Bug 12235 - pwdb password not working on some zips
Status: RESOLVED DUPLICATE of bug 12219
Product: ClamAV
Classification: ClamAV
Component: libclamav
stable
x86_64 GNU/Linux
P3 normal
0.101.0
Assigned To: ClamAV team
Depends on:
Blocks:
Reported: 2018-12-11 08:28 EST by Steve Basford
Modified: 2019-02-06 11:36 EST (History)

See Also:
QA Contact:


Attachments
7zip password as in example debug (924 bytes, application/octet-stream), 2018-12-11 08:28 EST, Steve Basford
info zip password as in above example (1.02 KB, application/octet-stream), 2018-12-11 08:28 EST, Steve Basford
test.pwdb as in example (59 bytes, application/octet-stream), 2018-12-11 08:29 EST, Steve Basford

Description Steve Basford 2018-12-11 08:28:04 EST
Created attachment 7490 [details]
7zip password as in example debug

This is using ClamAV clamav-0.99.4

Create a test.pwdb test file:

PWDB.Entry.1;Engine:81-255,Container:CL_TYPE_ZIP;0;infected

Create zip with password infected: a.zip (using Info-ZIP)
Create zip with password infected: b.zip (using 7zip)

Clamscan --database=test.pwdb a.zip --debug

LibClamAV debug: Recognized ZIP file
LibClamAV debug: cache_check: 1cef62e51ab13662af840de8f19a2901 is negative
LibClamAV debug: in cli_unzip
LibClamAV debug: cli_unzip: central @3b5
LibClamAV debug: cli_unzip: ch - flags 9 - method 8 - csize 308 - usize 726 - flen a - elen 11 - clen 0 - disk 0 - off 0
LibClamAV debug: cli_unzip: ch - fname: index.html
LibClamAV debug: cli_unzip: lh - ZMDNAME:1:index.html:1830:776:101693bc:8:1:1
LibClamAV debug: CDBNAME:CL_TYPE_ZIP:776:index.html:776:1830:1:1:269915068:00000000
LibClamAV debug: cli_unzip: lh - has data desc
LibClamAV debug: cli_unzip: decrypt - (v20) >> 0x00006053 0x4d8b6053 (moddate)
LibClamAV debug: cli_unzip: decrypt - password [PWDB.Entry.1] matches
LibClamAV debug: cli_unzip: decrypt - decrypted 764 bytes to C:\DOCUME~1\steveb\LOCALS~1\Temp\clamav-6d9c4fa33da49b4765446c0bb3776300.tmp\zip.decrypt.000
LibClamAV debug: cli_unzip: extracted to C:\DOCUME~1\steveb\LOCALS~1\Temp\clamav-6d9c4fa33da49b4765446c0bb3776300.tmp\zip.000
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data at 167

So, as you can see the password matched fine.

Clamscan --database=test.pwdb b.zip --debug

LibClamAV debug: Recognized ZIP file
LibClamAV debug: cache_check: 019bb0ac73ff5d6ce06403667c6d84dc is negative
LibClamAV debug: in cli_unzip
LibClamAV debug: cli_unzip: central @32a
LibClamAV debug: cli_unzip: ch - flags 1 - method 8 - csize 302 - usize 726 - flen a - elen 24 - clen 0 - disk 0 - off 0
LibClamAV debug: cli_unzip: ch - fname: index.html
LibClamAV debug: cli_unzip: lh - ZMDNAME:1:index.html:1830:770:101693bc:8:1:1
LibClamAV debug: CDBNAME:CL_TYPE_ZIP:770:index.html:770:1830:1:1:269915068:00000000
LibClamAV debug: cli_unzip: decrypt - (v20) >> 0x00001094 0x101693bc (crc32)
LibClamAV debug: cli_unzip: decrypt - skipping encrypted file, no valid passwords
LibClamAV debug: cli_unzip: ch - wrkcomplete
LibClamAV debug: cli_unzip: lh - ZMDNAME:1:index.html:1830:770:101693bc:8:1:1
LibClamAV debug: CDBNAME:CL_TYPE_ZIP:770:index.html:770:1830:1:1:269915068:00000000
LibClamAV debug: cli_unzip: decrypt - (v20) >> 0x00001094 0x101693bc (crc32)
LibClamAV debug: cli_unzip: decrypt - skipping encrypted file, no valid passwords
LibClamAV debug: cli_unzip: lh - wrkcomplete
LibClamAV debug: Matched signature for file type ZIP-SFX at 0

In the above case, no valid passwords are found... even though the password is the same.

7z e b.zip

Enter password (will not be echoed):
Everything is Ok

Size:       1830
Compressed: 924

Documents:

https://github.com/Cisco-Talos/clamav-devel/blob/288057e9d6b4938290d1c2134befc5d73ef71469/docs/UserManual/Signatures/EncryptedArchives.md
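To make the two "decrypt" trace lines concrete, here is an added example (not ClamAV's code) that implements the ZipCrypto header check the way the PKWARE APPNOTE defines it: after decrypting the 12-byte encryption header with the candidate password, only the last byte is compared, against the high byte of the CRC-32 when general-purpose flag bit 3 is clear (b.zip, flags 1) or the high byte of the DOS modification time when it is set (a.zip, flags 9, which stores a data descriptor). The b.zip trace prints 0x1094 against CRC 0x101693bc, so its top byte 0x10 does agree with the CRC's high byte. The 11 leading header bytes and all function names are constructed; the CRC 0x101693bc, mod time 0x4d8b6053 and password "infected" are taken from the report.

```c
#include <stdint.h>

/* ZipCrypto (PKWARE "traditional" encryption) key state, per APPNOTE section 6.1. */
typedef struct { uint32_t k0, k1, k2; } zc_keys;
static uint32_t crc32_byte(uint32_t crc, uint8_t c) {      /* one CRC-32 step, poly 0xEDB88320 */
    crc ^= c;
    for (int i = 0; i < 8; i++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    return crc;
}
static void zc_update(zc_keys *z, uint8_t c) {              /* feed one plaintext byte into the keys */
    z->k0 = crc32_byte(z->k0, c);
    z->k1 = (z->k1 + (z->k0 & 0xffu)) * 134775813u + 1u;
    z->k2 = crc32_byte(z->k2, (uint8_t)(z->k1 >> 24));
}
static uint8_t zc_stream_byte(const zc_keys *z) {           /* next keystream byte */
    uint32_t t = z->k2 | 2u;
    return (uint8_t)((t * (t ^ 1u)) >> 8);
}
static void zc_init(zc_keys *z, const char *password) {
    z->k0 = 0x12345678u; z->k1 = 0x23456789u; z->k2 = 0x34567890u;
    for (; *password; password++) zc_update(z, (uint8_t)*password);
}

/* Expected last byte of the decrypted header: high byte of the CRC-32, or of the DOS
 * mod time when general-purpose flag bit 3 (data descriptor) is set, because a
 * streaming writer does not know the CRC yet when it emits the local header. */
uint8_t zc_check_byte(uint16_t flags, uint32_t crc32, uint32_t dostime) {
    return (flags & 0x08u) ? (uint8_t)(dostime >> 8) : (uint8_t)(crc32 >> 24);
}
/* Encrypt a 12-byte header from 11 caller-supplied (here: constructed) bytes plus the check byte. */
void zc_encrypt_header(const char *pw, const uint8_t rnd[11], uint8_t check, uint8_t out[12]) {
    zc_keys z; zc_init(&z, pw);
    for (int i = 0; i < 12; i++) {
        uint8_t p = (i < 11) ? rnd[i] : check, t = zc_stream_byte(&z);
        zc_update(&z, p);                 /* keystream advances on the plaintext byte */
        out[i] = p ^ t;
    }
}
/* Decrypt the header into out[] and return its last byte. */
uint8_t zc_decrypt_header(const char *pw, const uint8_t in[12], uint8_t out[12]) {
    zc_keys z; zc_init(&z, pw);
    for (int i = 0; i < 12; i++) { out[i] = in[i] ^ zc_stream_byte(&z); zc_update(&z, out[i]); }
    return out[11];
}
/* Password check as specified for archives of version 2.0 and later: one byte only. A wrong
 * password still passes with probability 1/256, so the CRC of the inflated data remains the real test. */
int zc_password_ok(const char *pw, const uint8_t hdr[12], uint16_t flags, uint32_t crc32, uint32_t dostime) {
    uint8_t plain[12];
    return zc_decrypt_header(pw, hdr, plain) == zc_check_byte(flags, crc32, dostime);
}
```

Byte 10 of the header is deliberately left uninspected: for version 2.0+ archives it is random filler, and a check that also compares it will reject archives whose writer does not mirror the check value there.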
Comment 1 Steve Basford 2018-12-11 08:28:49 EST
Created attachment 7491 [details]
info zip password as in above example
Comment 2 Steve Basford 2018-12-11 08:29:34 EST
Created attachment 7492 [details]
test.pwdb as in example
Comment 3 Steve Basford 2018-12-11 08:51:45 EST
Technical output of a.zip and b.zip

7-Zip 17.01 beta (x86) : Copyright (c) 1999-2017 Igor Pavlov : 2017-08-28

Scanning the drive for archives:
1 file, 1044 bytes (2 KiB)

Listing archive: a.zip

--
Path = a.zip
Type = zip
Physical Size = 1044

----------
Path = index.html
Folder = -
Size = 1830
Packed Size = 776
Modified = 2018-12-11 12:02:38
Created = 
Accessed = 
Attributes = A
Encrypted = +
Comment = 
CRC = 101693BC
Method = ZipCrypto Deflate
Characteristics = 0x4453 UT : Encrypt Descriptor
Host OS = FAT
Version = 20
Volume Index = 0
Offset = 0
7-Zip 17.01 beta (x86) : Copyright (c) 1999-2017 Igor Pavlov : 2017-08-28

Scanning the drive for archives:
1 file, 924 bytes (1 KiB)

Listing archive: b.zip

--
Path = b.zip
Type = zip
Physical Size = 924

----------
Path = index.html
Folder = -
Size = 1830
Packed Size = 770
Modified = 2018-12-11 12:02:38
Created = 2014-08-18 13:48:47
Accessed = 2018-04-30 10:57:28
Attributes = AI
Encrypted = +
Comment = 
CRC = 101693BC
Method = ZipCrypto Deflate
Characteristics = NTFS : Encrypt
Host OS = FAT
Version = 20
Volume Index = 0
Offset = 0
Comment 4 Micah Snyder 2019-02-06 11:36:19 EST
Arnaud also found issues with the .pwdb database late last October.  There's good info in both tickets, so I'm marking this newer one as a duplicate.

*** This bug has been marked as a duplicate of bug 12219 ***