<<< Date Index >>>     <<< Thread Index >>>

ClamAV Multiple Rem0te Buffer Overflows



Date
July 25, 2005

Vulnerability
ClamAV is the most widely used GPL antivirus library today. It provides file 
format support for virus analysis. During analysis ClamAV Antivirus Library is 
vulnerable to buffer overflows allowing attackers complete control of the 
system. These vulnerabilities can be exploited remotely without user 
interaction or authentication through common protocols such as SMTP, SMB, HTTP, 
FTP, etc.

Specifically, ClamAV is responsible for parsing multiple file formats. At least 
4 of its file format processors contain remote security bugs. Specifically, 
during the processing of TNEF, CHM, & FSG formats an attacker is able to 
trigger several integer overflows that allow attackers to overwrite heap data 
to obtain complete control of the system. These vulnerabilities can be reached 
by default and triggered without user interaction by sending an e-mail 
containing crafted data.

Impact
Successful exploitation of ClamAV protected systems allows attackers 
unauthorized control of data and related privileges. It also provides leverage 
for further network compromise. ClamAV implementations are likely vulnerable in 
their default configuration.

Affected Products
ClamAV – 0.86.1 (current) and prior

There are numerous implementations of ClamAV listed on their site which are 
likely vulnerable. One party of note is Apple. Apple includes ClamAV by default 
in Mac OS X Server. In addition, ClamAV has been ported to windows and a 
variety of other platforms by third parties who’s implementations are also 
likely vulnerable. Refer to vendor for specifics.

Credit
These vulnerabilities were discovered and researched by Neel Mehta & Alex 
Wheeler.

Contact
security@xxxxxxxxxx

Details
http://www.rem0te.com/public/images/clamav.pdf