2009-07-13 12:59:49 +02:00
|
|
|
/*
|
2025-02-14 10:24:30 -05:00
|
|
|
* Copyright (C) 2013-2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2019-01-25 10:15:50 -05:00
|
|
|
* Copyright (C) 2009-2013 Sourcefire, Inc.
|
2009-07-13 12:59:49 +02:00
|
|
|
*
|
|
|
|
|
* Authors: aCaB <acab@clamav.net>
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* common routines to deal with installshield archives and installers */
|
|
|
|
|
|
2009-07-13 02:37:16 +02:00
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <fcntl.h>
|
2018-12-03 12:40:13 -05:00
|
|
|
#ifdef HAVE_UNISTD_H
|
2009-07-13 02:37:16 +02:00
|
|
|
#include <unistd.h>
|
|
|
|
|
#endif
|
2009-07-15 12:34:50 +02:00
|
|
|
#if HAVE_STRING_H
|
2009-07-13 02:37:16 +02:00
|
|
|
#include <string.h>
|
2009-07-15 12:34:50 +02:00
|
|
|
#endif
|
|
|
|
|
#include <limits.h>
|
2009-07-16 13:22:28 +02:00
|
|
|
#if HAVE_STRINGS_H
|
2009-07-14 12:39:21 +02:00
|
|
|
#include <strings.h>
|
2009-07-16 13:22:28 +02:00
|
|
|
#endif
|
2009-09-25 00:09:13 +02:00
|
|
|
#if defined(HAVE_MMAP) && defined(HAVE_SYS_MMAN_H)
|
|
|
|
|
#include <sys/mman.h>
|
|
|
|
|
#endif
|
2009-07-13 02:37:16 +02:00
|
|
|
#include <zlib.h>
|
|
|
|
|
|
2014-07-01 19:38:01 -04:00
|
|
|
#include "clamav.h"
|
2009-07-13 02:37:16 +02:00
|
|
|
#include "scanners.h"
|
|
|
|
|
#include "others.h"
|
2009-08-20 04:51:13 +02:00
|
|
|
#include "fmap.h"
|
2009-07-13 02:37:16 +02:00
|
|
|
#include "ishield.h"
|
|
|
|
|
|
2009-07-15 12:34:50 +02:00
|
|
|
#ifndef LONG_MAX
|
2018-12-03 12:40:13 -05:00
|
|
|
#define LONG_MAX ((-1UL) >> 1)
|
2009-07-15 12:34:50 +02:00
|
|
|
#endif
|
|
|
|
|
|
2009-07-13 12:59:49 +02:00
|
|
|
#ifndef HAVE_ATTRIB_PACKED
|
|
|
|
|
#define __attribute__(x)
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_PRAGMA_PACK
|
|
|
|
|
#pragma pack(1)
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_PRAGMA_PACK_HPPA
|
|
|
|
|
#pragma pack 1
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* PACKED things go here */
|
|
|
|
|
|
2009-09-05 20:16:10 +02:00
|
|
|
struct IS_HDR {
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t magic;
|
2009-09-05 20:16:10 +02:00
|
|
|
uint32_t unk1; /* version ??? */
|
|
|
|
|
uint32_t unk2; /* ??? */
|
|
|
|
|
uint32_t data_off;
|
|
|
|
|
uint32_t data_sz; /* ??? */
|
|
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
2009-07-13 12:59:49 +02:00
|
|
|
struct IS_FB {
|
|
|
|
|
char fname[0x104]; /* MAX_PATH */
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t unk1; /* 6 */
|
2009-07-13 12:59:49 +02:00
|
|
|
uint32_t unk2;
|
|
|
|
|
uint64_t csize;
|
|
|
|
|
uint32_t unk3;
|
|
|
|
|
uint32_t unk4; /* 1 */
|
|
|
|
|
uint32_t unk5;
|
|
|
|
|
uint32_t unk6;
|
|
|
|
|
uint32_t unk7;
|
|
|
|
|
uint32_t unk8;
|
|
|
|
|
uint32_t unk9;
|
|
|
|
|
uint32_t unk10;
|
|
|
|
|
uint32_t unk11;
|
|
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
2009-07-14 16:57:05 +02:00
|
|
|
struct IS_COMPONENT {
|
|
|
|
|
uint32_t str_name_off;
|
|
|
|
|
uint32_t unk_str1_off;
|
|
|
|
|
uint32_t unk_str2_off;
|
|
|
|
|
uint16_t unk_flags;
|
|
|
|
|
uint32_t unk_str3_off;
|
|
|
|
|
uint32_t unk_str4_off;
|
|
|
|
|
uint16_t ordinal_id;
|
|
|
|
|
uint32_t str_shortname_off;
|
|
|
|
|
uint32_t unk_str6_off;
|
|
|
|
|
uint32_t unk_str7_off;
|
|
|
|
|
uint32_t unk_str8_off;
|
|
|
|
|
char guid1[16];
|
|
|
|
|
char guid2[16];
|
|
|
|
|
uint32_t unk_str9_off;
|
|
|
|
|
char unk1[3];
|
|
|
|
|
uint16_t unk_flags2;
|
|
|
|
|
uint32_t unk3[5];
|
|
|
|
|
uint32_t unk_str10_off;
|
|
|
|
|
uint32_t unk4[4];
|
|
|
|
|
uint16_t unk5;
|
|
|
|
|
uint16_t sub_comp_cnt;
|
|
|
|
|
uint32_t sub_comp_offs_array;
|
|
|
|
|
uint32_t next_comp_off;
|
|
|
|
|
uint32_t unk_str11_off;
|
|
|
|
|
uint32_t unk_str12_off;
|
|
|
|
|
uint32_t unk_str13_off;
|
|
|
|
|
uint32_t unk_str14_off;
|
2009-07-14 23:00:29 +02:00
|
|
|
uint32_t str_next1_off;
|
|
|
|
|
uint32_t str_next2_off;
|
2009-07-14 16:57:05 +02:00
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
|
|
|
|
struct IS_INSTTYPEHDR {
|
|
|
|
|
uint32_t unk1;
|
|
|
|
|
uint32_t cnt;
|
|
|
|
|
uint32_t off;
|
|
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
|
|
|
|
struct IS_INSTTYPEITEM {
|
|
|
|
|
uint32_t str_name1_off;
|
|
|
|
|
uint32_t str_name2_off;
|
|
|
|
|
uint32_t str_name3_off;
|
|
|
|
|
uint32_t cnt;
|
|
|
|
|
uint32_t off;
|
|
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
|
|
|
|
struct IS_OBJECTS {
|
|
|
|
|
/* 200 */ uint32_t strings_off;
|
|
|
|
|
/* 204 */ uint32_t zero1;
|
|
|
|
|
/* 208 */ uint32_t comps_off;
|
|
|
|
|
/* 20c */ uint32_t dirs_off;
|
|
|
|
|
/* 210 */ uint32_t zero2;
|
|
|
|
|
/* 214 */ uint32_t unk1, unk2; /* 0x4a636 304694 uguali - NOT AN OFFSET! */
|
|
|
|
|
/* 21c */ uint32_t dirs_cnt;
|
|
|
|
|
/* 220 */ uint32_t zero3;
|
|
|
|
|
/* 224 */ uint32_t dirs_sz; /* dirs_cnt * 4 */
|
|
|
|
|
/* 228 */ uint32_t files_cnt;
|
|
|
|
|
/* 22c */ uint32_t dir_sz2; /* same as dirs_sz ?? */
|
2018-12-03 12:40:13 -05:00
|
|
|
/* 230 */ uint16_t unk5; /* 1 - comp count ?? */
|
2009-07-14 16:57:05 +02:00
|
|
|
/* 232 */ uint32_t insttype_off;
|
|
|
|
|
/* 234 */ uint16_t zero4;
|
|
|
|
|
/* 238 */ uint32_t zero5;
|
|
|
|
|
/* 23c */ uint32_t unk7; /* 0xd0 - 208 */
|
|
|
|
|
/* 240 */ uint16_t unk8;
|
|
|
|
|
/* 242 */ uint32_t unk9;
|
2018-12-03 12:40:13 -05:00
|
|
|
/* 246 */ uint32_t unk10;
|
2009-07-14 16:57:05 +02:00
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
|
|
|
|
struct IS_FILEITEM {
|
|
|
|
|
uint16_t flags; /* 0 = EXTERNAL | 4 = INTERNAL | 8 = NAME_fuckup_rare | c = name_fuckup_common */
|
|
|
|
|
uint64_t size;
|
|
|
|
|
uint64_t csize;
|
|
|
|
|
uint64_t stream_off;
|
|
|
|
|
uint8_t md5[16];
|
|
|
|
|
uint64_t versioninfo_id;
|
|
|
|
|
uint32_t zero1;
|
|
|
|
|
uint32_t zero2;
|
|
|
|
|
uint32_t str_name_off;
|
|
|
|
|
uint16_t dir_id;
|
2018-12-03 12:40:13 -05:00
|
|
|
uint32_t unk13; /* 0, 20, 21 ??? */
|
|
|
|
|
uint32_t unk14; /* timestamp ??? */
|
|
|
|
|
uint32_t unk15; /* begins with 1 then 2 but not the cab# ??? */
|
2009-07-14 16:57:05 +02:00
|
|
|
uint32_t prev_dup_id; /* msvcrt #38(0, 97, 2) #97(38, 1181, 3) ... , 0, 1) */
|
|
|
|
|
uint32_t next_dup_id;
|
|
|
|
|
uint8_t flag_has_dup; /* HAS_NEXT = 2 | HAS_BOTH = 3 | HAS_PREV = 1 */
