Actually, there are two so far, added on June 2 and 7:

% sigtool -f CVE_2022_30190-|sigtool --decode-sigs
VIRUS NAME: Win.Exploit.CVE_2022_30190-9951234-1
TDB: Engine:96-255,Container:CL_TYPE_OOXML_WORD,Target:7
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
targetmode="external"
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=9)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!

VIRUS NAME: Win.Exploit.CVE_2022_30190-9951407-0
TDB: Engine:96-255,Container:CL_TYPE_OOXML_XL,Target:7
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
targetmode="external"
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=8)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!

-Al-

> On Jun 9, 2022, at 5:16 AM, Vangelis Katsikaros via clamav-users 
> <clamav-users@lists.clamav.net> wrote:
> 
> Hi
> 
> I am not a security person so I apologize if the question sounds stupid. I'd 
> like to ask if there is a signature in the clamav DB to recognise Microsoft 
> word documents affected by the "Follina" - CVE-2022-30190 remote code 
> execution vulnerability.
> 
> Regards
> Vangelis
> _______________________________________________
> 
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/Cisco-Talos/clamav-documentation
> 
> https://docs.clamav.net/#mailing-lists-and-chat
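
The three subsignatures decoded above, re-expressed as a Python check over the `.rels` parts of an OOXML archive. This is an added example, not part of the original message and not ClamAV code; the function names, the size cap and the sample documents are constructed for illustration.

```python
import io
import re
import zipfile

NS = rb'<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
MAX_PART = 1 << 20  # skip oversized parts (cap chosen for this example)


def rels_matches(data: bytes, prefix_max: int = 9) -> bool:
    """Logical expression 0&1&2 from the decoded signature, on raw bytes.

    Simplification: ClamAV matches its own normalized text view of the part;
    here re.IGNORECASE stands in for SIGMOD NOCASE.
    """
    flags = re.IGNORECASE | re.DOTALL
    # SUBSIG 0, OFFSET 0: must start at the first byte of the part.
    sub0 = re.match(rb"<\?xml .*?" + re.escape(NS), data, flags)
    # SUBSIG 1, OFFSET ANY.
    sub1 = re.search(rb'targetmode="external"', data, flags)
    # SUBSIG 2, OFFSET ANY: bounded gaps, 9 for the Word entry, 8 for Excel.
    sub2 = re.search(rb'target=".{0,%d}http.{0,100}\.html!' % prefix_max, data, flags)
    return bool(sub0 and sub1 and sub2)


def scan_ooxml(blob: bytes, prefix_max: int = 9) -> list:
    """Return the names of relationship parts in the archive that match."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if not info.filename.endswith(".rels") or info.file_size > MAX_PART:
                continue
            if rels_matches(archive.read(info), prefix_max):
                hits.append(info.filename)
    return hits


def build_sample(target: str) -> bytes:
    """Constructed one-part archive with a single external relationship."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="constructed" Target="{target}" TargetMode="External"/>'
            '</Relationships>').encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

An ordinary external hyperlink does not match, because subsignature 2 requires the `.html!` suffix within 100 bytes of `http`.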


         