Re: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.

To: contact@xxxxxxxxxxx
Subject: Re: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
From: Noam Rathaus <noamr@xxxxxxxxxxxxxxxxxx>
Date: Wed, 11 Jul 2007 18:32:53 +0300
Cc: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
In-reply-to: <4694F37F.2090301@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Beyond Security
References: <4694F37F.2090301@xxxxxxxxxxx>
User-agent: KMail/1.9.7

Hi,

The vulnerability also affects unrar (3.70 beta 3 freeware by Alexander 
Roshal), as it tries to read a negative location from a pointer reference in 
the SET_VALUE(false,Data,Addr-Offset) function (found in rarvm.cpp).

The values of Addr is 1666528 while Offset is 4546004 which of course results 
in -2879476 being accessed, or "even better" the value of 4292087820 as it is 
casted to an unsigned value without checking.

On Wednesday 11 July 2007 18:13:03 Metaeye SG wrote:
> Vendor
> ------
> Clam Antivirus (http://www.clamav.net)
>
> Product
> -------
> Clamav (libclamav)
>
> Versions Affected
> -----------------
> All before 0.91
>
> Severity
> --------
> Moderate
>
> Issue
> -----
> Clamav crashes due to processing of standard filters in RAR VM, while
> processing a corrupted RAR file. Processing the corrupted file results in a
> null pointer deference.
>
> Impact
> ------
> Processing the corrupted file will result in crashing of clamscan
> application and clamd daemon.
>
> Fix
> ---
> Upgrade to version 0.91.
>
> PoC
> ---
> http://www.metaeye.org/codes/corrupted.rar
>
> Vendor Status
> -------------
> Reported: 25/06/2007
> Fixed:    11/07/2007
>
>
> References
> ----------
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=555
> http://www.metaeye.org/advisories/54
>
>
>
> Metaeye SG // http://www.metaeye.org



-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr@xxxxxxxxxxxxxxxxxx
  http://www.beyondsecurity.com

Follow-Ups:
- Re: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
  - From: Metaeye SG

References:
- Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
  - From: Metaeye SG

Prev by Date: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
Next by Date: Re: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
Previous by thread: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
Next by thread: Re: Advisory - Clam AntiVirus RAR File Handling Denial Of Service Vulnerability.
Index(es):
- Date
- Thread