|
|
|
|
|
uint16_t datafile_id;
|
|
|
|
|
} __attribute__((packed));
|
|
|
|
|
|
2009-07-13 12:59:49 +02:00
|
|
|
#ifdef HAVE_PRAGMA_PACK
|
|
|
|
|
#pragma pack()
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_PRAGMA_PACK_HPPA
|
|
|
|
|
#pragma pack
|
|
|
|
|
#endif
|
|
|
|
|
|
2022-08-09 16:38:09 -07:00
|
|
|
static cl_error_t is_dump_and_scan(cli_ctx *ctx, off_t off, size_t fsize);
|
2018-12-03 12:40:13 -05:00
|
|
|
static const uint8_t skey[] = {0xec, 0xca, 0x79, 0xf8}; /* ~0x13, ~0x35, ~0x86, ~0x07 */
|
2009-07-13 12:59:49 +02:00
|
|
|
|
2009-07-14 16:57:05 +02:00
|
|
|
/* Extracts the content of MSI based IS */
|
2022-08-09 16:38:09 -07:00
|
|
|
cl_error_t cli_scanishield_msi(cli_ctx *ctx, off_t off)
|
2018-12-03 12:40:13 -05:00
|
|
|
{
|
2022-08-09 16:38:09 -07:00
|
|
|
cl_error_t ret;
|
2012-01-05 14:16:09 +02:00
|
|
|
const uint8_t *buf;
|
2009-07-13 12:35:19 +02:00
|
|
|
unsigned int fcount, scanned = 0;
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │  └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
|   └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │  └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │  └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │   └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │  └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │  └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │  └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
|   └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │  └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
|   └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
fmap_t *map = ctx->fmap;
|
2009-07-13 02:37:16 +02:00
|
|
|
|
|
|
|
|
cli_dbgmsg("in ishield-msi\n");
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!(buf = fmap_need_off_once(map, off, 0x20))) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: short read for header\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-13 02:37:16 +02:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2009-09-05 20:16:10 +02:00
|
|
|
off += 0x20;
|
2022-08-09 16:38:09 -07:00
|
|
|
if (cli_readint32(buf + 8) | cli_readint32(buf + 0xc) | cli_readint32(buf + 0x10) | cli_readint32(buf + 0x14) | cli_readint32(buf + 0x18) | cli_readint32(buf + 0x1c)) {
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!(fcount = cli_readint32(buf))) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: no files?\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-13 02:37:16 +02:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while (fcount--) {
|
|
|
|
|
struct IS_FB fb;
|
|
|
|
|
uint8_t obuf[BUFSIZ], *key = (uint8_t *)&fb.fname;
|
2020-03-19 21:23:54 -04:00
|
|
|
char *filename = NULL;
|
2018-12-03 12:40:13 -05:00
|
|
|
char *tempfile;
|
|
|
|
|
unsigned int i, lameidx = 0, keylen;
|
|
|
|
|
int ofd;
|
|
|
|
|
uint64_t csize;
|
|
|
|
|
z_stream z;
|
|
|
|
|
|
|
|
|
|
if (fmap_readn(map, &fb, off, sizeof(fb)) != sizeof(fb)) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: short read for fileblock\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
off += sizeof(fb);
|
|
|
|
|
fb.fname[sizeof(fb.fname) - 1] = '\0';
|
2022-08-09 16:38:09 -07:00
|
|
|
|
|
|
|
|
csize = le64_to_host(fb.csize);
|
2021-10-28 16:58:21 -07:00
|
|
|
if (!CLI_ISCONTAINED_0_TO(map->len, off, csize)) {
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_dbgmsg("ishield-msi: next stream is out of file, giving up\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (ctx->engine->maxfilesize && csize > ctx->engine->maxfilesize) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: skipping stream due to size limits (%lu vs %lu)\n", (unsigned long int)csize, (unsigned long int)ctx->engine->maxfilesize);
|
|
|
|
|
off += csize;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
keylen = strlen((const char *)key);
|
2022-08-09 16:38:09 -07:00
|
|
|
if (!keylen) {
|
|
|
|
|
return CL_SUCCESS;
|
|
|
|
|
}
|
2020-03-19 21:23:54 -04:00
|
|
|
|
2024-01-09 17:44:33 -05:00
|
|
|
filename = cli_safer_strdup((const char *)key);
|
2020-03-19 21:23:54 -04:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
/* FIXMEISHIELD: cleanup the spam below */
|
|
|
|
|
cli_dbgmsg("ishield-msi: File %s (csize: %llx, unk1:%x unk2:%x unk3:%x unk4:%x unk5:%x unk6:%x unk7:%x unk8:%x unk9:%x unk10:%x unk11:%x)\n", key, (long long)csize, fb.unk1, fb.unk2, fb.unk3, fb.unk4, fb.unk5, fb.unk6, fb.unk7, fb.unk8, fb.unk9, fb.unk10, fb.unk11);
|
libclamav: Add engine option to toggle temp directory recursion
Temp directory recursion in ClamAV is when each layer of a scan gets its
own temp directory in the parent layer's temp directory.
In addition to temp directory recursion, ClamAV has been creating a new
subdirectory for each file scan as a risk-adverse method to ensure
no temporary file leaks fill up the disk.
Creating a directory is relatively slow on Windows in particular if
scanning a lot of very small files.
This commit:
1. Separates the temp directory recursion feature from the leave-temps
feature so that libclamav can leave temp files without making
subdirectories for each file scanned.
2. Makes it so that when temp directory recursion is off, libclamav
will just use the configure temp directory for all files.
The new option to enable temp directory recursion is for libclamav-only
at this time. It is off by default, and you can enable it like this:
```c
cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
```
For the `clamscan` and `clamd` programs, temp directory recursion will
be enabled when `--leave-temps` / `LeaveTemporaryFiles` is enabled.
The difference is that when disabled, it will return to using the
configured temp directory without making a subdirectory for each file
scanned, so as to improve scan performance for small files, mostly on
Windows.
Under the hood, this commit also:
1. Cleans up how we keep track of tmpdirs for each layer.
The goal here is to align how we keep track of layer-specific stuff
using the scan_layer structure.
2. Cleans up how we record metadata JSON for embedded files.
Note: Embedded files being different from Contained files, as they
are extracted not with a parser, but by finding them with
file type magic signatures.
