for sanity
2013-11-25 21:48:18 +00:00
return ret == CL_BREAK ? CL_CLEAN : ret;
OLE2 git-svn: trunk@200
2004-01-23 11:17:16 +00:00
}
Reference in a new issue Copy permalink