Re: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
Hi,
The vulnerability also affects unrar (3.70 beta 3 freeware by Alexander
Roshal), as it tries to read a negative location from a pointer reference in
the SET_VALUE(false,Data,Addr-Offset) function (found in rarvm.cpp).
The values of Addr is 1666528 while Offset is 4546004 which of course results
in -2879476 being accessed, or "even better" the value of 4292087820 as it is
casted to an unsigned value without checking.
On Wednesday 11 July 2007 18:13:03 Metaeye SG wrote:
> Vendor
> ------
> Clam Antivirus (http://www.clamav.net)
>
> Product
> -------
> Clamav (libclamav)
>
> Versions Affected
> -----------------
> All before 0.91
>
> Severity
> --------
> Moderate
>
> Issue
> -----
> Clamav crashes due to processing of standard filters in RAR VM, while
> processing a corrupted RAR file. Processing the corrupted file results in a
> null pointer deference.
>
> Impact
> ------
> Processing the corrupted file will result in crashing of clamscan
> application and clamd daemon.
>
> Fix
> ---
> Upgrade to version 0.91.
>
> PoC
> ---
> http://www.metaeye.org/codes/corrupted.rar
>
> Vendor Status
> -------------
> Reported: 25/06/2007
> Fixed: 11/07/2007
>
>
> References
> ----------
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=555
> http://www.metaeye.org/advisories/54
>
>
>
> Metaeye SG // http://www.metaeye.org
--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr@xxxxxxxxxxxxxxxxxx
http://www.beyondsecurity.com