CLAM-1583
2025-06-09 20:42:31 -04:00
|
|
|
if (!(tempfile = cli_gentemp(ctx->this_layer_tmpdir))) {
|
2020-07-15 08:39:32 -07:00
|
|
|
if (NULL != filename) {
|
|
|
|
|
free(filename);
|
|
|
|
|
}
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((ofd = open(tempfile, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR)) < 0) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: failed to create file %s\n", tempfile);
|
|
|
|
|
free(tempfile);
|
2020-04-08 16:04:20 -04:00
|
|
|
if (NULL != filename) {
|
|
|
|
|
free(filename);
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
return CL_ECREAT;
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-09 16:38:09 -07:00
|
|
|
for (i = 0; i < keylen; i++) {
|
2018-12-03 12:40:13 -05:00
|
|
|
key[i] ^= skey[i & 3];
|
2022-08-09 16:38:09 -07:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
memset(&z, 0, sizeof(z));
|
|
|
|
|
inflateInit(&z);
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
ret = CL_SUCCESS;
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while (csize) {
|
|
|
|
|
uint8_t buf2[BUFSIZ];
|
|
|
|
|
z.avail_in = MIN(csize, sizeof(buf2));
|
2019-05-04 15:54:54 -04:00
|
|
|
if (fmap_readn(map, buf2, off, z.avail_in) != z.avail_in) {
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_dbgmsg("ishield-msi: premature EOS or read fail\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
off += z.avail_in;
|
|
|
|
|
for (i = 0; i < z.avail_in; i++, lameidx++) {
|
|
|
|
|
uint8_t c = buf2[i];
|
|
|
|
|
c = (c >> 4) | (c << 4);
|
|
|
|
|
c ^= key[(lameidx & 0x3ff) % keylen];
|
|
|
|
|
buf2[i] = c;
|
|
|
|
|
}
|
|
|
|
|
csize -= z.avail_in;
|
|
|
|
|
z.next_in = buf2;
|
|
|
|
|
do {
|
|
|
|
|
int inf;
|
|
|
|
|
z.avail_out = sizeof(obuf);
|
|
|
|
|
z.next_out = obuf;
|
|
|
|
|
inf = inflate(&z, 0);
|
|
|
|
|
if (inf != Z_OK && inf != Z_STREAM_END && inf != Z_BUF_ERROR) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: bad stream\n");
|
|
|
|
|
csize = 0;
|
|
|
|
|
off += csize;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2019-05-04 15:54:54 -04:00
|
|
|
if (cli_writen(ofd, obuf, sizeof(obuf) - z.avail_out) == (size_t)-1) {
|
2018-12-03 12:40:13 -05:00
|
|
|
ret = CL_EWRITE;
|
|
|
|
|
csize = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (ctx->engine->maxfilesize && z.total_out > ctx->engine->maxfilesize) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: trimming output file due to size limits (%lu vs %lu)\n", z.total_out, (unsigned long int)ctx->engine->maxfilesize);
|
|
|
|
|
off += csize;
|
|
|
|
|
csize = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} while (!z.avail_out);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
inflateEnd(&z);
|
|
|
|
|
|
|
|
|
|
if (ret == CL_SUCCESS) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: extracted to %s\n", tempfile);
|
|
|
|
|
|
|
|
|
|
if (lseek(ofd, 0, SEEK_SET) == -1) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: call to lseek() failed\n");
|
|
|
|
|
ret = CL_ESEEK;
|
|
|
|
|
}
|
2022-03-09 22:26:40 -08:00
|
|
|
ret = cli_magic_scan_desc(ofd, tempfile, ctx, filename, LAYER_ATTRIBUTES_NONE);
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
|
|
|
|
close(ofd);
|
|
|
|
|
|
2020-03-19 21:23:54 -04:00
|
|
|
if (!ctx->engine->keeptmp) {
|
|
|
|
|
if (cli_unlink(tempfile)) {
|
|
|
|
|
ret = CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
free(tempfile);
|
|
|
|
|
|
2020-03-19 21:23:54 -04:00
|
|
|
if (NULL != filename) {
|
|
|
|
|
free(filename);
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-09 16:38:09 -07:00
|
|
|
if (ret != CL_SUCCESS) {
|
2018-12-03 12:40:13 -05:00
|
|
|
return ret;
|
2022-08-09 16:38:09 -07:00
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
scanned++;
|
|
|
|
|
if (ctx->engine->maxfiles && scanned >= ctx->engine->maxfiles) {
|
|
|
|
|
cli_dbgmsg("ishield-msi: File limit reached (max: %u)\n", ctx->engine->maxfiles);
|
|
|
|
|
return CL_EMAXFILES;
|
2013-02-28 19:32:29 -05:00
|
|
|
}
|
2009-07-13 02:37:16 +02:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-13 02:37:16 +02:00
|
|
|
}
|
2009-07-14 09:36:36 +02:00
|
|
|
|
2009-07-14 16:57:05 +02:00
|
|
|
struct IS_CABSTUFF {
|
2009-07-14 12:39:21 +02:00
|
|
|
struct CABARRAY {
|
2018-12-03 12:40:13 -05:00
|
|
|
unsigned int cabno;
|
|
|
|
|
off_t off;
|
|
|
|
|
size_t sz;
|
2024-01-09 19:41:17 -05:00
|
|
|
} *cabs;
|
2009-07-14 12:39:21 +02:00
|
|
|
off_t hdr;
|
|
|
|
|
size_t hdrsz;
|
|
|
|
|
unsigned int cabcnt;
|
|
|
|
|
};
|
|
|
|
|
|
2009-07-14 16:57:05 +02:00
|
|
|
static void md5str(uint8_t *sum);
|
2022-08-09 16:38:09 -07:00
|
|
|
static cl_error_t is_parse_hdr(cli_ctx *ctx, struct IS_CABSTUFF *c);
|
|
|
|
|
static cl_error_t is_extract_cab(cli_ctx *ctx, uint64_t off, uint64_t size, uint64_t csize);
|
2009-07-14 09:36:36 +02:00
|
|
|
|
2009-07-14 16:57:05 +02:00
|
|
|
/* Extract the content of older (non-MSI) IS */
|
2022-08-09 16:38:09 -07:00
|
|
|
cl_error_t cli_scanishield(cli_ctx *ctx, off_t off, size_t sz)
|
2018-12-03 12:40:13 -05:00
|
|
|
{
|
2022-08-09 16:38:09 -07:00
|
|
|
cl_error_t ret = CL_SUCCESS;
|
2012-01-05 14:16:09 +02:00
|
|
|
const char *fname, *path, *version, *strsz, *data;
|
|
|
|
|
char *eostr;
|
2009-07-14 12:39:21 +02:00
|
|
|
long fsize;
|
2018-12-03 12:40:13 -05:00
|
|
|
off_t coff = off;
|
|
|
|
|
struct IS_CABSTUFF c = {NULL, -1, 0, 0};
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │  └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
|   └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │  └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │  └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │   └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │  └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │  └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │  └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
|   └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │  └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
|   └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
fmap_t *map = ctx->fmap;
|
2018-12-03 12:40:13 -05:00
|
|
|
unsigned fc = 0;
|
|
|
|
|
|
2022-08-09 16:38:09 -07:00
|
|
|
while (ret == CL_SUCCESS) {
|
2018-12-03 12:40:13 -05:00
|
|
|
fname = fmap_need_offstr(map, coff, 2048);
|
|
|
|
|
if (!fname) break;
|
|
|
|
|
coff += strlen(fname) + 1;
|
|
|
|
|
|
|
|
|
|
path = fmap_need_offstr(map, coff, 2048);
|
|
|
|
|
if (!path) break;
|
|
|
|
|
coff += strlen(path) + 1;
|
|
|
|
|
|
|
|
|
|
version = fmap_need_offstr(map, coff, 2048);
|
|
|
|
|
if (!version) break;
|
|
|
|
|
