SECURITYVULNS:DOC:20832
Nov 10, 2008 - 12:00 a.m.
vulners.com

ClamAV get_unicode_name() off-by-one buffer overflow

Copyright (c) 2008 Moritz Jodeit <[email protected]> (2008/11/08)

Application details:

    From http://www.clamav.net/:

    "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
    designed especially for e-mail scanning on mail gateways. It provides
    a number of utilities including a flexible and scalable multi-threaded
    daemon, a command line scanner and advanced tool for automatic
    database updates. The core of the package is an anti-virus engine
    available in a form of shared library."

Vulnerability description:

    ClamAV contains an off-by-one heap overflow vulnerability in the
    code responsible for parsing VBA project files. Successful
    exploitation could allow an attacker to execute arbitrary code with
    the privileges of the `clamd' process by sending an email with a
    prepared attachment.

    The vulnerability occurs inside the get_unicode_name() function
    in libclamav/vba_extract.c when a specific `name' buffer is passed
    to it.

    101 static char *
    102 get_unicode_name(const char *name, int size, int big_endian)
    103 {
    104         int i, increment;
    105         char *newname, *ret;
    106
    107         if((name == NULL) || (*name == '\0') || (size <= 0))
    108                 return NULL;
    109
    110         newname = (char *)cli_malloc(size * 7);

    First the `size' of the `name' buffer multiplied by 7 is used to
    allocate the destination buffer `newname'. When the `name' buffer
    only consists of characters matching some specific criteria [1]
    and `big_endian' is set, the following loop can write exactly 7
    characters into the allocated destination buffer `newname' per
    character found in the source buffer `name'.

    This fills the destination buffer completely, leaving no room for
    a terminator. After the loop, in line 143, the terminating NUL byte
    is written one byte past the end of the allocated buffer on the heap.

    143         *ret = '\0';
    144
    145         /* Saves a lot of memory */
    146         ret = cli_realloc(newname, (ret - newname) + 1);
    147         return ret ? ret : newname;
    148 }

    [1] Every character matching the following condition results in
        7 characters written to the destination buffer:

            (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)

    A VBA project file embedded inside an OLE2 office document sent
    as an attachment can trigger the off-by-one.
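    An added C model (not ClamAV's code) of the buffer budget the
    advisory describes: the allocation before and after the fix, and a
    bounded rewrite that returns an error when the buffer is one byte
    short instead of writing the terminator past its end. The "\uXXXX;"
    escape, the one-byte copy of non-matching bytes, and leaving out the
    big_endian flag are assumptions; the matching condition is the one
    quoted in [1].

```c
#include <ctype.h>
#include <stdio.h>

/* Condition quoted in the advisory; `c' is the byte read as a signed
 * char (as on x86), so bytes >= 0x80 are negative. */
static int needs_escape(int c)
{
    return (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0);
}

/* Allocation before the fix, and with the byte the terminator needs. */
size_t vulnerable_alloc(int size) { return (size_t)size * 7; }
size_t fixed_alloc(int size)      { return (size_t)size * 7 + 1; }

/* Bounded rewrite: each write is checked against `cap', so a short
 * buffer yields -1 instead of a one-byte heap overflow. Returns the
 * length written, NUL excluded. "\uXXXX;" is a 7-byte placeholder, not
 * libclamav's real escape; non-matching bytes are copied (assumption). */
int encode_name(const char *name, int size, char *out, size_t cap)
{
    size_t pos = 0;
    if (cap == 0) return -1;
    for (int i = 0; i < size; i++) {
        int c = (signed char)name[i];
        if (needs_escape(c)) {
            if (cap - pos < 8) return -1;      /* 7 bytes + the NUL */
            snprintf(out + pos, cap - pos, "\\u%04x;", (unsigned char)c);
            pos += 7;
        } else {
            if (cap - pos < 2) return -1;      /* 1 byte + the NUL */
            out[pos++] = (char)c;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Constructed sample: four bytes that all match the condition, so the
 * rewrite needs 4 * 7 + 1 = 29 bytes. */
const char sample_name[4] = { '\x80', '\x81', '\x0a', '\x7f' };
char scratch[64];

int main(void)
{
    int n = (int)sizeof sample_name;
    printf("old alloc %zu -> %d, fixed alloc %zu -> %d\n",
           vulnerable_alloc(n), encode_name(sample_name, n, scratch, vulnerable_alloc(n)),
           fixed_alloc(n), encode_name(sample_name, n, scratch, fixed_alloc(n)));
    return 0;
}
```

    With the pre-fix size (28 bytes) the rewrite stops at -1 on the
    fourth byte; with the fixed size (29 bytes) it completes at length 28.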

Vendor response:

    2008/10/16 Initial report to vendor
    2008/10/16 Vulnerability acknowledged by [email protected]
    2008/11/03 Release of version 0.94.1

Vulnerable packages:

    All versions up to 0.94 are vulnerable.
    Version 0.94.1 fixes the problem.