SecurityTracker.com
SecurityTracker Archives

Category: Application (Security) > Clam AntiVirus
Vendor: clamav.sourceforge.net
Clam AntiVirus Buffer Overflow in get_unicode_name() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1021159
SecurityTracker URL: http://securitytracker.com/id/1021159
CVE Reference: CVE-2008-5050
Updated: Oct 31 2012
Original Entry Date: Nov 10 2008
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.94 and prior versions
Description:   A vulnerability was reported in Clam AntiVirus. A remote user can execute arbitrary code on the target system.

A remote user can send an e-mail whose attachment is an OLE2 office document containing a specially crafted VBA project to trigger an off-by-one heap overflow in the get_unicode_name() function and potentially execute arbitrary code on the target system. The function allocates a destination buffer of 'size * 7' bytes, can write up to 7 output bytes for every input byte, and then stores the terminating NUL one byte past the end of the allocation. The code will run with the privileges of the clamd process.
The vulnerability resides in 'libclamav/vba_extract.c'.

The vendor was notified on October 16, 2008.

Moritz Jodeit reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (0.94.1).

No vendor advisory was available at the time of this entry.

Vendor URL:  www.clamav.net/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  ClamAV get_unicode_name() off-by-one buffer overflow


-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow

Copyright (c) 2008 Moritz Jodeit <moritz@jodeit.org> (2008/11/08)
-----------------------------------------------------------------

Application details:

	From http://www.clamav.net/:

	"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
	designed especially for e-mail scanning on mail gateways. It provides
	a number of utilities including a flexible and scalable multi-threaded
	daemon, a command line scanner and advanced tool for automatic
	database updates. The core of the package is an anti-virus engine
	available in a form of shared library."

Vulnerability description:

	ClamAV contains an off-by-one heap overflow vulnerability in the
	code responsible for parsing VBA project files. Successful
	exploitation could allow an attacker to execute arbitrary code with
	the privileges of the `clamd' process by sending an email with a
	prepared attachment.

	The vulnerability occurs inside the get_unicode_name() function
	in libclamav/vba_extract.c when a specific `name' buffer is passed
	to it.

	101 static char *
	102 get_unicode_name(const char *name, int size, int big_endian)
	103 {
	104         int i, increment;
	105         char *newname, *ret;
	106
	107         if((name == NULL) || (*name == '\0') || (size <= 0))
	108                 return NULL;
	109
	110         newname = (char *)cli_malloc(size * 7);

	First the `size' of the `name' buffer multiplied by 7 is used to
	allocate the destination buffer `newname'. When the `name' buffer
	only consists of characters matching some specific criteria [1]
	and `big_endian' is set, the following loop can write exactly 7
	characters into the allocated destination buffer `newname' per
	character found in source buffer `name'.

	This effectively fills up the destination buffer completely. After
	the loop in line 143, the terminating NUL byte is written and
	overflows the allocated buffer on the heap.

	143         *ret = '\0';
	144
	145         /* Saves a lot of memory */
	146         ret = cli_realloc(newname, (ret - newname) + 1);
	147         return ret ? ret : newname;
	148 }

	[1] Every character matching the following condition results in
	    7 characters written to the destination buffer:

		(c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)

	A VBA project file embedded inside an OLE2 office document sent
	as an attachment can trigger the off-by-one.

Vendor response:

	2008/10/16 Initial report to vendor
	2008/10/16 Vulnerability acknowledged by acab@clamav.net
	2008/11/03 Release of version 0.94.1

Vulnerable packages:

	All versions up to 0.94 are vulnerable.
	Version 0.94.1 fixes the problem.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)

iEYEARECAAYFAkkVfqIACgkQVmsppI8oVCPjPACdGEznyRtPWDjj72oZJMVDT+Lz
u4oAn1FLUN6hCx6nxH3D8aZJpVkFlUvB
=ZGyW
-----END PGP SIGNATURE-----


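The arithmetic behind the advisory above, as an added worked example (editor's code, not ClamAV's vba_extract.c and not part of the original message). It models get_unicode_name() only as far as the overflow depends on it: every consumed source byte expands to 1, 3 or 7 output bytes, the 0.94 allocation is size * 7, and the terminating NUL is stored after the loop. The 1-byte and 7-byte cases and their condition are taken from the advisory; the 3-byte "_<digit>_" branch for values 0..9, the "_u00ff_" escape text, and the assumption that big-endian input is walked one byte at a time (little-endian two bytes at a time, so only big-endian can reach size * 7) are the editor's assumptions. The sample input is constructed. Beside the length check it includes a bounds-checked encoder of the kind a hardened version would use, which refuses the write rather than overflowing.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: four bytes with the high bit set. Each one satisfies the
 * advisory's 7-output-bytes condition, so this is the worst case. */
static const char SAMPLE_HIGH[4] = { '\xff', '\xff', '\xff', '\xff' };

/* Output bytes produced for one consumed source byte. The 1- and 7-byte cases
 * and their condition come from the advisory; the 3-byte branch for 0..9 is an
 * assumption and cannot be the worst case, so it does not affect the argument. */
static size_t expansion(signed char c)
{
    if (c >= 0 && isprint((unsigned char)c))
        return 1;   /* printable ASCII, copied through */
    if (c >= 0 && c < 10)
        return 3;   /* assumed: "_<digit>_" */
    return 7;       /* (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0) */
}

/* Assumption: big-endian input is consumed one byte per iteration, little-endian
 * two bytes per iteration, which is why only the big-endian path reaches size * 7. */
static int step(int big_endian) { return big_endian ? 1 : 2; }

/* Length of the encoded name, not counting the terminating NUL. */
size_t encoded_length(const char *name, int size, int big_endian)
{
    size_t len = 0;
    for (int i = 0; i < size; i += step(big_endian))
        len += expansion((signed char)name[i]);
    return len;
}

/* Bytes cli_malloc() reserved in 0.94, and the one-byte-larger allocation that
 * leaves room for the NUL written after the loop. */
size_t vulnerable_alloc(int size) { return (size_t)size * 7; }
size_t fixed_alloc(int size)      { return (size_t)size * 7 + 1; }

/* True if the encoded name plus its NUL fits in an allocation of alloc bytes. */
bool fits(const char *name, int size, int big_endian, size_t alloc)
{
    return encoded_length(name, size, big_endian) + 1 <= alloc;
}

/* Bounds-checked encoder: writes the escaped name into dst[dstlen] and returns
 * dst, or returns NULL instead of writing past the end. The "_u00ff_" escape
 * text is assumed; only its 7-byte length matters for the overflow. */
char *encode_name(char *dst, size_t dstlen, const char *name, int size, int big_endian)
{
    static const char hex[] = "0123456789abcdef";
    char *p = dst, *end = dst + dstlen;

    if (dstlen == 0)
        return NULL;
    for (int i = 0; i < size; i += step(big_endian)) {
        signed char c = (signed char)name[i];
        size_t need = expansion(c);
        if ((size_t)(end - p) < need + 1)   /* +1 keeps room for the NUL */
            return NULL;
        if (need == 1) {
            *p++ = (char)c;
        } else if (need == 3) {
            *p++ = '_'; *p++ = (char)('0' + c); *p++ = '_';
        } else {
            unsigned x = (unsigned char)c;
            *p++ = '_'; *p++ = 'u'; *p++ = '0'; *p++ = '0';
            *p++ = hex[x >> 4]; *p++ = hex[x & 0xF]; *p++ = '_';
        }
    }
    *p = '\0';   /* always inside the buffer after the check above */
    return dst;
}

static char out[64];

int main(void)
{
    int n = (int)sizeof SAMPLE_HIGH;
    printf("encoded length %zu, 0.94 allocates %zu, fixed allocates %zu\n",
           encoded_length(SAMPLE_HIGH, n, 1), vulnerable_alloc(n), fixed_alloc(n));
    printf("NUL fits in 0.94 buffer: %s\n",
           fits(SAMPLE_HIGH, n, 1, vulnerable_alloc(n)) ? "yes" : "no");
    printf("bounded encoder with 0.94 size: %s\n",
           encode_name(out, vulnerable_alloc(n), SAMPLE_HIGH, n, 1) ? out : "refused");
    printf("bounded encoder with fixed size: %s\n",
           encode_name(out, fixed_alloc(n), SAMPLE_HIGH, n, 1) ? out : "refused");
    return 0;
}
```

With the four-byte worst-case name the loop emits exactly 28 bytes, the 0.94 allocation is 28 bytes, and the NUL store lands at offset 28, one past the end; the same input walked little-endian consumes only every second byte and stays well inside the buffer, which is why the advisory singles out the big-endian case.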
Copyright 2020, SecurityGlobal.net LLC