coff += strlen(version) + 1;
|
|
|
|
|
|
|
|
|
|
strsz = fmap_need_offstr(map, coff, 2048);
|
|
|
|
|
if (!strsz) break;
|
|
|
|
|
coff += strlen(strsz) + 1;
|
|
|
|
|
|
|
|
|
|
data = &strsz[strlen(strsz) + 1];
|
|
|
|
|
|
|
|
|
|
fsize = strtol(strsz, &eostr, 10);
|
|
|
|
|
if (fsize < 0 || fsize == LONG_MAX ||
|
|
|
|
|
!*strsz || !eostr || eostr == strsz || *eostr ||
|
|
|
|
|
(unsigned long)fsize >= sz ||
|
|
|
|
|
(size_t)(data - fname) >= sz - fsize) break;
|
|
|
|
|
|
|
|
|
|
cli_dbgmsg("ishield: @%lx found file %s (%s) - version %s - size %lu\n", (unsigned long int)coff, fname, path, version, (unsigned long int)fsize);
|
2023-11-07 23:00:30 -05:00
|
|
|
if (CL_SUCCESS != cli_matchmeta(ctx, fname, fsize, fsize, 0, fc++, 0)) {
|
2022-08-09 16:38:09 -07:00
|
|
|
ret = CL_VIRUS;
|
|
|
|
|
break;
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
sz -= (data - fname) + fsize;
|
|
|
|
|
|
|
|
|
|
if (!strncasecmp(fname, "data", 4)) {
|
|
|
|
|
long cabno;
|
|
|
|
|
if (!strcasecmp(fname + 4, "1.hdr")) {
|
|
|
|
|
if (c.hdr == -1) {
|
|
|
|
|
cli_dbgmsg("ishield: added data1.hdr to array\n");
|
|
|
|
|
c.hdr = coff;
|
|
|
|
|
c.hdrsz = fsize;
|
|
|
|
|
coff += fsize;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
cli_warnmsg("ishield: got multiple header files\n");
|
|
|
|
|
}
|
|
|
|
|
cabno = strtol(fname + 4, &eostr, 10);
|
|
|
|
|
if (cabno > 0 && cabno < 65536 && fname[4] && eostr && eostr != &fname[4] && !strcasecmp(eostr, ".cab")) {
|
|
|
|
|
unsigned int i;
|
|
|
|
|
for (i = 0; i < c.cabcnt && i != c.cabs[i].cabno; i++) {
|
|
|
|
|
}
|
|
|
|
|
if (i == c.cabcnt) {
|
|
|
|
|
c.cabcnt++;
|
2024-01-09 17:44:33 -05:00
|
|
|
if (!(c.cabs = cli_max_realloc_or_free(c.cabs, sizeof(struct CABARRAY) * c.cabcnt))) {
|
2018-12-03 12:40:13 -05:00
|
|
|
ret = CL_EMEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
cli_dbgmsg("ishield: added data%lu.cab to array\n", cabno);
|
|
|
|
|
c.cabs[i].cabno = cabno;
|
|
|
|
|
c.cabs[i].off = coff;
|
|
|
|
|
c.cabs[i].sz = fsize;
|
|
|
|
|
coff += fsize;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
cli_warnmsg("ishield: got multiple data%lu.cab files\n", cabno);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fmap_unneed_ptr(map, fname, data - fname);
|
|
|
|
|
ret = is_dump_and_scan(ctx, coff, fsize);
|
|
|
|
|
coff += fsize;
|
2009-07-14 12:39:21 +02:00
|
|
|
}
|
2009-07-14 09:36:36 +02:00
|
|
|
|
2022-08-09 16:38:09 -07:00
|
|
|
if ((ret == CL_SUCCESS) &&
|
|
|
|
|
(c.cabcnt || c.hdr != -1)) {
|
|
|
|
|
|
|
|
|
|
if (CL_SUCCESS == (ret = is_parse_hdr(ctx, &c))) {
|
2018-12-03 12:40:13 -05:00
|
|
|
unsigned int i;
|
|
|
|
|
if (c.hdr != -1) {
|
|
|
|
|
cli_dbgmsg("ishield: scanning data1.hdr\n");
|
|
|
|
|
ret = is_dump_and_scan(ctx, c.hdr, c.hdrsz);
|
|
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
for (i = 0; i < c.cabcnt && ret == CL_SUCCESS; i++) {
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_dbgmsg("ishield: scanning data%u.cab\n", c.cabs[i].cabno);
|
|
|
|
|
ret = is_dump_and_scan(ctx, c.cabs[i].off, c.cabs[i].sz);
|
|
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
|
|
|
|
} else if (ret == CL_BREAK) {
|
|
|
|
|
ret = CL_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (c.cabs) {
|
|
|
|
|
free(c.cabs);
|
2009-07-14 09:36:36 +02:00
|
|
|
}
|
2016-06-08 16:25:34 -04:00
|
|
|
|
2009-07-14 23:00:29 +02:00
|
|
|
return ret;
|
2009-07-14 09:36:36 +02:00
|
|
|
}
|
2009-07-14 12:39:21 +02:00
|
|
|
|
2009-07-14 16:57:05 +02:00
|
|
|
/* Utility func to scan a fd @ a given offset and size */
|
2022-08-09 16:38:09 -07:00
|
|
|
static cl_error_t is_dump_and_scan(cli_ctx *ctx, off_t off, size_t fsize)
|
2018-12-03 12:40:13 -05:00
|
|
|
{
|
2012-01-05 14:16:09 +02:00
|
|
|
char *fname;
|
|
|
|
|
const char *buf;
|
2022-08-09 16:38:09 -07:00
|
|
|
cl_error_t ofd, ret = CL_SUCCESS;
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │  └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
|   └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │  └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │  └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │   └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │  └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │  └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │  └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
|   └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │  └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
|   └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
fmap_t *map = ctx->fmap;
|
2009-07-14 12:39:21 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!fsize) {
|
|
|
|
|
cli_dbgmsg("ishield: skipping empty file\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-14 12:39:21 +02:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
libclamav: Add engine option to toggle temp directory recursion
Temp directory recursion in ClamAV is when each layer of a scan gets its
own temp directory in the parent layer's temp directory.
In addition to temp directory recursion, ClamAV has been creating a new
subdirectory for each file scan as a risk-adverse method to ensure
no temporary file leaks fill up the disk.
Creating a directory is relatively slow on Windows in particular if
scanning a lot of very small files.
This commit:
1. Separates the temp directory recursion feature from the leave-temps
feature so that libclamav can leave temp files without making
subdirectories for each file scanned.
2. Makes it so that when temp directory recursion is off, libclamav
will just use the configure temp directory for all files.
The new option to enable temp directory recursion is for libclamav-only
at this time. It is off by default, and you can enable it like this:
```c
cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
```
For the `clamscan` and `clamd` programs, temp directory recursion will
be enabled when `--leave-temps` / `LeaveTemporaryFiles` is enabled.
The difference is that when disabled, it will return to using the
configured temp directory without making a subdirectory for each file
scanned, so as to improve scan performance for small files, mostly on
Windows.
Under the hood, this commit also:
1. Cleans up how we keep track of tmpdirs for each layer.
The goal here is to align how we keep track of layer-specific stuff
using the scan_layer structure.
2. Cleans up how we record metadata JSON for embedded files.
Note: Embedded files being different from Contained files, as they
are extracted not with a parser, but by finding them with
file type magic signatures.
