From owner-freebsd-security@FreeBSD.ORG Thu Feb 14 15:10:41 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2792016A56F for ; Thu, 14 Feb 2008 15:10:41 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) Received: from 0.mx.codelabs.ru (0.mx.codelabs.ru [144.206.177.45]) by mx1.freebsd.org (Postfix) with ESMTP id 296DB13C4D5 for ; Thu, 14 Feb 2008 15:10:40 +0000 (UTC) (envelope-from rea-fbsd@codelabs.ru) DomainKey-Signature: a=rsa-sha1; q=dns; c=simple; s=one; d=codelabs.ru; h=Received:Date:From:To:Message-ID:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:Sender:X-Spam-Status:Subject; b=G8wSzpIfudAxvUTX6LSE7WsfpSGFiSXHLUm1I43HsSU3y2di1zdcrDx9KBlRYZXwHmujgjS9SColauel7tSyFsueJorpBW7BbpXRJG8yP1mCZrbF5s63wrUgM9qOyPXNqTA3NKS045hhG67in+oa+jxkUx7ORUFbH8BOtg8Nv5o=; Received: from void.codelabs.ru (void.codelabs.ru [144.206.177.25]) by 0.mx.codelabs.ru with esmtpsa (TLSv1:AES256-SHA:256) id 1JPfjS-000H2b-BQ for freebsd-security@freebsd.org; Thu, 14 Feb 2008 18:10:38 +0300 Date: Thu, 14 Feb 2008 18:10:37 +0300 From: Eygene Ryabinkin To: freebsd-security@freebsd.org Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: Sender: rea-fbsd@codelabs.ru X-Spam-Status: No, score=-2.3 required=4.0 tests=ALL_TRUSTED,AWL,BAYES_05 Subject: Re: VuXML entry for CVE-2008-0318 (libclamav) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 14 Feb 2008 15:10:41 -0000 Good day. Wed, Feb 13, 2008 at 06:38:46PM +0300, Eygene Ryabinkin wrote: > Attached is the draft of the VuXML entry for the new ClamAV > vulnerability. As pointed to me by Remko Lodder, the attachment was stripped. Resending it inline. Remko, thanks again for pointing me to this pity fact! ----- clamav -- ClamAV libclamav PE File Integer Overflow Vulnerability clamav 0.920.92.1

iDefense Security Advisory 02.12.08:

Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.

The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.

Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition.

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.

Workaround

Disabling the scanning of PE files will prevent exploitation.

If using clamscan, this can be done by running clamscan with the '--no-pe' option.

If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.

Vendor response

The ClamAV team has addressed this vulnerability within version 0.92.1. Additionally, the ClamAV team reports, "the vulnerable module was remotely disabled via virus-db update on Jan 11th 2008."

 CVE-2008-0318 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=658 http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog 2008-01-07 ----- -- Eygene