ClamAV get_unicode_name() off-by-one buffer overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ClamAV get_unicode_name() off-by-one buffer overflow
From: Moritz Jodeit <moritz@xxxxxxxxxx>
Date: Sat, 8 Nov 2008 12:57:22 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow

Copyright (c) 2008 Moritz Jodeit <moritz@xxxxxxxxxx> (2008/11/08)
-----------------------------------------------------------------

Application details:

        From http://www.clamav.net/:

        "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
        designed especially for e-mail scanning on mail gateways. It provides
        a number of utilities including a flexible and scalable multi-threaded
        daemon, a command line scanner and advanced tool for automatic
        database updates. The core of the package is an anti-virus engine
        available in a form of shared library."

Vulnerability description:

        ClamAV contains an off-by-one heap overflow vulnerability in the
        code responsible for parsing VBA project files. Successful
        exploitation could allow an attacker to execute arbitrary code with
        the privileges of the `clamd' process by sending an email with a
        prepared attachment.

        The vulnerability occurs inside the get_unicode_name() function
        in libclamav/vba_extract.c when a specific `name' buffer is passed
        to it.

        101 static char *
        102 get_unicode_name(const char *name, int size, int big_endian)
        103 {
        104         int i, increment;
        105         char *newname, *ret;
        106
        107         if((name == NULL) || (*name == '\0') || (size <= 0))
        108                 return NULL;
        109
        110         newname = (char *)cli_malloc(size * 7);

        First the `size' of the `name' buffer multiplied by 7 is used to
        allocate the destination buffer `newname'. When the `name' buffer
        only consists of characters matching some specific criteria [1]
        and `big_endian' is set, the following loop can write exactly 7
        characters into the allocated destination buffer `newname' per
        character found in source buffer `name'.

        This effectively fills up the destination buffer completely. After
        the loop in line 143, the terminating NUL byte is written and
        overflows the allocated buffer on the heap.

        143         *ret = '\0';
        144
        145         /* Saves a lot of memory */
        146         ret = cli_realloc(newname, (ret - newname) + 1);
        147         return ret ? ret : newname;
        148 }

        [1] Every character matching the following condition results in
            7 characters written to the destination buffer:

                (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)

        A VBA project file embedded inside an OLE2 office document send
        as an attachment can trigger the off-by-one.

Vendor response:

        2008/10/16 Initial report to vendor
        2008/10/16 Vulnerability acknowledged by acab@xxxxxxxxxx
        2008/11/03 Release of version 0.94.1

Vulnerable packages:

        All versions up to 0.94 are vulnerable.
        Version 0.94.1 fixes the problem.

Attachment: pgplpKfHsdyUK.pgp
Description: PGP signature

Prev by Date: Metrica Service Assurance Multiple Cross Site Scripting
Next by Date: [ GLSA 200811-02 ] Gallery: Multiple vulnerabilities
Previous by thread: Metrica Service Assurance Multiple Cross Site Scripting
Next by thread: [ GLSA 200811-02 ] Gallery: Multiple vulnerabilities
Index(es):
- Date
- Thread