CLAM-1583
2025-06-09 20:42:31 -04:00
|
|
|
if (!(fname = cli_gentemp(ctx->this_layer_tmpdir))) {
|
2018-12-03 12:40:13 -05:00
|
|
|
return CL_EMEM;
|
2022-08-09 16:38:09 -07:00
|
|
|
}
|
2009-07-14 12:39:21 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((ofd = open(fname, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR)) < 0) {
|
|
|
|
|
cli_errmsg("ishield: failed to create file %s\n", fname);
|
|
|
|
|
free(fname);
|
|
|
|
|
return CL_ECREAT;
|
2009-07-14 12:39:21 +02:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while (fsize) {
|
|
|
|
|
size_t rd = MIN(fsize, map->pgsz);
|
|
|
|
|
if (!(buf = fmap_need_off_once(map, off, rd))) {
|
|
|
|
|
cli_dbgmsg("ishield: read error\n");
|
|
|
|
|
ret = CL_EREAD;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2019-05-04 15:54:54 -04:00
|
|
|
if (cli_writen(ofd, buf, rd) != rd) {
|
2018-12-03 12:40:13 -05:00
|
|
|
ret = CL_EWRITE;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
fsize -= rd;
|
|
|
|
|
off += rd;
|
2013-02-28 19:32:29 -05:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!fsize) {
|
|
|
|
|
cli_dbgmsg("ishield: extracted to %s\n", fname);
|
|
|
|
|
if (lseek(ofd, 0, SEEK_SET) == -1) {
|
|
|
|
|
cli_dbgmsg("ishield: call to lseek() failed\n");
|
|
|
|
|
ret = CL_ESEEK;
|
|
|
|
|
}
|
2022-03-09 22:26:40 -08:00
|
|
|
ret = cli_magic_scan_desc(ofd, fname, ctx, NULL, LAYER_ATTRIBUTES_NONE);
|
2009-07-14 12:39:21 +02:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2009-07-14 12:39:21 +02:00
|
|
|
close(ofd);
|
2022-08-09 16:38:09 -07:00
|
|
|
|
|
|
|
|
if (!ctx->engine->keeptmp) {
|
|
|
|
|
if (cli_unlink(fname)) {
|
|
|
|
|
ret = CL_EUNLINK;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-07-14 12:39:21 +02:00
|
|
|
free(fname);
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2009-07-14 16:57:05 +02:00
|
|
|
|
2009-07-14 23:00:29 +02:00
|
|
|
/* Process data1.hdr and extracts all the available files from dataX.cab */
|
2022-08-09 16:38:09 -07:00
|
|
|
static cl_error_t is_parse_hdr(cli_ctx *ctx, struct IS_CABSTUFF *c)
|
2018-12-03 12:40:13 -05:00
|
|
|
{
|
2009-07-14 16:57:05 +02:00
|
|
|
uint32_t h1_data_off, objs_files_cnt, objs_dirs_off;
|
2009-07-14 23:00:29 +02:00
|
|
|
unsigned int off, i, scanned = 0;
|
|
|
|
|
int ret = CL_BREAK;
|
2009-08-22 16:31:14 +02:00
|
|
|
char hash[33], *hdr;
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │  └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
|   └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │  └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │  └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │   └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │  └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │  └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │  └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
|   └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │  └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
|   └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
fmap_t *map = ctx->fmap;
|
2009-07-14 16:57:05 +02:00
|
|
|
|
2012-01-05 14:16:09 +02:00
|
|
|
const struct IS_HDR *h1;
|
2009-07-14 16:57:05 +02:00
|
|
|
struct IS_OBJECTS *objs;
|
|
|
|
|
/* struct IS_INSTTYPEHDR *typehdr; -- UNUSED */
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!c->hdr || !c->hdrsz || !c->cabcnt) {
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: inconsistent hdr, maybe a false match\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-14 23:00:29 +02:00
|
|
|
}
|
2009-07-14 16:57:05 +02:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!(h1 = fmap_need_off(map, c->hdr, c->hdrsz))) {
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: not enough room for H1\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-14 16:57:05 +02:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
hdr = (char *)h1;
|
2009-07-14 16:57:05 +02:00
|
|
|
h1_data_off = le32_to_host(h1->data_off);
|
2018-12-03 12:40:13 -05:00
|
|
|
objs = (struct IS_OBJECTS *)fmap_need_ptr(map, hdr + h1_data_off, sizeof(*objs));
|
|
|
|
|
if (!objs) {
|
2009-09-05 20:16:10 +02:00
|
|
|
cli_dbgmsg("is_parse_hdr: not enough room for OBJECTS\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-14 16:57:05 +02:00
|
|
|
}
|
|
|
|
|
|
2009-07-14 23:00:29 +02:00
|
|
|
cli_dbgmsg("is_parse_hdr: magic %x, unk1 %x, unk2 %x, data_off %x, data_sz %x\n",
|
2009-09-05 20:16:10 +02:00
|
|
|
h1->magic, h1->unk1, h1->unk2, h1_data_off, h1->data_sz);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (le32_to_host(h1->magic) != 0x28635349) {
|
2009-09-05 20:16:10 +02:00
|
|
|
cli_dbgmsg("is_parse_hdr: bad magic. wrong version?\n");
|
2022-08-09 16:38:09 -07:00
|
|
|
return CL_SUCCESS;
|
2009-07-14 16:57:05 +02:00
|
|
|
}
|
|
|
|
|
|
2009-08-23 21:21:13 +02:00
|
|
|
fmap_unneed_ptr(map, h1, sizeof(*h1));
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
/* cli_errmsg("COMPONENTS\n"); */
|
|
|
|
|
/* off = le32_to_host(objs->comps_off) + h1_data_off; */
|
|
|
|
|
/* for(i=1; ; i++) { */
|
|
|
|
|
/* struct IS_COMPONENT *cmp = (struct IS_COMPONENT *)(hdr + off); */
|
|
|
|
|
/* if(!CLI_ISCONTAINED(hdr, c->hdrsz, ((char *)cmp), sizeof(*cmp))) { */
|
|
|
|
|
/* cli_dbgmsg("is_extract: not enough room for COMPONENT\n"); */
|
|
|
|
|
/* free(hdr); */
|
2022-08-09 16:38:09 -07:00
|
|
|
/* return CL_SUCCESS; */
|
2018-12-03 12:40:13 -05:00
|
|
|
/* } */
|
|
|
|
|
/* cli_errmsg("%06u\t%s\n", i, &hdr[le32_to_host(cmp->str_name_off) + h1_data_off]); */
|
|
|
|
|
/* spam_strarray(hdr, h1_data_off + cmp->sub_comp_offs_array, h1_data_off, cmp->sub_comp_cnt); */
|
|
|
|
|
/* if(!cmp->next_comp_off) break; */
|
|
|
|
|
/* off = le32_to_host(cmp->next_comp_off) + h1_data_off; */
|
|
|
|
|
/* } */
|
|
|
|
|
|
|
|
|
|
/* cli_errmsg("DIRECTORIES (%u)", le32_to_host(objs->dirs_cnt)); */
|
2009-07-14 16:57:05 +02:00
|
|
|
objs_dirs_off = le32_to_host(objs->dirs_off);
|
2018-12-03 12:40:13 -05:00
|
|
|
/* spam_strarray(hdr, h1_data_off + objs_dirs_off, h1_data_off + objs_dirs_off, objs->dirs_cnt); */
|
|
|
|
|
|
|
|
|
|
/* typehdr = (struct INSTTYPEHDR *)&hdr[h1_data_off + le32_to_host(objs->insttype_off)]; */
|
|
|
|
|
/* printf("INSTTYPES (unk1: %d)\n-----------\n", typehdr->unk1); */
|
|
|
|
|
/* off = typehdr->off + h1_data_off; */
|
|
|
|
|
/* for(i=1; i<=typehdr->cnt; i++) { */
|
|
|
|
|
/* uint32_t x = *(uint32_t *)(&hdr[off]); */
|
|
|
|
|
/* struct INSTTYPEITEM *item = (struct INSTTYPEITEM *)&hdr[x + h1_data_off]; */
|
|
|
|
|
/* printf("%06u\t%s\t aka %s\taka %s\n", i, &hdr[item->str_name1_off + h1_data_off], &hdr[item->str_name2_off + h1_data_off], &hdr[item->str_name3_off + h1_data_off]); */
|
|
|
|
|
/* printf("components:\n"); */
|
|
|
|
|
/* spam_strarray(hdr, h1_data_off + item->off, h1_data_off, item->cnt); */
|
|
|
