[NEWS] ClamAV libclamav PE File Integer Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

ClamAV libclamav PE File Integer Overflow Vulnerability


<http://www.clamav.net/> Clam AntiVirus is "a multi-platform GPL
anti-virus toolkit. ClamAV is often integrated into e-mail gateways and
used to scan e-mail traffic for viruses. It supports virus scanning for a
wide variety of packed Portable Executable (PE) binaries". Remote
exploitation of an integer overflow vulnerability in Clam AntiVirus'
ClamAV, as included in various vendors' operating system distributions,
allows attackers to execute arbitrary code with the privileges of the
affected process.


Vulnerable Systems:
* ClamAV version 0.92

Immune Systems:
* ClamAV version 0.92.1

The vulnerability exists within the code responsible for parsing and
scanning PE files. While iterating through all sections contained in the
PE file, several attacker controlled values are extracted from the file.
On each iteration, arithmetic operations are performed without taking into
consideration 32-bit integer wrap.

Since insufficient integer overflow checks are present, an attacker can
cause a heap overflow by causing a specially crafted Petite packed PE
binary to be scanned. This results in an exploitable memory corruption

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the process using libclamav. In the case of
the clamd program, this will result in code execution with the privileges
of the clamav user. Unsuccessful exploitation results in the clamd process

Address Space Layout Randomization (ASLR) and non-executable memory
protection technologies (such as DEP, NX, XD, PaX, etc) can help mitigate
exploitation of this type of vulnerability.

Disabling the scanning of PE files will prevent exploitation.

If using clamscan, this can be done by running clamscan with the '--no-pe'

If using clamdscan, set the 'ScanPE' option in the clamd.conf file to

Vendor response:
The ClamAV team has addressed this vulnerability within version 0.92.1.
Additionally, the ClamAV team reports, "the vulnerable module was remotely
disabled via virus-db update on Jan 11th 2008."

CVE Information:

Disclosure timeline:
01/07/2008 - Initial vendor notification
01/11/2008 - Initial vendor response
02/12/2008 - Coordinated public disclosure


The information has been provided by iDefense Labs.
The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages