Topic : ClamAV get_unicode_name() off-by-one buffer overflow
SecurityAlert : 4579
CVE : CVE-2008-5050
CWE : CWE-119
SecurityRisk : High (About)
Remote Exploit : No
Local Exploit : Yes
Victim interaction required : No
Exploit Available : No
Credit : Moritz Jodeit
Published : 14.11.2008
Affected Software : clam_anti-virus:clamav:0.85.1
clam_anti-virus:clamav:0.85
clam_anti-virus:clamav:0.84_rc2
clam_anti-virus:clamav:0.84_rc1
clam_anti-virus:clamav:0.86.2
clam_anti-virus:clamav:0.86.1
clam_anti-virus:clamav:0.86_rc1
clam_anti-virus:clamav:0.86
clam_anti-virus:clamav:0.81
clam_anti-virus:clamav:0.80_rc4
clam_anti-virus:clamav:0.80_rc3
clam_anti-virus:clamav:0.80_rc2
clam_anti-virus:clamav:0.84
clam_anti-virus:clamav:0.83
clam_anti-virus:clamav:0.82
clam_anti-virus:clamav:0.81_rc1
clam_anti-virus:clamav:0.73
clam_anti-virus:clamav:0.74
clam_anti-virus:clamav:0.71
clam_anti-virus:clamav:0.72
clam_anti-virus:clamav:0.80
clam_anti-virus:clamav:0.80_rc1
clam_anti-virus:clamav:0.75
clam_anti-virus:clamav:0.75.1
clam_anti-virus:clamav:0.60p
clam_anti-virus:clamav:0.65
clam_anti-virus:clamav:0.54
clam_anti-virus:clamav:0.60
clam_anti-virus:clamav:0.68.1
clam_anti-virus:clamav:0.70
clam_anti-virus:clamav:0.67
clam_anti-virus:clamav:0.68
clam_anti-virus:clamav:0.88.7
clam_anti-virus:clamav:0.90
clam_anti-virus:clamav:0.90_rc1.1
clam_anti-virus:clamav:0.90_rc2
clam_anti-virus:clamav:0.90_rc3
clam_anti-virus:clamav:0.90.1
clam_anti-virus:clamav:0.90.2
clam_anti-virus:clamav:0.87
clam_anti-virus:clamav:0.87.1
clam_anti-virus:clamav:0.88
clam_anti-virus:clamav:0.88.1
clam_anti-virus:clamav:0.88.3
clam_anti-virus:clamav:0.91.2
clam_anti-virus:clamav:0.88.4
clam_anti-virus:clamav:0.88.5
clam_anti-virus:clamav:0.88.6
clam_anti-virus:clamav:0.91rc2
clam_anti-virus:clamav:0.91
clam_anti-virus:clamav:0.90rc1
clam_anti-virus:clamav:0.91rc1
clam_anti-virus:clamav:0.93
clam_anti-virus:clamav:0.93.2
clam_anti-virus:clamav:0.88.2
clam_anti-virus:clamav:0.90.3
clam_anti-virus:clamav:0.91.2:p0
clam_anti-virus:clamav:0.92:p0
clam_anti-virus:clamav:0.90.3:p0
clam_anti-virus:clamav:0.90.3:p1
clam_anti-virus:clamav:0.90.1:p0
clam_anti-virus:clamav:0.90.2:p0
clam_anti-virus:clamav:0.88.7:p0
clam_anti-virus:clamav:0.88.7:p1
clam_anti-virus:clamav:0.02
clam_anti-virus:clamav:0.92
clam_anti-virus:clamav:0.03
clam_anti-virus:clamav:0.04
clam_anti-virus:clamav:0.05
clam_anti-virus:clamav:0.80:rc2
clam_anti-virus:clamav:0.80:rc3
clam_anti-virus:clamav:0.80:rc4
clam_anti-virus:clamav:0.01
clam_anti-virus:clamav:0.84:rc1
clam_anti-virus:clamav:0.84:rc2
clam_anti-virus:clamav:0.91.1
clam_anti-virus:clamav:0.81:rc1
clam_anti-virus:clamav:0.80:rc
clam_anti-virus:clamav:0.86:rc1
clam_anti-virus:clamav:0.14
clam_anti-virus:clamav:0.13
clam_anti-virus:clamav:0.14:pre
clam_anti-virus:clamav:0.10
clam_anti-virus:clamav:0.06
clam_anti-virus:clamav:0.92.1
clam_anti-virus:clamav:0.12
clam_anti-virus:clamav:0.11
clam_anti-virus:clamav:0.15
clam_anti-virus:clamav:0.24
clam_anti-virus:clamav:0.51
clam_anti-virus:clamav:0.52
clam_anti-virus:clamav:0.53
clam_anti-virus:clamav:0.20
clam_anti-virus:clamav:0.21
clam_anti-virus:clamav:0.22
clam_anti-virus:clamav:0.23
clam_anti-virus:clamav:0.93.1
clam_anti-virus:clamav:0.93.3
clam_anti-virus:clamav:0.94 and previous versions
Advisory Content :
-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow
Copyright (c) 2008 Moritz Jodeit <moritz (at) jodeit (dot) org> (2008/11/08)
-----------------------------------------------------------------
Application details:
From http://www.clamav.net/:
"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic
database updates. The core of the package is an anti-virus engine
available in a form of shared library."
Vulnerability description:
ClamAV contains an off-by-one heap overflow vulnerability in the
code responsible for parsing VBA project files. Successful
exploitation could allow an attacker to execute arbitrary code with
the privileges of the `clamd' process by sending an email with a
prepared attachment.
The vulnerability occurs inside the get_unicode_name() function
in libclamav/vba_extract.c when a specific `name' buffer is passed
to it.
101 static char *
102 get_unicode_name(const char *name, int size, int big_endian)
103 {
104     int i, increment;
105     char *newname, *ret;
106
107     if((name == NULL) || (*name == '\0') || (size <= 0))
108         return NULL;
109
110     newname = (char *)cli_malloc(size * 7);
First, the `size' of the `name' buffer multiplied by 7 is used to
allocate the destination buffer `newname'. When the `name' buffer
consists only of characters matching some specific criteria [1]
and `big_endian' is set, the following loop writes exactly 7
characters into the allocated destination buffer `newname' for
every character found in the source buffer `name'.
This fills the destination buffer completely, leaving no room for
a terminator. After the loop, the terminating NUL byte written in
line 143 lands one byte past the end of the allocated buffer on
the heap.
143     *ret = '\0';
144
145     /* Saves a lot of memory */
146     ret = cli_realloc(newname, (ret - newname) + 1);
147     return ret ? ret : newname;
148 }
[1] Every character matching the following condition results in
7 characters written to the destination buffer:
(c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)
A VBA project file embedded inside an OLE2 office document sent
as an attachment can trigger the off-by-one.
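The allocation arithmetic behind the bug, as an added example that is not ClamAV's code and not part of the original advisory. It models only what the advisory states: a worst-case input byte expands to 7 output bytes, the buffer is sized `size * 7`, and the NUL terminator then needs one byte more. The 7-byte escape format (`_u00hh_`), the loop step (assumed to be one input byte when `big_endian` is set, two otherwise) and the sample input are all constructed for the example; `bytes_needed()` computes the true requirement including the terminator, `would_overflow()` compares it against a given allocation, and `convert_name()` is the hardened form that allocates `size * 7 + 1`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Does byte c fall under the advisory's condition [1]?  The comparison
 * against 10 and 0 is done on a signed char, as in the advisory, so bytes
 * >= 0x80 read as negative and therefore always qualify. */
static int needs_escape(unsigned char c)
{
    signed char sc = (signed char)c;
    return ((c & 0x80) || !isprint(c)) && (sc >= 10 || sc < 0);
}

/* Constructed 7-byte escape "_u00hh_".  ClamAV's real escape text is not
 * reproduced here; only its length matters for the overflow arithmetic. */
static void write_escape(char *p, unsigned char c)
{
    static const char hex[] = "0123456789abcdef";
    p[0] = '_'; p[1] = 'u'; p[2] = '0'; p[3] = '0';
    p[4] = hex[c >> 4]; p[5] = hex[c & 0x0f]; p[6] = '_';
}

/* Assumed loop step: 1 byte when big_endian is set (every input byte is
 * converted, the advisory's worst case), 2 otherwise. */
static int step(int big_endian) { return big_endian ? 1 : 2; }

/* Bytes the conversion writes, INCLUDING the terminating NUL. */
static size_t bytes_needed(const unsigned char *name, int size, int big_endian)
{
    size_t n = 0;
    for (int i = 0; i < size; i += step(big_endian))
        n += needs_escape(name[i]) ? 7 : 1;
    return n + 1;
}

/* The allocation the advisory describes, and the one with room for the NUL. */
static size_t vulnerable_alloc(int size) { return (size_t)size * 7; }
static size_t hardened_alloc(int size)   { return (size_t)size * 7 + 1; }

/* 1 if a buffer of `alloc' bytes is too small to hold the converted name. */
static int would_overflow(const unsigned char *name, int size, int big_endian, size_t alloc)
{
    return bytes_needed(name, size, big_endian) > alloc;
}

/* Hardened converter: worst case is 7 bytes per input byte plus one for the
 * NUL, so the buffer is size * 7 + 1 and the final '\0' always has a byte
 * to land in.  Caller frees the result. */
static char *convert_name(const unsigned char *name, int size, int big_endian)
{
    if (name == NULL || size <= 0 || name[0] == '\0')
        return NULL;
    char *out = malloc(hardened_alloc(size));
    if (out == NULL)
        return NULL;
    char *p = out;
    for (int i = 0; i < size; i += step(big_endian)) {
        if (needs_escape(name[i])) {
            write_escape(p, name[i]);
            p += 7;
        } else {
            *p++ = (char)tolower(name[i]);
        }
    }
    *p = '\0';   /* p - out <= size * 7, strictly inside hardened_alloc(size) */
    return out;
}

/* Convert, measure and free, so callers can check the length without leaking. */
static size_t converted_length(const unsigned char *name, int size, int big_endian)
{
    char *s = convert_name(name, size, big_endian);
    size_t n = s ? strlen(s) : 0;
    free(s);
    return n;
}

/* Constructed worst-case input: three bytes that all satisfy [1]. */
static const unsigned char SAMPLE_NAME[3] = { 0x80, 0x80, 0x80 };
#define SAMPLE_SIZE 3

int main(void)
{
    printf("bytes needed incl. NUL: %zu\n", bytes_needed(SAMPLE_NAME, SAMPLE_SIZE, 1));
    printf("size * 7     = %zu -> overflow: %s\n", vulnerable_alloc(SAMPLE_SIZE),
           would_overflow(SAMPLE_NAME, SAMPLE_SIZE, 1, vulnerable_alloc(SAMPLE_SIZE)) ? "yes" : "no");
    printf("size * 7 + 1 = %zu -> overflow: %s\n", hardened_alloc(SAMPLE_SIZE),
           would_overflow(SAMPLE_NAME, SAMPLE_SIZE, 1, hardened_alloc(SAMPLE_SIZE)) ? "yes" : "no");
    char *s = convert_name(SAMPLE_NAME, SAMPLE_SIZE, 1);
    printf("converted: %s\n", s);
    free(s);
    return 0;
}
```

The point the numbers make is the one the advisory makes: with three qualifying bytes the conversion produces 21 characters, exactly `size * 7`, and the terminator is byte 22. Sizing the buffer for the worst case of the loop body plus the terminator, rather than for the loop body alone, is the general rule; the `realloc` shrink that follows in the original code does not help, because the out-of-bounds write has already happened by then.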
Vendor response:
2008/10/16 Initial report to vendor
2008/10/16 Vulnerability acknowledged by acab (at) clamav (dot) net
2008/11/03 Release of version 0.94.1
Vulnerable packages:
All versions up to 0.94 are vulnerable.
Version 0.94.1 fixes the problem.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (OpenBSD)
iEYEARECAAYFAkkVfqIACgkQVmsppI8oVCPjPACdGEznyRtPWDjj72oZJMVDT+Lz
u4oAn1FLUN6hCx6nxH3D8aZJpVkFlUvB
=ZGyW
-----END PGP SIGNATURE-----
References :
http://www.securityfocus.com/bid/32207
http://xforce.iss.net/xforce/xfdb/46462
http://www.securityfocus.com/archive/1/archive/1/498169/100/0/threaded
http://www.frsirt.com/english/advisories/2008/3085
http://sourceforge.net/project/shownotes.php?release_id=637952&group_id=86638
http://secunia.com/advisories/32663
http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065530.html