|
|
/* off+=4; */
|
|
|
|
|
/* } */
|
|
|
|
|
|
|
|
|
|
/* dir = &hdr[*(uint32_t *)(&hdr[h1_data_off + objs_dirs_off + 4 * file->dir_id]) + h1_data_off + objs_dirs_off] */
|
2009-07-14 16:57:05 +02:00
|
|
|
|
|
|
|
|
objs_files_cnt = le32_to_host(objs->files_cnt);
|
2018-12-03 12:40:13 -05:00
|
|
|
off = h1_data_off + objs_dirs_off + le32_to_host(objs->dir_sz2);
|
2009-08-23 21:21:13 +02:00
|
|
|
fmap_unneed_ptr(map, objs, sizeof(*objs));
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = 0; i < objs_files_cnt; i++) {
|
|
|
|
|
struct IS_FILEITEM *file = (struct IS_FILEITEM *)fmap_need_off(map, c->hdr + off, sizeof(*file));
|
|
|
|
|
|
|
|
|
|
if (file) {
|
|
|
|
|
const char *emptyname = "", *dir_name = emptyname, *file_name = emptyname;
|
|
|
|
|
uint32_t dir_rel = h1_data_off + objs_dirs_off + 4 * le32_to_host(file->dir_id); /* rel off of dir entry from array of rel ptrs */
|
|
|
|
|
uint32_t file_rel = objs_dirs_off + h1_data_off + le32_to_host(file->str_name_off); /* rel off of fname */
|
|
|
|
|
uint64_t file_stream_off, file_size, file_csize;
|
|
|
|
|
uint16_t cabno;
|
|
|
|
|
|
|
|
|
|
memcpy(hash, file->md5, 16);
|
|
|
|
|
md5str((uint8_t *)hash);
|
|
|
|
|
if (fmap_need_ptr_once(map, &hdr[dir_rel], 4)) {
|
|
|
|
|
dir_rel = cli_readint32(&hdr[dir_rel]) + h1_data_off + objs_dirs_off;
|
|
|
|
|
if (fmap_need_str(map, &hdr[dir_rel], c->hdrsz - dir_rel))
|
|
|
|
|
dir_name = &hdr[dir_rel];
|
|
|
|
|
}
|
|
|
|
|
if (fmap_need_str(map, &hdr[file_rel], c->hdrsz - file_rel))
|
|
|
|
|
file_name = &hdr[file_rel];
|
|
|
|
|
|
|
|
|
|
file_stream_off = le64_to_host(file->stream_off);
|
|
|
|
|
file_size = le64_to_host(file->size);
|
|
|
|
|
file_csize = le64_to_host(file->csize);
|
|
|
|
|
cabno = le16_to_host(file->datafile_id);
|
|
|
|
|
|
|
|
|
|
switch (le16_to_host(file->flags)) {
|
|
|
|
|
case 0:
|
|
|
|
|
/* FIXMEISHIELD: for FS scan ? */
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: skipped external file:%s\\%s (size: %llu csize: %llu md5:%s)\n",
|
|
|
|
|
dir_name,
|
|
|
|
|
file_name,
|
|
|
|
|
(long long)file_size, (long long)file_csize, hash);
|
|
|
|
|
break;
|
|
|
|
|
case 4:
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: file %s\\%s (size: %llu csize: %llu md5:%s offset:%llx (data%u.cab) 13:%x 14:%x 15:%x)\n",
|
|
|
|
|
dir_name,
|
|
|
|
|
file_name,
|
|
|
|
|
(long long)file_size, (long long)file_csize, hash, (long long)file_stream_off,
|
|
|
|
|
cabno, file->unk13, file->unk14, file->unk15);
|
|
|
|
|
if (file->flag_has_dup & 1)
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: not scanned (dup)\n");
|
|
|
|
|
else {
|
|
|
|
|
if (file_size) {
|
|
|
|
|
unsigned int j;
|
2022-08-09 16:38:09 -07:00
|
|
|
cl_error_t cabret = CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
|
|
|
|
|
if (ctx->engine->maxfilesize && file_csize > ctx->engine->maxfilesize) {
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: skipping file due to size limits (%lu vs %lu)\n", (unsigned long int)file_csize, (unsigned long int)ctx->engine->maxfilesize);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (j = 0; j < c->cabcnt && c->cabs[j].cabno != cabno; j++) {
|
|
|
|
|
}
|
|
|
|
|
if (j != c->cabcnt) {
|
|
|
|
|
if (CLI_ISCONTAINED(c->cabs[j].off, c->cabs[j].sz, file_stream_off + c->cabs[j].off, file_csize)) {
|
|
|
|
|
scanned++;
|
|
|
|
|
if (ctx->engine->maxfiles && scanned >= ctx->engine->maxfiles) {
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: File limit reached (max: %u)\n", ctx->engine->maxfiles);
|
|
|
|
|
if (file_name != emptyname)
|
|
|
|
|
fmap_unneed_ptr(map, (void *)file_name, strlen(file_name) + 1);
|
|
|
|
|
if (dir_name != emptyname)
|
|
|
|
|
fmap_unneed_ptr(map, (void *)dir_name, strlen(dir_name) + 1);
|
|
|
|
|
return CL_EMAXFILES;
|
|
|
|
|
}
|
|
|
|
|
cabret = is_extract_cab(ctx, file_stream_off + c->cabs[j].off, file_size, file_csize);
|
|
|
|
|
} else {
|
2022-08-09 16:38:09 -07:00
|
|
|
ret = CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_dbgmsg("is_parse_hdr: stream out of file\n");
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2022-08-09 16:38:09 -07:00
|
|
|
ret = CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_dbgmsg("is_parse_hdr: data%u.cab not available\n", cabno);
|
|
|
|
|
}
|
|
|
|
|
if (cabret == CL_BREAK) {
|
2022-08-09 16:38:09 -07:00
|
|
|
ret = CL_SUCCESS;
|
|
|
|
|
cabret = CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
}
|
2022-08-09 16:38:09 -07:00
|
|
|
if (cabret != CL_SUCCESS) {
|
2018-12-03 12:40:13 -05:00
|
|
|
if (file_name != emptyname)
|
|
|
|
|
fmap_unneed_ptr(map, (void *)file_name, strlen(file_name) + 1);
|
|
|
|
|
if (dir_name != emptyname)
|
|
|
|
|
fmap_unneed_ptr(map, (void *)dir_name, strlen(dir_name) + 1);
|
|
|
|
|
return cabret;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: skipped empty file\n");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
cli_dbgmsg("is_parse_hdr: skipped unknown file entry %u\n", i);
|
|
|
|
|
}
|
|
|
|
|
if (file_name != emptyname)
|
|
|
|
|
fmap_unneed_ptr(map, (void *)file_name, strlen(file_name) + 1);
|
|
|
|
|
if (dir_name != emptyname)
|
|
|
|
|
fmap_unneed_ptr(map, (void *)dir_name, strlen(dir_name) + 1);
|
|
|
|
|
fmap_unneed_ptr(map, file, sizeof(*file));
|
|
|
|
|
} else {
|
2022-08-09 16:38:09 -07:00
|
|
|
ret = CL_SUCCESS;
|
2018-12-03 12:40:13 -05:00
|
|
|
cli_dbgmsg("is_parse_hdr: FILEITEM out of bounds\n");
|
|
|
|
|
}
|
|
|
|
|
off += sizeof(*file);
|
2009-07-14 16:57:05 +02:00
|
|
|
}
|
2009-07-14 23:00:29 +02:00
|
|
|
return ret;
|
2009-07-14 16:57:05 +02:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
static void md5str(uint8_t *sum)
|
|
|
|
|
{
|
2009-07-14 16:57:05 +02:00
|
|
|
int i;
|
2018-12-03 12:40:13 -05:00
|
|
|
for (i = 15; i >= 0; i--) {
|
|
|
|
|
uint8_t lo = (sum[i] & 0xf), hi = (sum[i] >> 4);
|
|
|
|
|
lo += '0' + (lo > 9) * '\'';
|
|
|
|
|
hi += '0' + (hi > 9) * '\'';
|
|
|
|
|
sum[i * 2 + 1] = lo;
|
|
|
|
|
sum[i * 2] = hi;
|
2009-07-14 16:57:05 +02:00
|
|
|
}
|
|
|
|
|
sum[32] = '\0';
|
|
|
|
|
}
|
2009-07-14 19:42:27 +02:00
|
|
|
|
|
|
|
|
#define IS_CABBUFSZ 65536
|
|
|
|
|
|
2022-08-09 16:38:09 -07:00
|
|
|
static cl_error_t is_extract_cab(cli_ctx *ctx, uint64_t off, uint64_t size, uint64_t csize)
|
2018-12-03 12:40:13 -05:00
|
|
|
{
|
2022-08-09 16:38:09 -07:00
|
|
|
cl_error_t ret = CL_SUCCESS;
|
2012-01-05 14:16:09 +02:00
|
|
|
const uint8_t *inbuf;
|
|
|
|
|
uint8_t *outbuf;
|
2009-07-14 19:42:27 +02:00
|
|
|
char *tempfile;
|
2022-08-09 16:38:09 -07:00
|
|
|
int ofd;
|
2009-07-14 19:42:27 +02:00
|
|
|
z_stream z;
|
|
|
|
|
uint64_t outsz = 0;
|
2018-12-03 12:40:13 -05:00
|
|
|
int success = 0;
|
libclamav: Fix scan recursion tracking
Scan recursion is the process of identifying files embedded in other
files and then scanning them, recursively.
