|
|
|
|
| |
"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library."
ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the `clamd' process by sending an email with a prepared attachment. |
| |
Credit:
The information has been provided by Moritz Jodeit.
|
| |
Vulnerable Systems:
* ClamAV version 0.94
Immune Systems:
* ClamAV version 0.94.1
The vulnerability occurs inside the get_unicode_name() function in libclamav/vba_extract.c when a specific `name' buffer is passed to it.
101 static char *
102 get_unicode_name(const char *name, int size, int big_endian)
103 {
104 int i, increment;
105 char *newname, *ret;
106
107 if((name == NULL) || (*name == '\0') || (size <= 0))
108 return NULL;
109
110 newname = (char *)cli_malloc(size * 7);
First the `size' of the `name' buffer multiplied by 7 is used to allocate the destination buffer `newname'. When the `name' buffer only consists of characters matching some specific criteria [1] and `big_endian' is set, the following loop can write exactly 7 characters into the allocated destination buffer `newname' per character found in source buffer `name'.
This effectively fills up the destination buffer completely. After the loop in line 143, the terminating NUL byte is written and overflows the allocated buffer on the heap.
143 *ret = '\0';
144
145 /* Saves a lot of memory */
146 ret = cli_realloc(newname, (ret - newname) + 1);
147 return ret ? ret : newname;
148 }
[1] Every character matching the following condition results in 7 characters written to the destination buffer:
(c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)
A VBA project file embedded inside an OLE2 office document send as an attachment can trigger the off-by-one.
Vendor response:
2008/10/16 - Initial report to vendor
2008/10/16 - Vulnerability acknowledged by acab@clamav.net
2008/11/03 - Release of version 0.94.1
|
|
|
|
|
