Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: Specially Crafted EXE Files May Bypass Virus Scanner #345

Closed
Sewer56 opened this issue Apr 10, 2024 · 2 comments
Closed

bug: Specially Crafted EXE Files May Bypass Virus Scanner #345

Sewer56 opened this issue Apr 10, 2024 · 2 comments
Labels
bug Something isn't working crate:services:autumn crates/services/autumn

Comments

@Sewer56
Copy link

Sewer56 commented Apr 10, 2024
edited
Loading

What happened?

Note: This is filed as a 'bug' rather than a security vulnerability because it's not in scope of the criteria set in SECURITY.md, as it requires client interaction to be dangerous.

Context

Currently the file server uses the mime type obtained from the tree_magic library to determine file type.

https://github.com/revoltchat/autumn/blob/d4f4f72678ec083169d23e5daf979bf188bf41fe/src/routes/upload.rs#L62-L68

And the audio mime types are blindly accepted.

https://github.com/revoltchat/autumn/blob/d4f4f72678ec083169d23e5daf979bf188bf41fe/src/routes/upload.rs#L215-L220

The tree_magic library used here uses the signatures from usr/share/mime/magic.

Problem

It's possible to manually craft an EXE that gets detected as a WAV file, and therefore be treated as an Audio file during upload.

Code:

// Load a file
let input: &[u8] = include_bytes!("hello.exe");

// Find the MIME type of the file
let result = tree_magic::from_u8(input);

// returns WAVE instead of EXE

Sample file: hello-world.zip

Just replace the file path in the code.

Cause

It's possible to alter the EXE header such that it's instead detected as a WAV file.

The modification is done at offset 0x8 of the file, by adding a WAVE text in ASCII, so the file is detected as audio/vnd.wave (audio/wav) rather than application/x-ms-ne-executable.

0:0000  4D 5A 90 00 03 00 00 00 57 41 56 45 FF FF 00 00  MZ........WAVE........

Due to the priorities either in tree_magic or the source magic file, the WAVE magic can take priority over the EXE Header. Thus the application sees it as a music track, and does not scan the file.

The modified EXE will still run, because we modified the DOS header, which is mostly ignored by Windows.
(I tested in Wine, and then on Win10)
@Sewer56 Sewer56 added the bug Something isn't working label Apr 10, 2024
@insertish
Copy link
Member

insertish commented Sep 6, 2024
edited
Loading

Autumn re-write uses infer crate which correctly identifies this file as an executable.

https://github.com/revoltchat/backend/blob/main/crates/services/autumn/src/mime_type.rs#L8

CleanShot 2024-09-06 at 12 04 32@2x

@insertish insertish transferred this issue from revoltchat/autumn Sep 29, 2024
@insertish insertish added the crate:services:autumn crates/services/autumn label Sep 29, 2024
@insertish insertish changed the title Bug: Specially Crafted EXE Files May Bypass Virus Scanner bug: Specially Crafted EXE Files May Bypass Virus Scanner Sep 29, 2024
@github-project-automation github-project-automation bot moved this from 🏗 In Progress to ✅ Done in Revolt Project Oct 2, 2024
@Sewer56
Copy link
Author

Sewer56 commented Oct 3, 2024

👏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working crate:services:autumn crates/services/autumn
Projects
Revolt Project
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Sewer56 @insertish