Support for extracting attachments from OneNote section files #1048

Merged
merged 8 commits into from
Dec 11, 2023
402 changes: 149 additions & 253 deletions Cargo.lock


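--- a/clamd/server-th.c
+++ b/clamd/server-th.c
@@ -1291,6 +1291,13 @@ int recvloop(int *socketds, unsigned nsockets, struct cl_engine *engine, unsigne
 logg(LOGG_INFO, "HWP3 support disabled.\n");
 }
 
+if (optget(opts, "ScanOneNote")->enabled) {
+logg(LOGG_INFO, "OneNote support enabled.\n");
+options.parse |= CL_SCAN_PARSE_ONENOTE;
+} else {
+logg(LOGG_INFO, "OneNote support disabled.\n");
+}
+
 if (optget(opts, "PhishingScanURLs")->enabled) {
 /* TODO: Remove deprecated option in a future feature release */
 if ((optget(opts, "PhishingAlwaysBlockCloak")->enabled) ||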
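--- a/clamscan/clamscan.c
+++ b/clamscan/clamscan.c
@@ -304,6 +304,7 @@ void help(void)
 mprintf(LOGG_INFO, " --scan-html[=yes(*)/no] Scan HTML files\n");
 mprintf(LOGG_INFO, " --scan-xmldocs[=yes(*)/no] Scan xml-based document files\n");
 mprintf(LOGG_INFO, " --scan-hwp3[=yes(*)/no] Scan HWP3 files\n");
+mprintf(LOGG_INFO, " --scan-onenote[=yes(*)/no] Scan OneNote files\n");
 mprintf(LOGG_INFO, " --scan-archive[=yes(*)/no] Scan archive files (supported by libclamav)\n");
 mprintf(LOGG_INFO, " --alert-broken[=yes/no(*)] Alert on broken executable files (PE & ELF)\n");
 mprintf(LOGG_INFO, " --alert-broken-media[=yes/no(*)] Alert on broken graphics files (JPEG, TIFF, PNG, GIF)\n");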
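--- a/clamscan/manager.c
+++ b/clamscan/manager.c
@@ -1552,6 +1552,9 @@ int scanmanager(const struct optstruct *opts)
 if (optget(opts, "scan-hwp3")->enabled)
 options.parse |= CL_SCAN_PARSE_HWP3;
 
+if (optget(opts, "scan-onenote")->enabled)
+options.parse |= CL_SCAN_PARSE_ONENOTE;
+
 /* TODO: Remove deprecated option in a future feature release */
 if ((optget(opts, "algorithmic-detection")->enabled) && /* && used due to default-yes for both options */
 (optget(opts, "heuristic-alerts")->enabled)) {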
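--- a/common/optparser.c
+++ b/common/optparser.c
@@ -434,6 +434,8 @@ const struct clam_option __clam_options[] = {
 
 {"ScanHWP3", "scan-hwp3", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option enables scanning HWP3 files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes"},
 
+{"ScanOneNote", "scan-onenote", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option enables scanning OneNote files.\nIf you turn off this option, the original files will still be scanned, but\nwithout additional processing.", "yes"},
+
 {"ScanArchive", "scan-archive", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Scan within archives and compressed files.\nIf you turn off this option, the original files will still be scanned, but\nwithout unpacking and additional processing.", "yes"},
 
 {"ForceToDisk", "force-to-disk", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option causes memory or nested map scans to dump the content to disk.\nIf you turn on this option, more data is written to disk and is available\nwhen the leave-temps option is enabled at the cost of more disk writes.", "no"},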
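--- a/docs/man/clamd.conf.5.in
+++ b/docs/man/clamd.conf.5.in
@@ -479,6 +479,13 @@ If you turn off this option, the original files will still be scanned, but witho
 .br
 Default: yes
 .TP
+\fBScanOneNote BOOL\fR
+This option enables scanning OneNote files.
+.br
+If you turn off this option, the original files will still be scanned, but without additional processing.
+.br
+Default: yes
+.TP
 \fBScanArchive BOOL\fR
 Scan within archives and compressed files.
 .br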
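--- a/etc/clamd.conf.sample
+++ b/etc/clamd.conf.sample
@@ -426,6 +426,12 @@ Example
 # Default: yes
 #ScanHWP3 yes
 
+# This option enables scanning of OneNote files.
+# If you turn off this option, the original files will still be scanned, but
+# without additional processing.
+# Default: yes
+#ScanOneNote yes
+
 
 ##
 ## Mail files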
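--- a/libclamav/clamav.h
+++ b/libclamav/clamav.h
@@ -180,6 +180,7 @@ struct cl_scan_options {
 #define CL_SCAN_PARSE_OLE2 0x80
 #define CL_SCAN_PARSE_HTML 0x100
 #define CL_SCAN_PARSE_PE 0x200
+#define CL_SCAN_PARSE_ONENOTE 0x400
 
 /* heuristic alerting options */
 #define CL_SCAN_HEURISTIC_BROKEN 0x2 /* alert on broken PE and broken ELF files */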
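--- a/libclamav/dconf.c
+++ b/libclamav/dconf.c
@@ -118,6 +118,7 @@ static struct dconf_module modules[] = {
 {"DOCUMENT", "OOXML", DOC_CONF_OOXML, 1},
 {"DOCUMENT", "MSPML", DOC_CONF_MSXML, 1},
 {"DOCUMENT", "HWP", DOC_CONF_HWP, 1},
+{"DOCUMENT", "ONENOTE", DOC_CONF_ONENOTE, 1},
 
 {"MAIL", "MBOX", MAIL_CONF_MBOX, 1},
 {"MAIL", "TNEF", MAIL_CONF_TNEF, 1},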
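--- a/libclamav/dconf.h
+++ b/libclamav/dconf.h
@@ -109,6 +109,7 @@ struct cli_dconf {
 #define DOC_CONF_MSXML 0x80
 #define DOC_CONF_OOXML 0x100
 #define DOC_CONF_HWP 0x200
+#define DOC_CONF_ONENOTE 0x400
 
 /* Mail flags */
 #define MAIL_CONF_MBOX 0x1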
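--- a/libclamav/filetypes.c
+++ b/libclamav/filetypes.c
@@ -138,6 +138,7 @@ static const struct ftmap_s {
 { "CL_TYPE_EGG", CL_TYPE_EGG },
 { "CL_TYPE_EGGSFX", CL_TYPE_EGGSFX },
 { "CL_TYPE_UDF", CL_TYPE_UDF },
+{ "CL_TYPE_ONENOTE", CL_TYPE_ONENOTE },
 { NULL, CL_TYPE_IGNORED }
 };
 // clang-format on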
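--- a/libclamav/filetypes.h
+++ b/libclamav/filetypes.h
@@ -92,6 +92,7 @@ typedef enum cli_file {
 CL_TYPE_OOXML_HWP,
 CL_TYPE_PS,
 CL_TYPE_EGG,
+CL_TYPE_ONENOTE,
 
 /* Section for partition types */
 CL_TYPE_PART_ANY, /* unknown partition type */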
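--- a/libclamav/filetypes_int.h
+++ b/libclamav/filetypes_int.h
@@ -204,5 +204,6 @@ static const char *ftypes_int[] = {
 "0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS:81:121",
 "1:*:377abcaf271c:7zip-SFX:CL_TYPE_ANY:CL_TYPE_7ZSFX:74",
 "1:0:3c3f786d6c2076657273696f6e3d22312e3022{0-1024}70726f6769643d22576f72642e446f63756d656e74223f3e:Microsoft Word 2003 XML Document:CL_TYPE_ANY:CL_TYPE_XML_WORD:80",
+"0:0:e4525c7b8cd8a74daeb15378d02996d3:Microsoft OneNote Document:CL_TYPE_ANY:CL_TYPE_ONENOTE:200",
 NULL};
 #endif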
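Review bot: The new built-in type signature is a bare 16-byte hex pattern with nothing saying what it matches, so a reader has to decode it by hand; a one-line comment above the entry would fix that, e.g. `/* OneNote section (.one) file header GUID {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3} in on-disk little-endian field order */` — those bytes are exactly the hex string on the added line. It is an exact match at offset 0, so only files beginning with that header are routed to CL_TYPE_ONENOTE; a notebook table-of-contents file carries a different header and would stay CL_TYPE_ANY, which is worth confirming as the intended scope. The trailing `200` presumably is the minimum functionality level; if so it should match the FLEVEL of the release this ships in.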
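--- a/libclamav/libclamav.map
+++ b/libclamav/libclamav.map
@@ -292,6 +292,7 @@ CLAMAV_PRIVATE {
 readdb_parse_ldb_subsignature;
 fuzzy_hash_calculate_image;
 ffierror_fmt;
+cli_magic_scan_buff;
 
 __cli_strcasestr;
 __cli_strndup;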
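--- a/libclamav/others.h
+++ b/libclamav/others.h
@@ -191,6 +191,7 @@ typedef struct recursion_level_tag {
 } recursion_level_t;
 
 typedef void *evidence_t;
+typedef void *onedump_t;
 
 /* internal clamav context */
 typedef struct cli_ctx_tag {
@@ -568,6 +569,7 @@ extern LIBCLAMAV_EXPORT int have_rar;
 #define SCAN_PARSE_OLE2 (ctx->options->parse & CL_SCAN_PARSE_OLE2)
 #define SCAN_PARSE_HTML (ctx->options->parse & CL_SCAN_PARSE_HTML)
 #define SCAN_PARSE_PE (ctx->options->parse & CL_SCAN_PARSE_PE)
+#define SCAN_PARSE_ONENOTE (ctx->options->parse & CL_SCAN_PARSE_ONENOTE)
 
 #define SCAN_HEURISTIC_BROKEN (ctx->options->heuristic & CL_SCAN_HEURISTIC_BROKEN)
 #define SCAN_HEURISTIC_BROKEN_MEDIA (ctx->options->heuristic & CL_SCAN_HEURISTIC_BROKEN_MEDIA)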
2 changes: 1 addition & 1 deletion libclamav/png.c
Expand Up @@ -137,7 +137,7 @@ cl_error_t cli_parsepng(cli_ctx *ctx)
if (chunk_data_length > 0) {
ptr = (uint8_t *)fmap_need_off_once(map, offset, chunk_data_length);
if (NULL == ptr) {
cli_warnmsg("PNG: Unexpected early end-of-file.\n");
cli_dbgmsg("PNG: Unexpected early end-of-file.\n");
if (SCAN_HEURISTIC_BROKEN_MEDIA) {
status = cli_append_potentially_unwanted(ctx, "Heuristics.Broken.Media.PNG.EOFReadingChunk");
}
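Review bot: Lowering the early-EOF message from cli_warnmsg to cli_dbgmsg removes the only trace of a truncated PNG that appears without the broken-media heuristic, since the Heuristics.Broken.Media.PNG.EOFReadingChunk indicator on the next line is only recorded when SCAN_HEURISTIC_BROKEN_MEDIA is set. That is probably a deliberate noise reduction (truncated images embedded in documents are a plausible trigger, though this page does not say), but the change is unrelated to the OneNote feature and nothing explains it; a comment would stop the next reader from restoring the warning, e.g. `/* debug-level: truncation is surfaced via the Broken.Media heuristic when that is enabled */`. The rest of cli_parsepng is outside the hunk.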
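--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -4591,6 +4591,11 @@ cl_error_t cli_magic_scan(cli_ctx *ctx, cli_file_t type)
 ret = cli_scanegg(ctx);
 break;
 
+case CL_TYPE_ONENOTE:
+if (SCAN_PARSE_ONENOTE && (DCONF_ARCH & DOC_CONF_ONENOTE))
+ret = scan_onenote(ctx);
+break;
+
 case CL_TYPE_OOXML_WORD:
 case CL_TYPE_OOXML_PPT:
 case CL_TYPE_OOXML_XL: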
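--- a/libclamav_rust/Cargo.toml
+++ b/libclamav_rust/Cargo.toml
@@ -20,6 +20,8 @@ base64 = "0.21.0"
 sha1 = "0.10.5"
 unicode-segmentation = "1.10.1"
 bindgen = "0.65"
+onenote_parser = { git = "https://github.com/Cisco-Talos/onenote.rs.git", branch = "CLAM-2329-new-from-slice" }
+hex-literal = "0.4.1"
 
 [lib]
 crate-type = ["staticlib"]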
6 changes: 5 additions & 1 deletion libclamav_rust/build.rs
Expand Up @@ -52,6 +52,7 @@ const BINDGEN_FUNCTIONS: &[&str] = &[
"cli_versig2",
"cli_getdsig",
"cli_get_debug_flag",
"cli_magic_scan_buff",
];

// Generate bindings for these types (structs, enums):
Expand All @@ -61,6 +62,7 @@ const BINDGEN_TYPES: &[&str] = &[
"cli_ac_result",
"css_image_extractor_t",
"css_image_handle_t",
"onedump_t",
];

// Find the required functions and types in these headers:
Expand All @@ -70,6 +72,8 @@ const BINDGEN_HEADERS: &[&str] = &[
"../libclamav/others.h",
"../libclamav/dsig.h",
"../libclamav/htmlnorm.h",
"../libclamav/fmap.h",
"../libclamav/scanners.h",
];

// Find the required headers in these directories:
Expand Down Expand Up @@ -135,7 +139,7 @@ fn execute_bindgen() -> Result<(), &'static str> {
// Silence code-style warnings for generated bindings.
.raw_line("#![allow(non_snake_case, non_camel_case_types, non_upper_case_globals)]")
// Make the bindings pretty.
.rustfmt_bindings(true)
.formatter(bindgen::Formatter::Rustfmt)
// Disable the layout tests.
// We're committing to source control. Pointer width, integer size, etc
// are probably not the same when generated as when compiled.
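--- a/libclamav_rust/cbindgen.toml
+++ b/libclamav_rust/cbindgen.toml
@@ -36,6 +36,7 @@ include = [
 "evidence::evidence_num_indicators_type",
 "evidence::evidence_add_indicator",
 "evidence::IndicatorType",
+"scanners::scan_onenote",
 ]
 
 # prefix = "CAPI_"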
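Review bot: `scanners::scan_onenote` becomes a C-callable entry point that cli_magic_scan invokes on attacker-controlled file content, and nothing in this diff shows whether the Rust side stops a panic in the parser from unwinding across the FFI boundary — for an `extern "C"` function that is undefined behaviour at best and an abort of the scanning process at worst, which turns a malformed file into a denial of service. Worth confirming that the exported function runs the parse under `std::panic::catch_unwind` and maps a panic to a scan error code, or that the crate is knowingly built with `panic = "abort"`. A doc comment on the Rust function stating the contract, e.g. `/// Must never unwind: parser failures are returned as an error code to the C caller.`, would keep that expectation visible to future edits.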