SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Security)  >  Clam AntiVirus
Vendors:  clamav.sourceforge.net
Clam AntiVirus Integer Overflow in Processing UPX File PE Headers Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015887
SecurityTracker URL:  http://securitytracker.com/id?1015887
CVE Reference:  CVE-2006-1614   (Links to External Site)
Date:  Apr 10 2006
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Exploit Included:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 0.88.1
Description:  A vulnerability was reported in Clam AntiVirus. A remote user can execute arbitrary code on the target system.

A remote user can create a specially crafted UPX-compressed file that, when processed by the target system, will trigger an integer overflow in cli_scanpe() and execute arbitrary code on the target system. The code will run with the privileges of the target anti-virus service.

Damian Put of overflow.pl reported this vulnerability.

A demonstration exploit file is available at:

http://overflow.pl/poc/crafted_upx.exe

The original advisory is available at:

http://www.overflow.pl/adv/clamavupxinteger.txt

Impact:  A remote user can execute arbitrary code on the target system.
Solution:  The vendor has issued a fixed version (0.88.1), available at:

http://www.clamav.net/stable.php#pagestart

Vendor URL:  www.clamav.net/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  Damian Put <pucik@overflow.pl>
Message History:   None.


 Source Message Contents

Date:  Thu, 06 Apr 2006 18:10:48 +0200
From:  Damian Put <pucik@overflow.pl>
Subject:  [Overflow.pl] Clam AntiVirus Win32-UPX Heap Overflow (not default


 
Overflow.pl Security Advisory #5

Clam AntiVirus Win32-UPX Heap Overflow (not default configuration)

Vendor: Clam AntiVirus
Affected version: Prior to 0.88.1
Vendor status: Fixed version released (0.88.1)

Author: Damian Put <pucik@overflow.pl>
URL: http://www.overflow.pl/adv/clamavupxinteger.txt
Date: 5.04.2006

1. Background

"Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The package
provides a flexible and scalable multi-threaded daemon, a command line scanner,
and a tool for automatic updating via Internet. The programs are based on a
shared library distributed with the Clam AntiVirus package, which you can use
with your own software. Most importantly, the virus database is kept up to date"

http://www.clamav.net


2. Description

Remote exploitation of an integer overflow vulnerability could allow execution
of arbitrary code or cause denial of service.

An integer overflow leading to a heap overflow exists in the cli_scanpe() function,
which is used to read Win32 files.

The vulnerable code is:

libclamav/pe.c:

....
          if((dest = (char *) cli_calloc(dsize + 1024 + nsections * 40, sizeof(char))) == NULL) {
            free(section_hdr);
            free(src);
            return CL_EMEM;
          }
...

Before the cli_calloc call, we should check that "dsize + 1024 + nsections * 40" does not
overflow the integer variable. We can control the values of the "dsize" and "nsections"
variables, so exploitation of this vulnerability is possible with a specially
crafted file. Unfortunately, "dsize" cannot be larger than ArchiveMaxFileSize,
so this bug doesn't apply to the default configuration of ClamAV.


Next, "dest" is used in the upx_inflate() function if the section is compressed with
UPX:

libclamav/upx.c:

...
int upx_inflate2d(char *src, uint32_t ssize, char *dst, uint32_t *dsize,
                  uint32_t upx0, uint32_t upx1, uint32_t ep)
{
  int32_t backbytes, unp_offset = -1, myebx = 0;
  int scur=0, dcur=0, i, backsize, oob;

  while (1) {
    while ( (oob = doubleebx(src, &myebx, &scur, ssize)) == 1) {
      if (scur<0 || scur>=ssize || dcur<0 || dcur>=*dsize)
      return -1;
      dst[dcur++] = src[scur++];
    }
...
    backsize++;
    for (i = 0; i < backsize; i++) {
      if (dcur+i<0 || dcur+i>=*dsize || dcur+unp_offset+i<0 || dcur+unp_offset+i>=*dsize)
      return -1;
      dst[dcur + i] = dst[dcur + unp_offset + i];
    }
    dcur+=backsize;
  }
....
If we don't allocate enough memory for "dst", these loops will overflow the heap.
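The two points above, the wrapping size expression in cli_scanpe() and the decompression loops that trust the resulting buffer, are illustrated below with an added example. It is not libclamav code: the helper names (upx_dest_size_unchecked, upx_dest_size_checked, alloc_upx_dest), the 32-bit unsigned operand types and the max_file_size parameter standing in for ArchiveMaxFileSize are assumptions, and the inputs are constructed to match the values printed in the PoC debug line (dsize shown as -1024, which is 0xFFFFFC00 as an unsigned 32-bit value, and nsections = 3).

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constants taken from the quoted cli_scanpe() expression:
 * 1024 bytes of slack plus 40 bytes per section header. */
#define UPX_SLACK      1024u
#define SECTION_HDR_SZ 40u

/* The vulnerable expression as written, evaluated in 32-bit unsigned
 * arithmetic so the wrap-around is visible. The operand types are an
 * assumption: the advisory shows the expression, not the declarations. */
uint32_t upx_dest_size_unchecked(uint32_t dsize, uint32_t nsections)
{
    return dsize + UPX_SLACK + nsections * SECTION_HDR_SZ;
}

/* Overflow-checked replacement (hypothetical helper). Returns 0 and stores
 * the size in *out when every intermediate value fits in 32 bits and dsize
 * respects the caller's limit (standing in for ArchiveMaxFileSize);
 * returns -1 otherwise. */
int upx_dest_size_checked(uint32_t dsize, uint32_t nsections,
                          uint32_t max_file_size, uint32_t *out)
{
    uint32_t hdr;

    /* dsize comes from the file: apply the configured limit first. */
    if (dsize > max_file_size)
        return -1;

    /* nsections * 40 must not wrap. */
    if (nsections > UINT32_MAX / SECTION_HDR_SZ)
        return -1;
    hdr = nsections * SECTION_HDR_SZ;

    /* hdr + 1024 must not wrap, then dsize + (hdr + 1024) must not wrap. */
    if (hdr > UINT32_MAX - UPX_SLACK)
        return -1;
    if (dsize > UINT32_MAX - UPX_SLACK - hdr)
        return -1;

    *out = dsize + UPX_SLACK + hdr;
    return 0;
}

/* Allocate the decompression buffer only from a checked size and hand the
 * real capacity back, so a copy loop like the one in upx_inflate2d() can
 * bound dcur by the buffer that actually exists rather than by a value
 * derived from the file. Returns NULL (and *cap = 0) on a bad size or an
 * allocation failure. */
char *alloc_upx_dest(uint32_t dsize, uint32_t nsections,
                     uint32_t max_file_size, uint32_t *cap)
{
    uint32_t size;
    char *dest;

    *cap = 0;
    if (upx_dest_size_checked(dsize, nsections, max_file_size, &size) != 0)
        return NULL;

    dest = calloc(size, sizeof(char));
    if (dest == NULL)
        return NULL;

    *cap = size;
    return dest;
}

int main(void)
{
    /* Constructed inputs mirroring the PoC debug line. */
    uint32_t poc_dsize = 0xFFFFFC00u, poc_nsections = 3;
    uint32_t limit = 25u * 1024 * 1024;   /* assumed size limit, 25 MiB */
    uint32_t cap, size;
    char *dest;

    printf("unchecked size: %u\n",
           upx_dest_size_unchecked(poc_dsize, poc_nsections));

    if (upx_dest_size_checked(poc_dsize, poc_nsections, limit, &size) != 0)
        printf("checked: rejected (integer overflow or over limit)\n");

    dest = alloc_upx_dest(65536, 3, limit, &cap);
    if (dest != NULL) {
        printf("sane input: allocated %u bytes\n", cap);
        free(dest);
    }
    return 0;
}
```

With the PoC values the unchecked expression wraps to 120, exactly the number in the debug output, while the checked variant refuses the request before any allocation happens; passing the real capacity out of alloc_upx_dest is what lets the later bounds checks mean what they appear to mean.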


3. PoC

An example of a crafted UPX file: http://overflow.pl/poc/crafted_upx.exe

[pucik@overflow clam]$ clamscan --debug --max-space=0 crafted_upx.exe
....
LibClamAV debug: EntryPoint offset: 0x2bee0 (179936)
LibClamAV debug: UPX/FSG: empty section found - assuming compression
LibClamAV debug: UPX: Section 0 name: UPX0
LibClamAV debug: UPX: Section 1 name: UPX1
//This is my debug LibClamAV debug: UPX: dsize = -1024, nsections = 3, dsize + 1024 + nsections * 40 = 120
LibClamAV debug: UPX: Looks like a NRV2D decompression routine
Segmentation fault (core dumped)







Copyright 2006, SecurityGlobal.net LLC