From 9757b0e85c8347838d2c2d329dbdf1ac44ba492e Mon Sep 17 00:00:00 2001
From: devttys0 <heffnercj@gmail.com>
Date: Mon, 27 Oct 2014 15:27:19 -0400
Subject: [PATCH] Improved validation for multiple signatures

---
 src/magic/archives | 16 ++++++++++++++--
 src/magic/compressed | 7 +++++--
 src/magic/executables | 14 ++++++++------
 src/magic/firmware | 35 +++++++++++++++++++++++------------
 src/magic/images | 14 +++++++++++++-
 src/magic/sql | 2 +-
 6 files changed, 64 insertions(+), 24 deletions(-)

diff --git a/src/magic/archives b/src/magic/archives
index 3a073f4..5760276 100644
--- a/src/magic/archives
+++ b/src/magic/archives
@@ -111,8 +111,20 @@
 >7 byte >9 invalid os
 >7 byte <0 invalid os

-# RAR archiver (Greg Roelofs, newt@uchicago.edu)
-0 string Rar! RAR archive data
+# RAR archiver (http://kthoom.googlecode.com/hg/docs/unrar.html)
+0 string \x52\x61\x72\x21\x1A\x07\x00 RAR archive data, first volume type:
+>9 ubyte <0x72 invalid
+>9 ubyte >0x7B invalid
+>9 ubyte 0x72 MARK_HEAD
+>9 ubyte 0x73 MAIN_HEAD
+>9 ubyte 0x74 FILE_HEAD
+>9 ubyte 0x75 COMM_HEAD
+>9 ubyte 0x76 AV_HEAD
+>9 ubyte 0x77 SUB_HEAD
+>9 ubyte 0x78 PROTECT_HEAD
+>9 ubyte 0x79 SIGN_HEAD
+>9 ubyte 0x7A NEWSUB_HEAD
+>9 ubyte 0x7B ENDARC_HEAD

 # HPACK archiver (Peter Gutmann, pgut1@cs.aukuni.ac.nz)
 0 string HPAK HPACK archive data
diff --git a/src/magic/compressed b/src/magic/compressed
index a20b6a4..c8bf075 100644
--- a/src/magic/compressed
+++ b/src/magic/compressed
@@ -55,8 +55,11 @@
 >>17 byte =0x0E os: Win32

 # lzip
-0 string LZIP lzip compressed data
->4 byte x \b, version: %d
+0 string LZIP lzip compressed data,
+>4 ubyte 0 invalid
+# Current version is still 1.x
+>4 ubyte >4 invalid
+>4 byte x version: %d

 # lrzip
 0 string LRZI lrzip compressed data
diff --git a/src/magic/executables b/src/magic/executables
index d121b22..4eb37b9 100644
--- a/src/magic/executables
+++ b/src/magic/executables
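Review bot: The new 7-byte marker `\x52\x61\x72\x21\x1A\x07\x00` only matches RAR 1.5–4.x archives; the RAR5 marker is `Rar!\x1A\x07\x01\x00`, so RAR5 archives that the old `Rar!` prefix still caught are now not reported at all. Add a second entry, `0 string \x52\x61\x72\x21\x1A\x07\x01\x00 RAR archive data, version 5`, so the tightened match does not silently drop a format. The `>9 ubyte` table also labels every block type after the marker, while in a well-formed archive the block following the marker block is MAIN_HEAD (0x73) — if that holds for the samples you have, flagging the other values `invalid` would cut more false positives than naming them. Since offset 9 is the HEAD_TYPE of the block following the marker, `first volume type:` is a misleading label; `first block type:` describes what is printed.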
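Review bot: The lzip header has a third field the hunk leaves unchecked: byte 5 is the coded dictionary size, whose low five bits are a base-2 exponent the format restricts to 12–29, so `>5 ubyte&0x1F <12 invalid` and `>5 ubyte&0x1F >29 invalid` would reject most random data that happens to start with `LZIP` — confirm the `type&mask` form is accepted by the magic parser binwalk uses. The comment `# Current version is still 1.x` also does not match the check beneath it, which still accepts versions 2–4; if only version 1 is meant, `>4 ubyte >1 invalid` says so, and if the headroom is intentional the comment should state why.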
@@ -337,12 +337,14 @@
 # cisco: file(1) magic for cisco Systems routers
 #
 # Most cisco file-formats are covered by the generic elf code
-0 string \x85\x01\x14 Cisco IOS microcode
->7 string >\0
->>7 string x for "%s"
-0 string \x85\x01\xcb Cisco IOS experimental microcode
->7 string >\0
->>7 string x for "%s"
+0 string \x85\x01\x14 Cisco IOS microcode,
+>7 string x for "%s"
+#>7 string >\0
+#>>7 string x for "%s"
+0 string \x85\x01\xcb Cisco IOS experimental microcode,
+>7 string x for "%s"
+#>7 string >\0
+#>>7 string x for "%s"

 # EST flat binary format (which isn't, but anyway)
 # From: Mark Brown <broonie@sirena.org.uk>
diff --git a/src/magic/firmware b/src/magic/firmware
index b861526..c2b2a98 100644
--- a/src/magic/firmware
+++ b/src/magic/firmware
@@ -128,16 +128,19 @@
 >4 beshort 0x2a05 image type: CCFG,
 >4 beshort 0x6ce8 image type: DCFG,
 >4 beshort 0xc371 image type: LOG,
->6 byte x header version: %d,
+>6 byte x header version: %d,
+>10 ubyte >12 invalid month
+>12 ubyte >31 invalid day
+>8 ubyte >3000 invalid year
 #month
->10 byte x created: %d/
+>10 byte x created: %d/
 #day
->12 byte x \b%d/
+>12 byte x \b%d/
 #year
->8 beshort x \b%d,
->16 belong x image size: %d bytes,
->22 byte x body checksum: 0x%X,
->23 byte x header checksum: 0x%X
+>8 beshort x \b%d,
+>16 belong x image size: %d bytes,
+>22 byte x body checksum: 0x%X,
+>23 byte x header checksum: 0x%X

 # Linksys WRT54GX ROME image
 0 belong 0x59a0e842 Realtek firmware header, ROME bootloader,
@@ -149,6 +152,9 @@
 >4 beshort 0x6ce8 image type: DCFG,
 >4 beshort 0xc371 image type: LOG,
 >6 byte x header version: %d,
+>10 ubyte >12 invalid month
+>12 ubyte >31 invalid day
+>8 ubyte >3000 invalid year
 #month
 >10 byte x created: %d/
 #day
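Review bot: The four `#>7 string >\0` / `#>>7 string x for "%s"` lines kept under each Cisco entry are commented-out code left behind by the rewrite; delete them, or if they are meant to record why the `>\0` guard was dropped, replace them with a one-line comment that says so — the reason is not visible in the hunk, so I can only guess at it. Dropping the guard also changes output for an empty string at offset 7: the entry now prints `for ""` where the old version suppressed the suffix. Both entries still key on a 3-byte magic with no field check added, which makes them the loosest matches in a commit titled "Improved validation"; if the microcode header has a fixed field after offset 7, gating on it would be worth more than the label change.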
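Review bot: `>8 ubyte >3000 invalid year` can never fire — an unsigned byte tops out at 255, and the year is printed a few lines below as a `beshort` at the same offset, so the check reads only the high byte and compares it against an unreachable bound. It should be `>8 beshort >3000 invalid year`; a floor such as `>8 beshort <1990 invalid year` would also catch the zeroed header that padding produces. The month and day checks bound only from above, so `>10 ubyte 0 invalid month` and `>12 ubyte 0 invalid day` are needed to reject the all-zero case as well.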
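Review bot: The ROME entry repeats the dead check from the hunk above it: `>8 ubyte >3000 invalid year` compares a single byte against 3000 and so marks nothing invalid, while the year this entry prints is read as a `beshort` at offset 8 (the printing line lies just past the end of the hunk). Use `>8 beshort >3000 invalid year` here too, and add `>10 ubyte 0 invalid month` / `>12 ubyte 0 invalid day` so a zeroed date is rejected. The rest of the entry is outside the hunk.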
@@ -234,8 +240,13 @@

 # --------------------------------
 # Microsoft Xbox data file formats
-0 string XIP0 XIP, Microsoft Xbox data
-0 string XTF0 XTF, Microsoft Xbox data
+# http://home.comcast.net/~admiral_powerslave/filestructure.html
+0 string XIP0 XIP, Microsoft Xbox data,
+>12 lelong x total size: %d
+>16 lelong !0 invalid
+>24 lelong !0 invalid
+
+0 string XTF0\x00\x00\x00 XTF, Microsoft Xbox data

 #Windows CE Binary Image Data Format aka B000FF
 #More information on the format:
@@ -308,7 +319,7 @@
 #>0 string x "%s"

 # Firmware header used by some TV's
-0 string FNIB ZBOOT firmware header, header size: 32 bytes,
+0 string FNIB ZBOOT firmware header, header size: 32 bytes,
 >8 lelong x load address: 0x%.8X,
 >12 lelong x start address: 0x%.8X,
 >16 lelong x checksum: 0x%.8X,
@@ -564,10 +575,10 @@

 >18 string x loader version: "%.4s",

-0 string ELSC LANCOM WWAN firmware,
+0 string ELSC LANCOM WWAN firmware
 >4 ubyte 3
 >>5 beshort 0
->>7 string x "%s"
+>>7 string x \b, "%s"

 0 string ELSP LANCOM file entry
 >202 string @(RECENT_FIRMWARE)/ \b, file name:
diff --git a/src/magic/images b/src/magic/images
index 62dc949..2f60466 100644
--- a/src/magic/images
+++ b/src/magic/images
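Review bot: `>12 lelong x total size: %d` prints a signed value and nothing rejects a zero or negative size, so a corrupt XIP0 header can pass both new `!0` checks and still be reported with a size of `0` or `-1`; if the field is unsigned in the format, `>12 ulelong 0 invalid` followed by `>12 ulelong x total size: %d` is what the surrounding validation lines are aiming for. XTF0 now gets a 7-byte match but no field checks while XIP0 gets three; if the cited layout page describes the XTF0 header too, gating it the same way keeps the two entries consistent. I cannot confirm the field semantics from the hunk — the offsets are taken on trust from the referenced page.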
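Review bot: `>4 ubyte 3` and `>>5 beshort 0` gate only the printed name, so an `ELSC` match with any other version byte is still reported as `LANCOM WWAN firmware`, without the `invalid` marker every other entry this commit touches uses for a failed check. If 3 is the only version the format has, `>4 ubyte !3 invalid` and `>>5 beshort !0 invalid` turn the gate into a real check; if other versions exist, that is a deliberate choice worth a one-line comment above the entry. The hunk does not show where the version constraint came from, so this is a question as much as a fix.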
@@ -1,8 +1,20 @@
 # Tag Image File Format, from Daniel Quinlan (quinlan@yggdrasil.com)
 # The second word of TIFF files is the TIFF version number, 42, which has
 # never changed. The TIFF specification recommends testing for it.
-0 string MM\x00\x2a TIFF image data, big-endian
+0 string MM\x00\x2a TIFF image data, big-endian,
+>4 belong 0 invalid
+>4 belong <0 invalid
+# First image directory must begin on an even byte boundary
+>4 belong &1 invalid
+>4 belong >10000000 invalid
+>4 belong x offset of first image directory: %d
+
 0 string II\x2a\x00 TIFF image data, little-endian
+>4 lelong 0 invalid
+>4 lelong <0 invalid
+>4 lelong &1 invalid
+>4 lelong >10000000 invalid
+>4 lelong x offset of first image directory: %d

 # PNG [Portable Network Graphics, or "PNG's Not GIF"] images
 # (Greg Roelofs, newt@uchicago.edu)
diff --git a/src/magic/sql b/src/magic/sql
index 4ecddcc..fb2032a 100644
--- a/src/magic/sql
+++ b/src/magic/sql
@@ -25,7 +25,7 @@
 >3 string <1 invalid
 >3 string >\11 invalid
 >3 byte x Version %d
-0 string \376bin MySQL replication log
+#0 string \376bin MySQL replication log

 #------------------------------------------------------------------------------
 # iRiver H Series database file
-- 
libgit2 0.26.0
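Review bot: `>4 belong 0 invalid` and `>4 belong <0 invalid` still let an IFD offset of 2, 4 or 6 through, although the first IFD cannot start inside the 8-byte TIFF header; `>4 belong <8 invalid` subsumes both checks and is what the header layout actually requires. The `>10000000 invalid` ceiling is a heuristic rather than a format rule — writers commonly place the IFD after the pixel data, so a TIFF larger than about 10 MB will be tagged invalid; either raise it well beyond expected image sizes or record the trade-off next to it, e.g. `# arbitrary ceiling to cut false positives; large TIFFs often put the IFD after the pixel data`. The same two points apply to the little-endian `lelong` lines.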