Network Security Exploits-HackingTools


Subject: [NEWS] Clam AntiVirus Multiple DoS (MS-Expand File Handling, Cabinet File Handling)
Date: 30 Jun 2005 15:12:33 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Clam AntiVirus Multiple DoS (MS-Expand File Handling, Cabinet File Handling)
------------------------------------------------------------------------


SUMMARY

 <http://www.clamav.net/> Clam AntiVirus is a GPL anti-virus toolkit for 
UNIX.

Missing validation in the MS-Expand (SZDD) and Cabinet (CAB) file handlers of 
Clam AntiVirus allows an attacker who can get a crafted file scanned to make 
the scanner enter an infinite loop or exhaust the process's file descriptors 
and memory.

DETAILS

Vulnerable Systems:
 * ClamAV version 0.85 and prior

Immune Systems:
 * ClamAV version 0.86

MS-Expand File Handling:
The vulnerability exists because the error path taken when decompression 
fails does not release the resources that were opened before it.

Code Snips:
libclamav/scanners.c:
    static int cli_scanszdd(...)
    {
      [...]
      FILE *tmp = NULL, *in;

      cli_dbgmsg("in cli_scanmscomp()\n");

      /* 'in' wraps a dup() of the descriptor being scanned */
      if((in = fdopen(dup(desc), "rb")) == NULL) {
        cli_dbgmsg("SZDD: Can't open descriptor %d\n", desc);
        return CL_EMSCOMP;
      }

      /* 'tmp' is a second stream; this failure path does close 'in' */
      if((tmp = tmpfile()) == NULL) {
        cli_dbgmsg("SZDD: Can't generate temporary file.\n");
        fclose(in);
        return CL_ETMPFILE;
      }

      /* this failure path returns with both 'in' and 'tmp' still open */
      if(cli_msexpand(in, tmp) == -1) {
        cli_dbgmsg("SZDD: msexpand failed.\n");
        return CL_EMSCOMP;
      }

      [...]
    }

Each time cli_msexpand() fails, two file descriptors ('in' and 'tmp') are 
leaked. Both are stdio streams (opened with fdopen() and tmpfile()), so the 
FILE structures leak as well (2 * 364 bytes). An attacker can therefore 
exhaust all of the available file descriptors fairly quickly, with around 
1,000 malformed files.

Successful exploitation exhausts the file descriptor pool and memory. Once no 
descriptors are left with which to open files, anti-virus detection fails; 
whether that outage is fail-open or fail-closed depends on how the calling 
mail gateway treats a scan error. Remote exploitation can be achieved by 
sending a malicious file in an e-mail message or during an HTTP session.

Cabinet File Handling:
The vulnerability exists due to insufficient validation of cabinet file 
header data. The ENSURE_BITS() macro fails to check for zero-length reads, 
allowing a carefully constructed cabinet file to cause an infinite loop. 
ENSURE_BITS() is executed indirectly through the READ_BITS() macro, which is 
called from the mszipd_decompress() function.

Code Snips:
libclamav/mspack/mszipd.c
#define ENSURE_BITS(nbits) do { \
  while (bits_left < (nbits)) { \
    if (i_ptr >= i_end) { \
      if (zipd_read_input(zip)) return zip->error; \
      i_ptr = zip->i_ptr; \
      i_end = zip->i_end; \
    } \
    bit_buffer |= *i_ptr++ << bits_left; bits_left += 8; \
  } \
} while (0)

#define READ_BITS(val, nbits) do {  \
 ENSURE_BITS(nbits); (val) = PEEK_BITS(nbits); REMOVE_BITS(nbits); \
} while (0)

static int zipd_read_input(struct mszipd_stream *zip) {
  int read = zip->sys->read(zip->input, &zip->inbuf[0], (int)zip->inbuf_size);
  if (read < 0) return zip->error = MSPACK_ERR_READ;
  /* read == 0 is not rejected: i_ptr == i_end, and the next ENSURE_BITS()
   * consumes the stale byte at inbuf[0] and refills again, forever */
  zip->i_ptr = &zip->inbuf[0];
  zip->i_end = &zip->inbuf[read];

  return MSPACK_ERR_OK;
}

int mszipd_decompress(...)
{
  [...]
  do {
    READ_BITS(i, 8);
    if (i == 'C') state = 1;
    else if ((state == 1) && (i == 'K')) state = 2;
    else state = 0;
  } while (state != 2);
  [...]
}

Modifying the cffile_FolderOffset field to 0xff in a CAB file can cause a 
read of zero bytes, resulting in the infinite loop.

ClamAV is used in a number of mail gateway products. Successful 
exploitation requires an attacker to send a specially constructed CAB file 
through a mail gateway or personal anti-virus client utilizing the ClamAV 
scanning engine. The infinite loop will cause the ClamAV software to use 
all available processor resources, resulting in a denial of service or 
severe degradation to system performance. Remote exploitation can be 
achieved by sending a malicious file in an e-mail message or during an 
HTTP session.
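The following is an added example (not libmspack's or ClamAV's code) that rebuilds the refill and "CK" signature search above as plain functions over a constructed input source, so the zero-length-read behaviour can be run both ways: with the advisory's refill, which loops, and with a refill that treats a zero-length read as an error. The struct names src and bitstream, the functions read_input, read_byte and find_ck_signature, and the input bytes are all assumptions of the example; the vulnerable variant is bounded by a byte budget purely so the hang shows up as a return value.

```c
#include <stdio.h>
#include <string.h>

enum { MSPACK_ERR_OK = 0, MSPACK_ERR_READ = 1 };

/* Constructed input source standing in for zip->sys->read(): hands out at
 * most `chunk` bytes per call and, like a real read callback at end of file,
 * returns 0 once the data is exhausted. */
struct src { const unsigned char *data; size_t len, pos, chunk; };

static int src_read(struct src *s, unsigned char *buf, int want) {
    size_t n = s->len - s->pos;
    if (n > s->chunk) n = s->chunk;
    if (n > (size_t)want) n = (size_t)want;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (int)n;
}

/* Minimal bit reader in the shape of struct mszipd_stream (fields assumed). */
struct bitstream {
    struct src *input;
    unsigned char inbuf[4];
    unsigned char *i_ptr, *i_end;
    unsigned int bit_buffer;
    int bits_left;
};

/* Refill. With hardened == 0 this is the advisory's zipd_read_input(): a
 * zero-length read leaves i_ptr == i_end and the caller keeps consuming the
 * stale byte at inbuf[0]. With hardened == 1 a zero-length read is an error. */
static int read_input(struct bitstream *z, int hardened) {
    int read = src_read(z->input, z->inbuf, (int)sizeof z->inbuf);
    if (read < 0) return MSPACK_ERR_READ;
    if (hardened && read == 0) return MSPACK_ERR_READ;  /* the missing check */
    z->i_ptr = z->inbuf;
    z->i_end = z->inbuf + read;
    return MSPACK_ERR_OK;
}

/* ENSURE_BITS(8), PEEK_BITS(8) and REMOVE_BITS(8) as a function. */
static int read_byte(struct bitstream *z, int hardened, unsigned int *val) {
    while (z->bits_left < 8) {
        if (z->i_ptr >= z->i_end) {
            int err = read_input(z, hardened);
            if (err != MSPACK_ERR_OK) return err;
        }
        z->bit_buffer |= (unsigned int)*z->i_ptr++ << z->bits_left;
        z->bits_left += 8;
    }
    *val = z->bit_buffer & 0xff;
    z->bit_buffer >>= 8;
    z->bits_left -= 8;
    return MSPACK_ERR_OK;
}

/* The "CK" signature search from mszipd_decompress(). Returns the number of
 * bytes consumed when the signature is found, -2 when the reader reports an
 * error (hardened refill hit end of input), or -1 when `max_bytes` bytes go
 * by without either: on the vulnerable refill that is the infinite loop. */
int find_ck_signature(const unsigned char *data, size_t len, int hardened, long max_bytes) {
    struct src s = { data, len, 0, 4 };
    struct bitstream z;
    memset(&z, 0, sizeof z);
    z.input = &s;
    z.i_ptr = z.i_end = z.inbuf;
    int state = 0;
    long consumed = 0;
    unsigned int i = 0;
    do {
        if (consumed >= max_bytes) return -1;
        if (read_byte(&z, hardened, &i) != MSPACK_ERR_OK) return -2;
        consumed++;
        if (i == 'C') state = 1;
        else if (state == 1 && i == 'K') state = 2;
        else state = 0;
    } while (state != 2);
    return (int)consumed;
}

int main(void) {
    /* Constructed inputs: a block with its signature, and one truncated before it. */
    const unsigned char good[] = "xxxxxxCKdata";
    const unsigned char truncated[] = "xxxxxxC";
    printf("good, hardened:        %d\n", find_ck_signature(good, sizeof good - 1, 1, 10000));
    printf("truncated, hardened:   %d\n", find_ck_signature(truncated, sizeof truncated - 1, 1, 10000));
    printf("truncated, vulnerable: %d\n", find_ck_signature(truncated, sizeof truncated - 1, 0, 10000));
    return 0;
}
```

Decoders that must flush a final partial byte can pad a single zero byte on the first zero-length read instead of failing immediately; what matters is that the next consecutive zero-length read is reported as an error rather than handed back as an empty buffer that the bit loop will silently re-read.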

CVE Information:
 CAN-2005-1922: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1922
 CAN-2005-1923: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1923

Disclosure Timeline:
06/07/2005 - Initial vendor notification
06/08/2005 - Initial vendor response
06/29/2005 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE (labs-no-reply@idefense.com).
The original articles can be found at:
http://www.idefense.com/application/poi/display?id=275&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=276&type=vulnerabilities


