SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Clam AntiVirus Vendors:   clamav.sourceforge.net
Clam AntiVirus UUDecode Flaw Lets Remote Users Crash 'clamd'
SecurityTracker Alert ID:  1009004
SecurityTracker URL:  http://securitytracker.com/id/1009004
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 10 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.65 and prior versions
Description:   A vulnerability was reported in Clam AntiVirus. A remote user can cause 'clamd' to crash.

It is reported that a remote user can send an e-mail message containing a uuencoded line with an illegal line length value (such as a alphabetic character) via an e-mail system that uses 'clamd' to trigger a uudecoding vulnerability. According to the report, libclamav will calculate the length based on the ASCII value of the first character minus 64. If the resulting value is not within the proper range, the software will issue an assert() call to terminate the calling program, the report said.

To demonstration, the report indicates that you can save the following text to the '~/clamtest.mbox' file (being sure to remove the leading 'X' character):

XFrom -
X
Xbegin 644 byebye
Xbyebye
Xend

Then, you can run the following command to trigger the flaw:

# clamscan --mbox -v ~/clamtest.mbox

Impact:   A remote user can cause 'clamd' and applications that rely upon the daemon to crash.
Solution:   The vendor has issued a fix, available via CVS:

http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/libclamav/message.c

[Editor's note: The unofficial patch provided in the Source Message is different than what is available via CVS.]

Vendor URL:  www.clamav.net/ (Links to External Site)
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 18 2004 (Gentoo Issues Fix) Clam AntiVirus UUDecode Flaw Lets Remote Users Crash 'clamd'
Gentoo has released a fix.



 Source Message Contents

Subject:  clamav 0.65 remote DOS exploit


>Description:

It is trivial to crash clamd using a malformed uuencoded message, resulting in a
denial of service for all programs (e.g. SMTP daemons) relying on clamd running.
The message must only contain one uuencoded line with an illegal line lenght, i.e.
starting with a small letter.

libclamav calculates the line lenght of an uuencoded line by taking the ASCII value
of the first character minus 64 and does an `assert' if the length is not in the
allowed range, effectively terminating the calling program.

>How-To-Repeat:

Save the following file to ~/clamtest.mbox, removing the leading 'X':

XFrom -
X
Xbegin 644 byebye
Xbyebye
Xend

Then do:

# clamscan --mbox -v ~/clamtest.mbox
assertion "(len >= 0) && (len <= 63)" failed: file "message.c", line 887
Abort (core dumped)

or

# clamdscan -v ~/clamtest.mbox; ps ax | grep clam

>Fix:

Apply the following patch to libclamav/message.c:

--- libclamav/message.c.orig	Wed Nov  5 11:59:53 2003
+++ libclamav/message.c	Mon Feb  9 15:17:13 2004
@@ -878,13 +878,16 @@
 			if(strcasecmp(line, "end") == 0)
 				break;
 
-			assert(strlen(line) <= 62);
+			if(strlen(line) > 62)
+				break;
+
 			if((line[0] & 0x3F) == ' ')
 				break;
 
 			len = *line++ - ' ';
 
-			assert((len >= 0) && (len <= 63));
+			if(len < 0 || len > 63)
+				break;
 
 			ptr = decode(line, ptr, uudecode, (len & 3) == 0);
 			break;

>References:

FreeBSD PR 62586:
  <http://www.freebsd.org/cgi/query-pr.cgi?pr=62586>

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC