[NEWS] ClamAV Library Multiple Heap Overflows (TNEF, CHM, FSG)
From: SecuriTeam (support_at_securiteam.com)
Date: 08/08/05
To: list@securiteam.com Date: 8 Aug 2005 13:20:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ClamAV Library Multiple Heap Overflows (TNEF, CHM, FSG)
------------------------------------------------------------------------
SUMMARY
<http://www.clamav.net/> ClamAV is "the most widely used GPL antivirus
library today. It provides file format support for virus analysis". During
the processing of the TNEF, CHM and FSG formats, a crafted file can trigger
several integer overflows that let an attacker overwrite heap data and
potentially obtain complete control of the system running the scanner.
DETAILS
Vulnerable Systems:
* ClamAV Version 0.86.1 (current) and prior
* There are numerous implementations of ClamAV listed on their site which
are likely vulnerable. One party to note is Apple. Apple includes ClamAV
by default in Mac OS X Server. In addition, ClamAV has been ported to
Windows and a variety of other platforms by third parties whose
implementations are also likely vulnerable. Refer to the vendor for specifics.
Immune Systems:
* ClamAV version 0.86.2 fixes some of the issues, specifically, the two
integer overflows in TNEF.
Vulnerable Code:
TNEF processing contains at least two integer overflows that result in
heap overflows. The following code from tnef_attachment() and
tnef_message() in tnef.c is vulnerable. The length field is read from the
file as an arbitrary 32-bit integer. If length is 0xFFFFFFFF (-1), the
expression length + 1 wraps to 0, cli_malloc() returns a small heap
buffer, and the following fread() writes the remainder of the file into
it. The short-read check that returns -1 runs only after the copy, so it
does not prevent the overflow.

    string = cli_malloc(length + 1);               /* length + 1 wraps to 0 */
    if(fread(string, 1, length, fp) != length) {   /* copies up to length bytes */
        free(string);
        return -1;
    }
CHM processing contains an integer overflow that results in heap
corruption. The following is vulnerable code from read_chunk_entries() in
chmunpack.c. name_len is decoded from the file; if it is 0xFFFFFFFF (-1),
name_len + 1 wraps to 0, cli_malloc() returns a small heap buffer, and the
following strncpy() copies up to name_len bytes of chunk data into it.

    name_len = read_enc_int(&current, end);
    file_e->name = (unsigned char *) cli_malloc(name_len+1);   /* wraps to 0 */
    if (!file_e->name) {
        free(file_e);
        return FALSE;
    }
    strncpy(file_e->name, current, name_len);                  /* overflows */
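The length + 1 wrap shared by the TNEF and CHM cases, shown as an added example rather than ClamAV code: a length-prefixed record is parsed once with the size expression as the original computes it, and once with a reader that rejects a length whose +1 would wrap or that exceeds the bytes actually present. The record layout, helper names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of the TNEF/CHM allocation pattern: an untrusted
 * 32-bit length, then malloc(length + 1) and a copy of `length` bytes.
 * Not ClamAV code; all helper names here are ours.
 */

/* The size expression as the original code computes it, in 32-bit arithmetic. */
uint32_t wrapped_alloc_size(uint32_t length)
{
    return length + 1;   /* 0xFFFFFFFF + 1 == 0: unsigned wrap is well defined */
}

/*
 * Hardened reader. `cur`/`end` delimit the remaining input and `length` is
 * the untrusted count. Returns a NUL-terminated copy, or NULL when length+1
 * would overflow a 32-bit size or the bytes are simply not in the input.
 */
char *read_string_checked(const uint8_t *cur, const uint8_t *end, uint32_t length)
{
    size_t avail = (size_t)(end - cur);

    if (length == UINT32_MAX)          /* length + 1 would wrap to 0 */
        return NULL;
    if ((size_t)length > avail)        /* claims more bytes than exist */
        return NULL;

    char *s = malloc((size_t)length + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, cur, length);
    s[length] = '\0';
    return s;
}

/* Parse one record: 4-byte little-endian length followed by the payload. */
char *parse_record(const uint8_t *buf, size_t buflen)
{
    if (buflen < 4)
        return NULL;
    uint32_t length = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8)
                    | ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return read_string_checked(buf + 4, buf + buflen, length);
}

/* Constructed sample records (not bytes from a real TNEF or CHM file). */
static const uint8_t benign[]    = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t wrapping[]  = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };
static const uint8_t oversized[] = { 0x10, 0x00, 0x00, 0x00, 'A', 'A', 'A', 'A' };

int main(void)
{
    printf("0xFFFFFFFF + 1 as the original computes it: %u\n",
           wrapped_alloc_size(0xFFFFFFFFu));

    char *s = parse_record(benign, sizeof benign);
    printf("benign record:    %s\n", s ? s : "(rejected)");
    free(s);
    printf("wrapping record:  %s\n",
           parse_record(wrapping, sizeof wrapping) ? "accepted" : "rejected");
    printf("oversized record: %s\n",
           parse_record(oversized, sizeof oversized) ? "accepted" : "rejected");
    return 0;
}
```

On a 64-bit build `(size_t)length + 1` no longer wraps, but the availability check is what matters in either case: a parser should never trust a length it has not compared against the input it actually holds.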
FSG processing contains a faulty boundary check that results in a buffer
overflow. The following is vulnerable code from unfsg() in fsg.c.
backbytes and backsize are decoded from the packed file and are in effect
arbitrary 32-bit unsigned integers. If both are slightly negative (that
is, very large unsigned values), the pointer arithmetic in the check
wraps: cdst - backbytes lands above cdst rather than below dest, and
cdst + backsize wraps around to below dest + dsize, so the check passes
and the copy loop runs backsize iterations past the end of the heap
buffer.

    if (cdst-backbytes < dest || cdst+backsize >= dest+dsize)   /* both sides wrap */
        return -1;
    while(backsize--) {
        *cdst=*(cdst-backbytes);
        cdst++;
    }
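The FSG boundary check modelled on 32-bit addresses, beside an offset-based check that cannot wrap, as an added example and not ClamAV code. Addresses are represented as uint32_t so the wrap the advisory describes is reproduced without undefined pointer arithmetic; the address values, buffer contents and helper names are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of the unfsg() back-reference copy. Not ClamAV code;
 * the names below are ours.
 */

/* The original check evaluated on 32-bit "addresses". Returns 1 when the
 * copy would be allowed, i.e. when the check passes. */
int original_check_passes(uint32_t dest, uint32_t dsize, uint32_t cdst,
                          uint32_t backbytes, uint32_t backsize)
{
    if (cdst - backbytes < dest || cdst + backsize >= dest + dsize)
        return 0;
    return 1;
}

/* Hardened check on offsets: `produced` is how many bytes the output buffer
 * already holds (cdst - dest). Every comparison here is wrap-free. */
int backref_in_bounds(size_t dsize, size_t produced,
                      uint32_t backbytes, uint32_t backsize)
{
    if (produced > dsize)
        return 0;
    if (backbytes == 0 || backbytes > produced)   /* source before buffer start */
        return 0;
    if (backsize > dsize - produced)              /* write past buffer end */
        return 0;
    return 1;
}

/* LZ-style back-reference copy, byte by byte so overlapping runs repeat as
 * in the original loop. Returns the new produced count, or -1 if rejected. */
long apply_backref(uint8_t *dest, size_t dsize, size_t produced,
                   uint32_t backbytes, uint32_t backsize)
{
    if (!backref_in_bounds(dsize, produced, backbytes, backsize))
        return -1;
    uint8_t *cdst = dest + produced;
    while (backsize--) {
        *cdst = *(cdst - backbytes);
        cdst++;
    }
    return (long)(cdst - dest);
}

int main(void)
{
    /* Constructed scenario: buffer "at" 0x10000000 of 0x1000 bytes with 16
     * bytes already produced; backbytes/backsize of -16 as 32-bit values. */
    printf("sane backref passes original check:    %d\n",
           original_check_passes(0x10000000u, 0x1000u, 0x10000010u, 16u, 16u));
    printf("wrapped backref passes original check: %d\n",
           original_check_passes(0x10000000u, 0x1000u, 0x10000010u,
                                 0xFFFFFFF0u, 0xFFFFFFF0u));
    printf("wrapped backref passes hardened check: %d\n",
           backref_in_bounds(0x1000, 16, 0xFFFFFFF0u, 0xFFFFFFF0u));

    uint8_t out[16] = { 'a', 'b' };
    long n = apply_backref(out, sizeof out, 2, 2, 6);
    printf("overlapping copy produced %ld bytes: %.8s\n", n, out);
    return 0;
}
```

The offset form is the general fix for this class of bug: compare lengths against the space that remains, never compare pointers (or addresses) that were derived by adding attacker-controlled values.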
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.rem0te.com/public/images/clamav.pdf>
http://www.rem0te.com/public/images/clamav.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.