Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Re: ClamAV Multiple Rem0te Buffer Overflows

from [nick] Network Security [Permanent Link]
Subject: [Full-disclosure] Re: ClamAV Multiple Rem0te Buffer Overflows
Date: Tue, 26 Jul 2005 11:22:10 +0200
list@rem0te.com wrote: 
Date
July 25, 2005

Vulnerability
ClamAV is the most widely used GPL antivirus library today. It provides file format support for virus analysis. During analysis ClamAV Antivirus Library is vulnerable to buffer overflows allowing attackers complete control of the system. These vulnerabilities can be exploited remotely without user interaction or authentication through common protocols such as SMTP, SMB, HTTP, FTP, etc.

Specifically, ClamAV is responsible for parsing multiple file formats. At least 4 of its file format processors contain remote security bugs. Specifically, during the processing of TNEF, CHM, & FSG formats an attacker is able to trigger several integer overflows that allow attackers to overwrite heap data to obtain complete control of the system. These vulnerabilities can be reached by default and triggered without user interaction by sending an e-mail containing crafted data. 

Impact
Successful exploitation of ClamAV protected systems allows attackers 
unauthorized control of data and related privileges. It also provides leverage 
for further network compromise. ClamAV implementations are likely vulnerable in 
their default configuration.

Affected Products
ClamAV â 0.86.1 (current) and prior

There are numerous implementations of ClamAV listed on their site which are likely 
vulnerable. One party of note is Apple. Apple includes ClamAV by default in Mac OS X 
Server. In addition, ClamAV has been ported to windows and a variety of other 
platforms by third parties whoâs implementations are also likely vulnerable. 
Refer to vendor for specifics.

Credit
These vulnerabilities were discovered and researched by Neel Mehta & Alex 
Wheeler.

Contact
security@rem0te.com 

Details
http://www.rem0te.com/public/images/clamav.pdf







The clamav.net front page says "Latest ClamAV stable release is: 0.86.2".

Is this included in your advisory?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] [USN-153-1] fetchmail vulnerability, Martin Pitt
Next by Date:  Re: [Full-disclosure] Re: ClamAV Multiple Rem0te Buffer Overflows, Stelian Ene
Previous by Thread:  [Full-disclosure] ClamAV Multiple Rem0te Buffer Overflows, list
Next by Thread:  Re: [Full-disclosure] Re: ClamAV Multiple Rem0te Buffer Overflows, Stelian Ene
Indexes:  [Date] [Thread] [Top] [All Lists]