Internally this process is more complex than it may sound because a file
may have multiple layers of types before finding a new "file".
At present we treat the recursion count in the scanning context as an
index into both our fmap list AND our container list. These two lists
are conceptually a part of the same thing and should be unified.
But what's concerning is that the "recursion level" isn't actually
incremented or decremented at the same time that we add a layer to the
fmap or container lists but instead is more touchy-feely, increasing
when we find a new "file".
To account for this shadiness, the size of the fmap and container lists
has always been a little longer than our "max scan recursion" limit so
we don't accidentally overflow the fmap or container arrays (!).
I've implemented a single recursion-stack as an array, similar to before,
which includes a pointer to each fmap at each layer, along with the size
and type. Push and pop functions add and remove layers whenever a new
fmap is added. A boolean argument when pushing indicates if the new layer
represents a new buffer or new file (descriptor). A new buffer will reset
the "nested fmap level" (described below).
This commit also provides a solution for an issue where we detect
embedded files more than once during scan recursion.
For illustration, imagine a tarball named foo.tar.gz with this structure:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
But suppose baz.exe embeds a ZIP archive and a 7Z archive, like this:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| baz.exe | PE | 0 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| │  └── hello.txt | ASCII | 2 | 0 |
| └── sfx.7z | 7Z | 1 | 1 |
|   └── world.txt | ASCII | 2 | 0 |
(A) If we scan for embedded files at any layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| ├── foo.tar | TAR | 1 | 0 |
| │ ├── bar.zip | ZIP | 2 | 1 |
| │ │  └── hola.txt | ASCII | 3 | 0 |
| │ ├── baz.exe | PE | 2 | 1 |
| │ │ ├── sfx.zip | ZIP | 3 | 1 |
| │ │ │  └── hello.txt | ASCII | 4 | 0 |
| │ │ └── sfx.7z | 7Z | 3 | 1 |
| │ │   └── world.txt | ASCII | 4 | 0 |
| │ ├── sfx.zip | ZIP | 2 | 1 |
| │ │  └── hello.txt | ASCII | 3 | 0 |
| │ └── sfx.7z | 7Z | 2 | 1 |
| │  └── world.txt | ASCII | 3 | 0 |
| ├── sfx.zip | ZIP | 1 | 1 |
| └── sfx.7z | 7Z | 1 | 1 |
(A) is bad because it scans content more than once.
Note that for the GZ layer, it may detect the ZIP and 7Z if the
signature hits on the compressed data, which it might, though
extracting the ZIP and 7Z will likely fail.
The reason the above doesn't happen now is that we restrict embedded
type scans for a bunch of archive formats to include GZ and TAR.
(B) If we scan for embedded files at the foo.tar layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| ├── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 2 | 1 |
| │  └── hello.txt | ASCII | 3 | 0 |
| └── sfx.7z | 7Z | 2 | 1 |
|   └── world.txt | ASCII | 3 | 0 |
(B) is almost right. But we can achieve it easily enough only scanning for
embedded content in the current fmap when the "nested fmap level" is 0.
The upside is that it should safely detect all embedded content, even if
it may think the sfz.zip and sfx.7z are in foo.tar instead of in baz.exe.
The biggest risk I can think of affects ZIPs. SFXZIP detection
is identical to ZIP detection, which is why we don't allow SFXZIP to be
detected if insize of a ZIP. If we only allow embedded type scanning at
fmap-layer 0 in each buffer, this will fail to detect the embedded ZIP
if the bar.exe was not compressed in foo.zip and if non-compressed files
extracted from ZIPs aren't extracted as new buffers:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.zip | ZIP | 0 | 0 |
| └── bar.exe | PE | 1 | 1 |
| └── sfx.zip | ZIP | 2 | 2 |
Provided that we ensure all files extracted from zips are scanned in
new buffers, option (B) should be safe.
(C) If we scan for embedded files at the baz.exe layer, we may detect:
| description | type | rec level | nested fmap level |
| ------------------------- | ----- | --------- | ----------------- |
| foo.tar.gz | GZ | 0 | 0 |
| └── foo.tar | TAR | 1 | 0 |
| ├── bar.zip | ZIP | 2 | 1 |
| │  └── hola.txt | ASCII | 3 | 0 |
| └── baz.exe | PE | 2 | 1 |
| ├── sfx.zip | ZIP | 3 | 1 |
| │  └── hello.txt | ASCII | 4 | 0 |
| └── sfx.7z | 7Z | 3 | 1 |
|   └── world.txt | ASCII | 4 | 0 |
(C) is right. But it's harder to achieve. For this example we can get it by
restricting 7ZSFX and ZIPSFX detection only when scanning an executable.
But that may mean losing detection of archives embedded elsewhere.
And we'd have to identify allowable container types for each possible
embedded type, which would be very difficult.
So this commit aims to solve the issue the (B)-way.
Note that in all situations, we still have to scan with file typing
enabled to determine if we need to reassign the current file type, such
as re-identifying a Bzip2 archive as a DMG that happens to be Bzip2-
compressed. Detection of DMG and a handful of other types rely on
finding data partway through or near the ned of a file before
reassigning the entire file as the new type.
Other fixes and considerations in this commit:
- The utf16 HTML parser has weak error handling, particularly with respect
to creating a nested fmap for scanning the ascii decoded file.
This commit cleans up the error handling and wraps the nested scan with
the recursion-stack push()/pop() for correct recursion tracking.
Before this commit, each container layer had a flag to indicate if the
container layer is valid.
We need something similar so that the cli_recursion_stack_get_*()
functions ignore normalized layers. Details...
Imagine an LDB signature for HTML content that specifies a ZIP
container. If the signature actually alerts on the normalized HTML and
you don't ignore normalized layers for the container check, it will
appear as though the alert is in an HTML container rather than a ZIP
container.
This commit accomplishes this with a boolean you set in the scan context
before scanning a new layer. Then when the new fmap is created, it will
use that flag to set similar flag for the layer. The context flag is
reset those that anything after this doesn't have that flag.
The flag allows the new recursion_stack_get() function to ignore
normalized layers when iterating the stack to return a layer at a
requested index, negative or positive.
Scanning normalized extracted/normalized javascript and VBA should also
use the 'layer is normalized' flag.
- This commit also fixes Heuristic.Broken.Executable alert for ELF files
to make sure that:
A) these only alert if cli_append_virus() returns CL_VIRUS (aka it
respects the FP check).
B) all broken-executable alerts for ELF only happen if the
SCAN_HEURISTIC_BROKEN option is enabled.
- This commit also cleans up the error handling in cli_magic_scan_dir().
This was needed so we could correctly apply the layer-is-normalized-flag
to all VBA macros extracted to a directory when scanning the directory.
- Also fix an issue where exceeding scan maximums wouldn't cause embedded
file detection scans to abort. Granted we don't actually want to abort
if max filesize or max recursion depth are exceeded... only if max
scansize, max files, and max scantime are exceeded.
Add 'abort_scan' flag to scan context, to protect against depending on
correct error propagation for fatal conditions. Instead, setting this
flag in the scan context should guarantee that a fatal condition deep in
scan recursion isn't lost which result in more stuff being scanned
instead of aborting. This shouldn't be necessary, but some status codes
like CL_ETIMEOUT never used to be fatal and it's easier to do this than
to verify every parser only returns CL_ETIMEOUT and other "fatal
status codes" in fatal conditions.
- Remove duplicate is_tar() prototype from filestypes.c and include
is_tar.h instead.
- Presently we create the fmap hash when creating the fmap.
This wastes a bit of CPU if the hash is never needed.
Now that we're creating fmap's for all embedded files discovered with
file type recognition scans, this is a much more frequent occurence and
really slows things down.
This commit fixes the issue by only creating fmap hashes as needed.
This should not only resolve the perfomance impact of creating fmap's
for all embedded files, but also should improve performance in general.
- Add allmatch check to the zip parser after the central-header meta
match. That way we don't multiple alerts with the same match except in
allmatch mode. Clean up error handling in the zip parser a tiny bit.
