<<< Date Index >>>     <<< Thread Index >>>

Re: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.



Hi,

The vulnerability also affects unrar (3.70 beta 3 freeware by Alexander 
Roshal), as it tries to read a negative location from a pointer reference in 
the SET_VALUE(false,Data,Addr-Offset) function (found in rarvm.cpp).

The values of Addr is 1666528 while Offset is 4546004 which of course results 
in -2879476 being accessed, or "even better" the value of 4292087820 as it is 
casted to an unsigned value without checking.

On Wednesday 11 July 2007 18:13:03 Metaeye SG wrote:
> Vendor
> ------
> Clam Antivirus (http://www.clamav.net)
>
> Product
> -------
> Clamav (libclamav)
>
> Versions Affected
> -----------------
> All before 0.91
>
> Severity
> --------
> Moderate
>
> Issue
> -----
> Clamav crashes due to processing of standard filters in RAR VM, while
> processing a corrupted RAR file. Processing the corrupted file results in a
> null pointer deference.
>
> Impact
> ------
> Processing the corrupted file will result in crashing of clamscan
> application and clamd daemon.
>
> Fix
> ---
> Upgrade to version 0.91.
>
> PoC
> ---
> http://www.metaeye.org/codes/corrupted.rar
>
> Vendor Status
> -------------
> Reported: 25/06/2007
> Fixed:    11/07/2007
>
>
> References
> ----------
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=555
> http://www.metaeye.org/advisories/54
>
>
>
> Metaeye SG // http://www.metaeye.org



-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr@xxxxxxxxxxxxxxxxxx
  http://www.beyondsecurity.com