ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the 'clamd' process by sending an email with a prepared attachment. Versions below 0.94.1 are affected.
6cc70ca47bd8e70a162e0b466166e4ae4e11b76c25c6b31b93bb29214c73de19
-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow
Copyright (c) 2008 Moritz Jodeit <moritz@jodeit.org> (2008/11/08)
-----------------------------------------------------------------
Application details:
From http://www.clamav.net/:
"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic
database updates. The core of the package is an anti-virus engine
available in a form of shared library."
Vulnerability description:
ClamAV contains an off-by-one heap overflow vulnerability in the
code responsible for parsing VBA project files. Successful
exploitation could allow an attacker to execute arbitrary code with
the privileges of the `clamd' process by sending an email with a
prepared attachment.
The vulnerability occurs inside the get_unicode_name() function
in libclamav/vba_extract.c when a specific `name' buffer is passed
to it.
101 static char *
102 get_unicode_name(const char *name, int size, int big_endian)
103 {
104 int i, increment;
105 char *newname, *ret;
106
107 if((name == NULL) || (*name == '\0') || (size <= 0))
108 return NULL;
109
110 newname = (char *)cli_malloc(size * 7);
First the `size' of the `name' buffer multiplied by 7 is used to
allocate the destination buffer `newname'. When the `name' buffer
only consists of characters matching some specific criteria [1]
and `big_endian' is set, the following loop can write exactly 7
characters into the allocated destination buffer `newname' per
character found in source buffer `name'.
This effectively fills up the destination buffer completely. After
the loop in line 143, the terminating NUL byte is written and
overflows the allocated buffer on the heap.
143 *ret = '\0';
144
145 /* Saves a lot of memory */
146 ret = cli_realloc(newname, (ret - newname) + 1);
147 return ret ? ret : newname;
148 }
[1] Every character matching the following condition results in
7 characters written to the destination buffer:
(c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)
A VBA project file embedded inside an OLE2 office document send
as an attachment can trigger the off-by-one.
Vendor response:
2008/10/16 Initial report to vendor
2008/10/16 Vulnerability acknowledged by acab@clamav.net
2008/11/03 Release of version 0.94.1
Vulnerable packages:
All versions up to 0.94 are vulnerable.
Version 0.94.1 fixes the problem.