Clam AntiVirus Buffer Overflow in get_unicode_name() Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1021159
SecurityTracker URL: http://securitytracker.com/id/1021159
Updated: Oct 31 2012
Original Entry Date: Nov 10 2008
Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.94 and prior versions
A vulnerability was reported in Clam AntiVirus. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted VBA project file attachment to trigger a heap overflow in the get_unicode_name() function and execute arbitrary code on the target system. The code will run with the privileges of the target clamd service.
The vulnerability resides in 'libclamav/vba_extract.c'.
The vendor was notified on October 16, 2008.
Moritz Jodeit reported this vulnerability.
A remote user can execute arbitrary code on the target system.
The vendor has issued a fixed version (0.94.1).
No vendor advisory was available at the time of this entry.
Vendor URL: www.clamav.net/
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Subject: ClamAV get_unicode_name() off-by-one buffer overflow
Content-Type: text/plain; charset=us-ascii
ClamAV get_unicode_name() off-by-one buffer overflow
Copyright (c) 2008 Moritz Jodeit <email@example.com> (2008/11/08)
"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic
database updates. The core of the package is an anti-virus engine
available in a form of shared library."
ClamAV contains an off-by-one heap overflow vulnerability in the
code responsible for parsing VBA project files. Successful
exploitation could allow an attacker to execute arbitrary code with
the privileges of the `clamd' process by sending an email with a
The vulnerability occurs inside the get_unicode_name() function
in libclamav/vba_extract.c when a specific `name' buffer is passed
101 static char *
102 get_unicode_name(const char *name, int size, int big_endian)
103 {
104 	int i, increment;
105 	char *newname, *ret;
106
107 	if((name == NULL) || (*name == '\0') || (size <= 0))
108 		return NULL;
109
110 	newname = (char *)cli_malloc(size * 7);
First the `size' of the `name' buffer multiplied by 7 is used to
allocate the destination buffer `newname'. When the `name' buffer
only consists of characters matching some specific criteria 
and `big_endian' is set, the following loop can write exactly 7
characters into the allocated destination buffer `newname' per
character found in source buffer `name'.
This effectively fills up the destination buffer completely. After
the loop in line 143, the terminating NUL byte is written and
overflows the allocated buffer on the heap.
143 	*ret = '\0';
144
145 	/* Saves a lot of memory */
146 	ret = cli_realloc(newname, (ret - newname) + 1);
147 	return ret ? ret : newname;
Every character matching the following condition results in
7 characters written to the destination buffer:
(c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)
A VBA project file embedded inside an OLE2 office document sent
as an attachment can trigger the off-by-one.
2008/10/16 Initial report to vendor
2008/10/16 Vulnerability acknowledged by firstname.lastname@example.org
2008/11/03 Release of version 0.94.1
All versions up to 0.94 are vulnerable.
Version 0.94.1 fixes the problem.
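Added example, written for this entry and not taken from the advisory or from ClamAV's source: a C model of the buffer-sizing arithmetic the advisory describes for get_unicode_name(). The per-byte output widths (1 for printable ASCII, 2 for bytes 0..9, 7 for everything matching the condition quoted above) follow the advisory; the 7-character escape text "_xHHHH_", the function names, and the use of plain malloc() in place of cli_malloc()/newname are constructed stand-ins, and the big_endian/increment handling is simplified to one input byte per step. encoded_len() counts the terminating NUL, worst_case_alloc() is the size * 7 + 1 that the original allocation lacked, original_alloc_suffices() shows exactly which inputs make size * 7 one byte short, and encode_name() rejects a buffer that is too small instead of writing past its end.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output width per input byte. The 1-, 2- and 7-character cases follow the
 * advisory's description; the escape text written below is a constructed
 * placeholder, not ClamAV's encoding. */
static size_t escape_width(unsigned char c)
{
    signed char sc = (signed char)c;   /* the original indexes a plain (signed) char */
    if (!(c & 0x80) && isprint(c))
        return 1;                      /* printable ASCII: copied through */
    if (sc >= 0 && sc < 10)
        return 2;                      /* bytes 0..9: '_' plus one digit */
    return 7;                          /* (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0) */
}

/* Exact size the encoded name needs, terminating NUL included. */
size_t encoded_len(const unsigned char *name, size_t size)
{
    size_t n = 1;                      /* room for the NUL */
    for (size_t i = 0; i < size; i++)
        n += escape_width(name[i]);
    return n;
}

/* Worst case: 7 output bytes per input byte, plus the NUL. The original
 * cli_malloc(size * 7) omitted the "+ 1". */
size_t worst_case_alloc(size_t size)
{
    return size * 7 + 1;
}

/* 1 if a buffer of size * 7 bytes is enough for this input, 0 if it is one
 * byte short, which happens exactly when every byte takes the 7-char path. */
int original_alloc_suffices(const unsigned char *name, size_t size)
{
    return encoded_len(name, size) <= size * 7;
}

/* Bounds-checked encoder: returns 0 on success, -1 if `out` cannot hold the
 * result plus its NUL, instead of writing past the end of the buffer. */
int encode_name(const unsigned char *name, size_t size, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0)
        return -1;
    for (size_t i = 0; i < size; i++) {
        unsigned char c = name[i];
        size_t w = escape_width(c);
        if (w > outlen - pos - 1)      /* always keep one byte for the NUL */
            return -1;
        if (w == 1) {
            out[pos++] = (char)tolower(c);
        } else if (w == 2) {
            out[pos++] = '_';
            out[pos++] = (char)('0' + c);
        } else {
            /* constructed 7-character escape "_xHHHH_"; room for 8 was checked above */
            snprintf(out + pos, outlen - pos, "_x%04x_", (unsigned)c);
            pos += 7;
        }
    }
    out[pos] = '\0';
    return 0;
}

/* Test helper: 1 if encoding into a buffer of `outlen` bytes succeeds and
 * yields `expected`, 0 if the buffer is rejected as too small, -1 on mismatch. */
int encode_matches(const unsigned char *name, size_t size, size_t outlen, const char *expected)
{
    char *buf = malloc(outlen);
    if (buf == NULL)
        return -1;
    int rc = encode_name(name, size, buf, outlen);
    int result = (rc != 0) ? 0 : (strcmp(buf, expected) == 0 ? 1 : -1);
    free(buf);
    return result;
}

int main(void)
{
    /* constructed sample: three bytes that all take the 7-character path */
    const unsigned char name[] = { 0x80, 0x85, 0x1f };
    size_t size = sizeof name;
    char small[21];                    /* size * 7, the original allocation */
    char right[22];                    /* size * 7 + 1 */

    printf("need %zu bytes; size*7 = %zu; size*7+1 = %zu\n",
           encoded_len(name, size), size * 7, worst_case_alloc(size));
    printf("size*7 buffer: %s\n",
           encode_name(name, size, small, sizeof small) == 0 ? "ok" : "rejected as too small");
    if (encode_name(name, size, right, sizeof right) == 0)
        printf("size*7+1 buffer: ok -> %s\n", right);
    return 0;
}
```

The point of original_alloc_suffices() is that the size * 7 allocation is not wrong for typical names, which is why the defect survived: it only comes up one byte short when every input byte expands to 7 characters, and even then only the NUL terminator lands outside the buffer.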