[Bug 1883857] Re: Not supported "uint32be" condition in yara rules

Fri, 26 Mar 2021 04:11:09 -0700 

I'm sorry for not answer in time:

I'm using the yara rules to block malware on the SMTP server within
spamassassin and clamd

These rules have the non supported uint32be

Regards,

rule packager_cve2017_11882 {
   meta:
      author = "Rich Warren"
      description = "Attempts to exploit CVE-2017-11882 using Packager"
      reference = 
"https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py";
      score = 60
   strings:
      $font = { 30 61 30 31 30 38 35 61  35 61 }
      $equation = { 45 71 75 61 74 69 6F 6E 2E 33 }
      $package = { 50 61 63 6b 61 67 65 }
      $header_and_shellcode = /03010[0,1][0-9a-fA-F]{108}00/ ascii nocase
   condition:
      uint32be(0) == 0x7B5C7274 // RTF header
      and all of them
}

rule CVE_2017_11882_RTF {
   meta:
      description = "Detects suspicious Microsoft Equation OLE contents as used 
in CVE-2017-11882"
      license = "https://creativecommons.org/licenses/by-nc/4.0/";
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2018-02-13"
      score = 60
   strings:
      $x1 = "4d534854412e4558452068747470" /* MSHTA.EXE http */
      $x2 = "6d736874612e6578652068747470" /* mshta.exe http */
      $x3 = "6d736874612068747470" /* mshta http */
      $x4 = "4d534854412068747470" /* MSHTA http */

      $s1 = "4d6963726f736f6674204571756174696f6e20332e30" ascii /* Microsoft 
Equation 3.0 */
      $s2 = "4500710075006100740069006f006e0020004e00610074006900760065" ascii 
/* Equation Native */
      $s3 = "2e687461000000000000000000000000000000000000000000000" /* .hta 
.... */
   condition:
      ( uint32be(0) == 0x7B5C7274 or uint32be(0) == 0x7B5C2A5C ) /* RTF */
      and filesize < 300KB and
      ( 1 of ($x*) or 2 of them )
}

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11882

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1883857

Title:
  Not supported "uint32be" condition in yara rules

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1883857/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to