Hi Guys,
I see when a virus file is uploaded as multipart/formdata its not detected
properly by ClamAv. If its not multipart/formdata it works properly.
I see few windows servers uploads file using multipart.
Any idea or pointer why it doesn't work with multipart/forms?
md5sum exploit.pdf
a3e8a7602797c69f6320225e8137d063 exploit.pdf
I was trying same exploit.pdf virus file (CVE-2009-4324) to upload in
Windows server and its not detected by ClamAv Antivirus.
*I tried with detect-pua also and it didn't worked for me*.
It works fine with curl and other software. *Maybe we have to handle
separately for windows server*.
*Below is output of virus file to clamav: *
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="destination"
*/AnalyticsReports-----------------------------21154944191352840482619583850Content-Disposition:
form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile";
filename="exploit.pdf"Content-Type: application/force-download*
%PDF-1.1
1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
endobj
2 0 obj
<< /Type /Outlines /Count 0 >>
endobj
3 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
4 0 obj
<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
endobj
5 0 obj
<< /Type /Action /S /JavaScript /JS (
VIRUS DATA .....................
...........................................
spray_heap();
trigger_bug();
) >>
endobj
xref
0 6
0000000000 65535 f
0000000010 00000 n
0000000096 00000 n
0000000145 00000 n
0000000205 00000 n
0000000279 00000 n
trailer
<< /Size 6 /Root 1 0 R >>
startxref
1787
%%EOF
-----------------------------21154944191352840482619583850
Content-Disposition: form-data;
name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
on
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="__spText1"
-----------------------------2115494419135284048261958385
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
http://www.clamav.net/contact.html#ml
I see when a virus file is uploaded as multipart/formdata its not detected
properly by ClamAv. If its not multipart/formdata it works properly.
I see few windows servers uploads file using multipart.
Any idea or pointer why it doesn't work with multipart/forms?
md5sum exploit.pdf
a3e8a7602797c69f6320225e8137d063 exploit.pdf
I was trying same exploit.pdf virus file (CVE-2009-4324) to upload in
Windows server and its not detected by ClamAv Antivirus.
*I tried with detect-pua also and it didn't worked for me*.
It works fine with curl and other software. *Maybe we have to handle
separately for windows server*.
*Below is output of virus file to clamav: *
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="destination"
*/AnalyticsReports-----------------------------21154944191352840482619583850Content-Disposition:
form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile";
filename="exploit.pdf"Content-Type: application/force-download*
%PDF-1.1
1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
endobj
2 0 obj
<< /Type /Outlines /Count 0 >>
endobj
3 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
4 0 obj
<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
endobj
5 0 obj
<< /Type /Action /S /JavaScript /JS (
VIRUS DATA .....................
...........................................
spray_heap();
trigger_bug();
) >>
endobj
xref
0 6
0000000000 65535 f
0000000010 00000 n
0000000096 00000 n
0000000145 00000 n
0000000205 00000 n
0000000279 00000 n
trailer
<< /Size 6 /Root 1 0 R >>
startxref
1787
%%EOF
-----------------------------21154944191352840482619583850
Content-Disposition: form-data;
name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
on
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="__spText1"
-----------------------------2115494419135284048261958385
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
http://www.clamav.net/contact.html#ml