[NEWS] ClamAV get_unicode_name() Off-By-One Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 11 Nov 2008 08:51:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ClamAV get_unicode_name() Off-By-One Buffer Overflow
------------------------------------------------------------------------
SUMMARY
" <http://www.clamav.net/> Clam AntiVirus is an open source (GPL)
anti-virus toolkit for UNIX, designed especially for e-mail scanning on
mail gateways. It provides a number of utilities including a flexible and
scalable multi-threaded daemon, a command line scanner and advanced tool
for automatic database updates. The core of the package is an anti-virus
engine available in a form of shared library."
ClamAV contains an off-by-one heap overflow vulnerability in the code
responsible for parsing VBA project files. Successful exploitation could
allow an attacker to execute arbitrary code with the privileges of the
`clamd' process by sending an email with a prepared attachment.
DETAILS
Vulnerable Systems:
* ClamAV version 0.94
Immune Systems:
* ClamAV version 0.94.1
The vulnerability occurs inside the get_unicode_name() function in
libclamav/vba_extract.c when a specific `name' buffer is passed to it.
101 static char *
102 get_unicode_name(const char *name, int size, int big_endian)
103 {
104 int i, increment;
105 char *newname, *ret;
106
107 if((name == NULL) || (*name == '\0') || (size <= 0))
108 return NULL;
109
110 newname = (char *)cli_malloc(size * 7);
First the `size' of the `name' buffer multiplied by 7 is used to allocate
the destination buffer `newname'. When the `name' buffer only consists of
characters matching some specific criteria [1] and `big_endian' is set,
the following loop can write exactly 7 characters into the allocated
destination buffer `newname' per character found in source buffer `name'.
This effectively fills up the destination buffer completely. After the
loop in line 143, the terminating NUL byte is written and overflows the
allocated buffer on the heap.
143 *ret = '\0';
144
145 /* Saves a lot of memory */
146 ret = cli_realloc(newname, (ret - newname) + 1);
147 return ret ? ret : newname;
148 }
[1] Every character matching the following condition results in 7
characters written to the destination buffer:
(c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)
A VBA project file embedded inside an OLE2 office document send as an
attachment can trigger the off-by-one.
Vendor response:
2008/10/16 - Initial report to vendor
2008/10/16 - Vulnerability acknowledged by acab@xxxxxxxxxx
2008/11/03 - Release of version 0.94.1
ADDITIONAL INFORMATION
The information has been provided by <mailto:moritz@xxxxxxxxxx> Moritz
Jodeit.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Multiple Vendor NOS Microsystems getPlus Downloader Stack Buffer Overflow Vulnerability
- Next by Date: [NEWS] Openfire Jabber-Server Multiple Vulnerabilities
- Previous by thread: [NT] Multiple Vendor NOS Microsystems getPlus Downloader Stack Buffer Overflow Vulnerability
- Next by thread: [NEWS] Openfire Jabber-Server Multiple Vulnerabilities
- Index(es):
Relevant Pages
|
