
Multipart form data virus file detection
Hi Guys,


I see that when a virus file is uploaded as multipart/form-data it's not detected
properly by ClamAV. If it's not multipart/form-data it works properly.

I see a few Windows servers upload files using multipart.

Any idea or pointer why it doesn't work with multipart/forms?

md5sum exploit.pdf
a3e8a7602797c69f6320225e8137d063 exploit.pdf

I was trying to upload the same exploit.pdf virus file (CVE-2009-4324) to a
Windows server and it's not detected by ClamAV Antivirus.

*I tried with detect-pua also and it didn't work for me*.

It works fine with curl and other software. *Maybe we have to handle
Windows servers separately*.

*Below is the output of the virus file to clamav:*

Content-Disposition: form-data; name="__EVENTVALIDATION"

/wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="destination"


/AnalyticsReports
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; filename="exploit.pdf"
Content-Type: application/force-download
%PDF-1.1
1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
endobj
2 0 obj
<< /Type /Outlines /Count 0 >>
endobj
3 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
4 0 obj
<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
endobj
5 0 obj
<< /Type /Action /S /JavaScript /JS (
VIRUS DATA .....................
...........................................

spray_heap();
trigger_bug();

) >>
endobj
xref
0 6
0000000000 65535 f
0000000010 00000 n
0000000096 00000 n
0000000145 00000 n
0000000205 00000 n
0000000279 00000 n
trailer
<< /Size 6 /Root 1 0 R >>
startxref
1787
%%EOF
-----------------------------21154944191352840482619583850
Content-Disposition: form-data;
name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"

on
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="__spText1"


-----------------------------2115494419135284048261958385
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net

http://www.clamav.net/contact.html#ml
Re: Multipart form data virus file detection
Comments inline:


On Tue, Aug 18, 2015 at 1:24 PM, P K <pkopensrc@gmail.com> wrote:

> Hi Guys,
>
>
> I see that when a virus file is uploaded as multipart/form-data it's not detected
> properly by ClamAV. If it's not multipart/form-data it works properly.
>
> I see a few Windows servers upload files using multipart.
>
> Any idea or pointer why it doesn't work with multipart/forms?
>
> md5sum exploit.pdf
> a3e8a7602797c69f6320225e8137d063 exploit.pdf
>
> I was trying to upload the same exploit.pdf virus file (CVE-2009-4324) to a
> Windows server and it's not detected by ClamAV Antivirus.
>
> *I tried with detect-pua also and it didn't work for me*.
>
> It works fine with curl and other software. *Maybe we have to handle
> Windows servers separately*.
>


What is the curl command you are running where it works?



>
> *Below is the output of the virus file to clamav:*
>
> Content-Disposition: form-data; name="__EVENTVALIDATION"
>
> /wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="destination"
>
>
> /AnalyticsReports
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; filename="exploit.pdf"
> Content-Type: application/force-download
> %PDF-1.1
> 1 0 obj
> << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
> endobj
> 2 0 obj
> << /Type /Outlines /Count 0 >>
> endobj
> 3 0 obj
> << /Type /Pages /Kids [4 0 R] /Count 1 >>
> endobj
> 4 0 obj
> << /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
> endobj
> 5 0 obj
> << /Type /Action /S /JavaScript /JS (
> VIRUS DATA .....................
> ...........................................
>
> spray_heap();
> trigger_bug();
>
> ) >>
> endobj
> xref
> 0 6
> 0000000000 65535 f
> 0000000010 00000 n
> 0000000096 00000 n
> 0000000145 00000 n
> 0000000205 00000 n
> 0000000279 00000 n
> trailer
> << /Size 6 /Root 1 0 R >>
> startxref
> 1787
> %%EOF
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data;
> name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
>
> on
> -----------------------------21154944191352840482619583850
> Content-Disposition: form-data; name="__spText1"
>
>
> -----------------------------2115494419135284048261958385
>

Detection of PDF viruses likely depends on the body of the request being a
pure PDF document, not a multipart form with a PDF in one of the parts.
This is totally dependent on the way the signature was written.





--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
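As an added example (not code from this thread or from ClamAV), the defender-side workaround implied by the reply above: unpack the multipart/form-data body yourself, hand each file part to the scanner as a standalone object, and frame it for clamd's INSTREAM command (a "zINSTREAM\0" command followed by length-prefixed chunks and a zero-length terminator). The sample body is constructed to mirror the post's upload: the boundary digits are the thread's, the field name "InputFile" is shortened, and a harmless PDF skeleton stands in for the exploit.

```python
import struct

# Constructed sample modeled on the post's upload (harmless PDF skeleton, no JavaScript action).
BOUNDARY = "---------------------------21154944191352840482619583850"
PDF = (b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
       b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
BODY = (b"--" + BOUNDARY.encode() + b"\r\n"
        b'Content-Disposition: form-data; name="destination"\r\n\r\n'
        b"/AnalyticsReports\r\n"
        b"--" + BOUNDARY.encode() + b"\r\n"
        b'Content-Disposition: form-data; name="InputFile"; filename="exploit.pdf"\r\n'
        b"Content-Type: application/force-download\r\n\r\n" + PDF + b"\r\n"
        b"--" + BOUNDARY.encode() + b"--\r\n")


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into (headers, payload) pairs.
    Parts are delimited by '--' + boundary; '--' + boundary + '--' closes the body."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:        # element 0 is the preamble
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):          # the CRLF before the next delimiter
            payload = payload[:-2]             # belongs to the delimiter, not the data
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload))
    return parts


def extract_uploads(body: bytes, boundary: str) -> dict:
    """Map each uploaded filename to the raw bytes the scanner should see."""
    uploads = {}
    for headers, payload in parse_multipart(body, boundary):
        disp = headers.get("content-disposition", "")
        if 'filename="' in disp:
            uploads[disp.split('filename="', 1)[1].split('"', 1)[0]] = payload
    return uploads


def instream_frames(data: bytes, chunk: int = 8192) -> bytes:
    """Frame one extracted file for clamd's INSTREAM command: 'zINSTREAM\\0',
    then <4-byte big-endian length><bytes> chunks, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk):
        out += struct.pack(">I", len(data[i:i + chunk])) + data[i:i + chunk]
    return bytes(out + struct.pack(">I", 0))
```

Sending `instream_frames(raw)` over a socket to clamd for each value of `extract_uploads(...)` gives the PDF signatures a pure PDF to match, which is what the reply says the form-wrapped body does not provide.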
Re: Multipart form data virus file detection
P K,

Please open a bugzilla ticket at bugzilla.clamav.net. Please attach the
original PDF file and the multipart document. I think there is only
multipart support for mail, but we can take a look at the files and see
what needs to be done.

Thanks!


On Tue, Aug 18, 2015 at 2:24 PM, P K <pkopensrc@gmail.com> wrote: