InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

External filters not working

https://forums.informaction.com/viewtopic.php?t=11342

Page 1 of 1

External filters not working

Posted: Mon Dec 31, 2012 12:09 pm
by access2godzilla
It seems that NS has the ability to scan plugin content using an external utility. NS documentation all over the place mention of Blitzableiter, but then it is very old and probably abondoned, so I decided to write my own, with the help of this post ( http://forums.informaction.com/viewtopi ... 582#p38005 ).

(The configuration below is targeted towards Linux, however, a similar thing has been tried for Windows with the same filters ( http://forums.informaction.com/viewtopic.php?f=7&t=9990 ) with the same results as me.)

I downloaded the Avast4Linux scanner which contains a CLI scanner, which can be invoked as follows:

Code: Select all

avast [FILE]
Of course the antivirus doesn't act like Blitzableiter would, so I wrote a shell script that acts as a middleman within the script and avast scanner. The script accepts arguments in the following form:

Code: Select all

nsfilter.sh [INPUT_FILE] [OUTPUT_FILE]
The source is as below:

Code: Select all

#!/bin/bash

# This script acts as an interface between the antivirus and NS. This script is targeted at avast antivirus, however, if you use any other antivirus, please modify the later sections according to the values it returns. Avast returns 0 for clean file, 1-5 for infected files, and others for errors with the antivirus itself.

# Point filterpath to whereever the antivirus binary file lies.
filterpath=/usr/bin/avast

# Check if we have both parameters
if [ -z "$1" ] || [ -z "$2" ] ; then
	zenity --error --text "This script was invoked without proper parameters."
	exit 2
# Check if the input file is readable
elif [ ! -r "$1" ] ; then
	zenity --error --text "The file to be scanned is not readable."
	exit 3
fi

# Store the output and error code
# `-n' is avast specific, to tell it not to print statistics. Please remove this option if you use another antivirus.
report=`"$filterpath" -n "$1" &> /dev/stdout`
errorlevel=$?

# File is clean, and can be copied over.
if [ $errorlevel == 0 ] ; then
	# Enable the next line only to test if the script is working. During browsing, you don't want to be interfered with "clean file, will be loaded" messages.	
	# zenity --info --text "The plugin content was found to be clean and will be loaded."
	report=`cp "$1" "$2" &> /dev/stdout`
	# Handle file copying errors
	if [ $? != 0 ] ; then
		zenity --error --text "An error occured while copying the file\n\n$report"
		exit 4
	fi
	exit 0
# File is malicious, display warning to user
elif [ $errorlevel -gt 0 ] && [ $errorlevel -lt 6 ] ; then
	zenity --warning --text "The plugin content was found to be malicious and will not be loaded.\n\n$report"
	exit 1
# Error on the part of the antivirus or system setup
else
	zenity --error --text "The external filter returned an error:\n\n$report"
	exit 4
fi
Then I made it executable (scripts and programs you download or write/compile aren't executable by default, they have to be made executable):

Code: Select all

chmod +x ~/nsfilter.sh
While setting the external filter in NS, the settings were not applied immediately. I thought that the change would take place after a restart, so I restarted Firefox to apply the changes. Noscript still kept forgetting and I had to set the preference multiple number of times to get it working.

I did not set any exceptions. The MIMEtypes to be scanned are:

Code: Select all

shockwave|futuresplash|java|pdf
Now, to test whether it is working, I went to Youtube and tried to watch a video, and I found out that video content takes forever to load. Is it a bug in Noscript?

This is not a problem with the script or with the antivirus. I tested my script before using it as an external filter, with both malicious and non-malicious files, and it works correctly.

Or am I missing something?

Thanks in advance.

EDIT: I am using Ubuntu 10.04 and Firefox 17.0.1, despite whatever my UA says below.