- Fixes to ensure that the scan limits such as scansize, filesize,
recursion depth, # of embedded files, and scantime are always reported
if AlertExceedsMax (--alert-exceeds-max) is enabled.
- Fixed an issue where non-fatal alerts for exceeding scan maximums may
mask signature matches later on. I changed it so these alerts use the
"possibly unwanted" alert-type and thus only alert if no other alerts
were found or if all-match or heuristic-precedence are enabled.
- Added the "Heuristics.Limits.Exceeded.*" events to the JSON metadata
when the --gen-json feature is enabled. These will show up once under
"ParseErrors" the first time a limit is exceeded. In the present
implementation, only one limits-exceeded events will be added, so as to
prevent a malicious or malformed sample from filling the JSON buffer
with millions of events and using a tonne of RAM.
2021-09-11 14:15:21 -07:00
|
|
|
fmap_t *map = ctx->fmap;
|
2009-07-14 19:42:27 +02:00
|
|
|
|
2022-05-08 14:59:09 -07:00
|
|
|
if (!(outbuf = malloc(IS_CABBUFSZ))) {
|
2013-03-01 13:51:15 -05:00
|
|
|
cli_errmsg("is_extract_cab: Unable to allocate memory for outbuf\n");
|
|
|
|
|
return CL_EMEM;
|
|
|
|
|
}
|
2009-09-05 18:01:27 +02:00
|
|
|
|
libclamav: Add engine option to toggle temp directory recursion
Temp directory recursion in ClamAV is when each layer of a scan gets its
own temp directory in the parent layer's temp directory.
In addition to temp directory recursion, ClamAV has been creating a new
subdirectory for each file scan as a risk-adverse method to ensure
no temporary file leaks fill up the disk.
Creating a directory is relatively slow on Windows in particular if
scanning a lot of very small files.
This commit:
1. Separates the temp directory recursion feature from the leave-temps
feature so that libclamav can leave temp files without making
subdirectories for each file scanned.
2. Makes it so that when temp directory recursion is off, libclamav
will just use the configure temp directory for all files.
The new option to enable temp directory recursion is for libclamav-only
at this time. It is off by default, and you can enable it like this:
```c
cl_engine_set_num(engine, CL_ENGINE_TMPDIR_RECURSION, 1);
```
For the `clamscan` and `clamd` programs, temp directory recursion will
be enabled when `--leave-temps` / `LeaveTemporaryFiles` is enabled.
The difference is that when disabled, it will return to using the
configured temp directory without making a subdirectory for each file
scanned, so as to improve scan performance for small files, mostly on
Windows.
Under the hood, this commit also:
1. Cleans up how we keep track of tmpdirs for each layer.
The goal here is to align how we keep track of layer-specific stuff
using the scan_layer structure.
2. Cleans up how we record metadata JSON for embedded files.
Note: Embedded files being different from Contained files, as they
are extracted not with a parser, but by finding them with
file type magic signatures.
CLAM-1583
2025-06-09 20:42:31 -04:00
|
|
|
if (!(tempfile = cli_gentemp(ctx->this_layer_tmpdir))) {
|
2018-12-03 12:40:13 -05:00
|
|
|
free(outbuf);
|
|
|
|
|
return CL_EMEM;
|
2009-07-15 12:34:50 +02:00
|
|
|
}
|
2018-12-03 12:40:13 -05:00
|
|
|
if ((ofd = open(tempfile, O_RDWR | O_CREAT | O_TRUNC | O_BINARY, S_IRUSR | S_IWUSR)) < 0) {
|
|
|
|
|
cli_errmsg("is_extract_cab: failed to create file %s\n", tempfile);
|
|
|
|
|
free(tempfile);
|
|
|
|
|
free(outbuf);
|
|
|
|
|
return CL_ECREAT;
|
2009-07-14 19:42:27 +02:00
|
|
|
}
|
|
|
|
|
|
2018-12-03 12:40:13 -05:00
|
|
|
while (csize) {
|
|
|
|
|
uint16_t chunksz;
|
|
|
|
|
success = 0;
|
|
|
|
|
if (csize < 2) {
|
|
|
|
|
cli_dbgmsg("is_extract_cab: no room for chunk size\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
csize -= 2;
|
|
|
|
|
if (!(inbuf = fmap_need_off_once(map, off, 2))) {
|
|
|
|
|
cli_dbgmsg("is_extract_cab: short read for chunk size\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
off += 2;
|
|
|
|
|
chunksz = inbuf[0] | (inbuf[1] << 8);
|
|
|
|
|
if (!chunksz) {
|
|
|
|
|
cli_dbgmsg("is_extract_cab: zero sized chunk\n");
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (csize < chunksz) {
|
|
|
|
|
cli_dbgmsg("is_extract_cab: chunk is bigger than csize\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
csize -= chunksz;
|
|
|
|
|
if (!(inbuf = fmap_need_off_once(map, off, chunksz))) {
|
|
|
|
|
cli_dbgmsg("is_extract_cab: short read for chunk\n");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
off += chunksz;
|
|
|
|
|
memset(&z, 0, sizeof(z));
|
|
|
|
|
inflateInit2(&z, -MAX_WBITS);
|
|
|
|
|
z.next_in = (uint8_t *)inbuf;
|
|
|
|
|
z.avail_in = chunksz;
|
|
|
|
|
while (1) {
|
|
|
|
|
int zret;
|
|
|
|
|
z.next_out = outbuf;
|
|
|
|
|
z.avail_out = IS_CABBUFSZ;
|
|
|
|
|
zret = inflate(&z, 0);
|
|
|
|
|
if (zret == Z_OK || zret == Z_STREAM_END || zret == Z_BUF_ERROR) {
|
|
|
|
|
unsigned int umpd = IS_CABBUFSZ - z.avail_out;
|
2021-01-23 16:41:41 -08:00
|
|
|
if (cli_writen(ofd, outbuf, umpd) != umpd)
|
2018-12-03 12:40:13 -05:00
|
|
|
break;
|
|
|
|
|
outsz += umpd;
|
|
|
|
|
if (zret == Z_STREAM_END || z.avail_out == IS_CABBUFSZ /* FIXMEISHIELD: is the latter ok? */) {
|
|
|
|
|
success = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (ctx->engine->maxfilesize && z.total_out > ctx->engine->maxfilesize) {
|
|
|
|
|
cli_dbgmsg("ishield_extract_cab: trimming output file due to size limits (%lu vs %lu)\n", z.total_out, (unsigned long int)ctx->engine->maxfilesize);
|
|
|
|
|
success = 1;
|
|
|
|
|
outsz = size;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
cli_dbgmsg("is_extract_cab: file decompression failed with %d\n", zret);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
inflateEnd(&z);
|
|
|
|
|
if (!success) break;
|
2009-07-14 19:42:27 +02:00
|
|
|
}
|
2009-07-15 12:34:50 +02:00
|
|
|
free(outbuf);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (success) {
|
|
|
|
|
if (outsz != size)
|
|
|
|
|
cli_dbgmsg("is_extract_cab: extracted %llu bytes to %s, expected %llu, scanning anyway.\n", (long long)outsz, tempfile, (long long)size);
|
|
|
|
|
else
|
|
|
|
|
cli_dbgmsg("is_extract_cab: extracted to %s\n", tempfile);
|
|
|
|
|
if (lseek(ofd, 0, SEEK_SET) == -1)
|
|
|
|
|
cli_dbgmsg("is_extract_cab: call to lseek() failed\n");
|
2022-03-09 22:26:40 -08:00
|
|
|
ret = cli_magic_scan_desc(ofd, tempfile, ctx, NULL, LAYER_ATTRIBUTES_NONE);
|
2009-07-14 19:42:27 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
close(ofd);
|
2018-12-03 12:40:13 -05:00
|
|
|
if (!ctx->engine->keeptmp)
|
|
|
|
|
if (cli_unlink(tempfile)) ret = CL_EUNLINK;
|
2009-07-14 19:42:27 +02:00
|
|
|
free(tempfile);
|
2009-07-14 23:00:29 +02:00
|
|
|
return success ? ret : CL_BREAK;
|
2009-07-14 19:42:27 +02:00
|
|
|
}
|