The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Clam AntiVirus Heap Overflow (Win32-UPX)
------------------------------------------------------------------------
SUMMARY
" <http://www.clamav.net> Clam AntiVirus is a GPL anti-virus toolkit for
UNIX. The main purpose of this software is the integration with mail
servers (attachment scanning)."
Remote exploitation of a heap overflow vulnerability allows execution of
arbitrary code.
DETAILS
Vulnerable Systems:
* Clam AntiVirus versions prior to 0.88.4
Immune Systems:
* Clam AntiVirus version 0.88.4
Vulnerability exists in pefromupx() function, that is used to buil Win32
PE file from UPX packed file.
Vulnerable code:
libclamav/upx.c:
------------
int pefromupx (char *src, char *dst, uint32_t *dsize, uint32_t ep,
uint32_t
upx0, uint32_t upx1, uint32_t magic)
{
char *imports, *sections, *pehdr, *newbuf;
int sectcnt, upd=1;
uint32_t realstuffsz;
uint32_t foffset=0xd0+0xf8;
imports = dst + cli_readint32(src + ep - upx1 + magic);
realstuffsz = imports-dst;
if (realstuffsz >= *dsize ) {
cli_dbgmsg("UPX: wrong realstuff size - giving up rebuild\n");
return 0;
}
...
OK first we check that realstuffsz is not larger than dsize.
...
foffset+=0x28*sectcnt;
if (!CLI_ISCONTAINED(dst, *dsize, sections, 0x28*sectcnt)) {
cli_dbgmsg("UPX: Not enough space for all sects - giving up
rebuild\n");
return 0;
}
...
Now we check that we have enough space for section headers.
...
for (upd = 0; upd <sectcnt ; upd++) {
uint32_t vsize=cli_readint32(sections+8)-1;
uint32_t rsize=cli_readint32(sections+16);
uint32_t urva=cli_readint32(sections+12);
....
cli_writeint32(sections+8, vsize);
cli_writeint32(sections+20, foffset);
foffset+=rsize;
sections+=0x28;
}
...
Now, we add to foffset rsize value of all sections and we DON`T check that
we have enough space in *dst.
...
/* CBA restoring the imports they'll look different from the originals
anyway... */
/* ...and yeap i miss the icon too :P */
memcpy(dst, newbuf, foffset);
*dsize = foffset;
free(newbuf);
cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
return 1;
}
...
And there is our heap overflow. We copy from newbuf to dst pointer foffset
bytes, but we don`t check that foffset > *dsize.
Proof of concept:
The example of crafted upx file:
http://overflow.pl/poc/clamav_upx_heap.exe
[pucik@overflow UPX]$ clamscan clamav_upx_heap.exe
*** glibc detected *** double free or corruption (out): 0x08bcbbc0 ***
Przerwane (core dumped)
You can control value of foffset changing "SizeOfRawData" of section 1.
ADDITIONAL INFORMATION
The information has been provided by <mailto:pucik@overflow.pl> Damian
Put.
The original article can be found at:
<http://www.overflow.pl/adv/clamav_upx_heap.txt>
http://www.overflow.pl/adv/clamav_upx_heap.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