[edited comments in the script to remove ambiguity]

Re: External filters not working

Posted: Mon Dec 31, 2012 12:45 pm
by Thrawn
Someone can correct me if I'm wrong, but I don't believe that the 'External Filters' feature is intended for virus scans. Blitzableiter is actually meant to interpret Flash files and recreate them in a canonical form, guaranteed not to cause buffer overruns and other such nasties. So, NoScript would be expecting your virus scanner to pass back a sanitised version of the Flash files that you pass to it - which obviously is not what the antivirus is meant to do.

You might be better off with a link-scanning service like VTZilla or Dr Web.

Re: External filters not working

Posted: Mon Dec 31, 2012 2:01 pm
by access2godzilla
Thrawn wrote:Someone can correct me if I'm wrong, but I don't believe that the 'External Filters' feature is intended for virus scans.
External filters aren't meant for virus scans, but antiviruses will detect malicious plugin content (Adobe Libtiff PDFs, Malicious JARs and SWF exploits), and this is what I am trying to leverage.
Blitzableiter is actually meant to interpret Flash files and recreate them in a canonical form, guaranteed not to cause buffer overruns and other such nasties.
I thought of using Blitzabeiter, but there are various problems with it:
  • Blitzabeiter is based on .NET, which I prefer not to have installed on my computer, due to its bugs, security loopholes and unexpected behaviour on some systems. (I used a heavily stripped down version of Windows, and installing .NET on it makes Windows to show unexpected behaviours like missing columns in task manager.)
  • Very old, last developed in 2011. For other software, this might be normal; for security software, it implies that it might have been abondoned as well.
So, NoScript would be expecting your virus scanner to pass back a sanitised version of the Flash files that you pass to it - which obviously is not what the antivirus is meant to do.
The antivirus simply scans the file (in this case, the plugin content) and reports whether it is infected or clean, along with a return code, and that's all the antivirus does.

The actual work is done by the script (see the original post), which is a wrapper over the antivirus which accepts the parameters [INPUT_FILE] (location of the plugin content) and [OUTPUT_FILE] (location of the sanitized plugin content), feeding [INPUT_FILE] to the antivirus to check if it's infected or not, and if it is not infected, copies the file to [OUTPUT_FILE].

If it's infected, a benign file is not copied that warns about the malicious plugin content (as does Blitzableiter), but a dialog is shown to the user warning that the content is malicious and that it will not be loaded.

I strongly believe that this is a bug. The whole code of external filters is buggy (right from enabling it to making it show the non-malicious content).

@Thrawn, it seems that you are using Linux, so could you test this and confirm?

[edited to correct some typos]

Re: External filters not working

Posted: Tue Jan 01, 2013 10:48 am
by access2godzilla
Since I did not get any useful replies, I tried to use NS with Blitzableiter on Firefox 16.0.2, Windows XP. The same results there: the NS placeholder is clicked, the content takes millions of years to load. It looks like a bug in NS itself.

However, from the error console (on both installations, Windows and Linux):

Code: Select all

Timestamp: 01/01/2013 xx:xx:xx            [time masked out intentionally]
Error: ce.setSecurityInfo is not a function
Source File: chrome://noscript/content/ExternalFilters.js
Line: 611
However, after modifying the script like this:

Code: Select all

# ...
	exit 3
fi

zenity --info --text "Invoked with arguments:\n\n\$1=$1\n\$2=$2" # Modification

report=`"$filterpath" -n "$1" &> /dev/stdout`
# ...
I noticed the following:
Image
This means flash player is started without being even supplied the file. Or so I think.

This is quite a critical bug in a beautifully working piece of software. Can Giorgio look into this?

Re: External filters not working

Posted: Tue Jan 01, 2013 11:24 am
by Giorgio Maone
The external filters feature has been practically abandoned months ago, since Blitzableiter was the only client officially supported.
Anyway, since it was designed to be general, I'm gonna look into the bug. Just, it's not a top priority, for the reason stated above.

Re: External filters not working

Posted: Wed Jan 09, 2013 5:27 pm
by access2godzilla
Bug fixed in 2.6.4.3-rc1. Thanks, for the quick bugfix, Giorgio.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited