ClamAV 'get_unicode_name' Function Single-Byte Heap Overflow Vulnerability

Vulnerability ID: 1184661
Vulnerability type: Buffer overflow
Published: 2008-11-09
Updated: 2009-02-13
CVE: CVE-2008-5050
CNNVD ID: CNNVD-200811-195
Platform: N/A
CVSS score: 9.3
|Vulnerability sources
https://www.securityfocus.com/bid/32207
https://cxsecurity.com/issue/WLB-2008110022
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200811-195
|Vulnerability details
Clam AntiVirus is a GPL anti-virus toolkit for Unix that many mail gateway products use. The get_unicode_name function of Clam AntiVirus (ClamAV) contains a single-byte (off-by-one) heap overflow. A remote attacker can use a specially crafted VBA project file to trigger the heap buffer overflow, causing a denial of service (crash) or possibly executing arbitrary code.
|Exploit / advisory
-----------------------------------------------------------------
ClamAV get_unicode_name() off-by-one buffer overflow

Copyright (c) 2008 Moritz Jodeit <moritz_at_jodeit.org> (2008/11/08)
-----------------------------------------------------------------

Application details:

        From http://www.clamav.net/:

        "Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
        designed especially for e-mail scanning on mail gateways. It provides
        a number of utilities including a flexible and scalable multi-threaded
        daemon, a command line scanner and advanced tool for automatic
        database updates. The core of the package is an anti-virus engine
        available in a form of shared library."

Vulnerability description:

        ClamAV contains an off-by-one heap overflow vulnerability in the
        code responsible for parsing VBA project files. Successful
        exploitation could allow an attacker to execute arbitrary code with
        the privileges of the `clamd' process by sending an email with a
        prepared attachment.

        The vulnerability occurs inside the get_unicode_name() function
        in libclamav/vba_extract.c when a specific `name' buffer is passed
        to it.

        101 static char *
        102 get_unicode_name(const char *name, int size, int big_endian)
        103 {
        104         int i, increment;
        105         char *newname, *ret;
        106
        107         if((name == NULL) || (*name == '\0') || (size <= 0))
        108                 return NULL;
        109
        110         newname = (char *)cli_malloc(size * 7);

        First the `size' of the `name' buffer multiplied by 7 is used to
        allocate the destination buffer `newname'. When the `name' buffer
        only consists of characters matching some specific criteria [1]
        and `big_endian' is set, the following loop can write exactly 7
        characters into the allocated destination buffer `newname' per
        character found in source buffer `name'.

        This effectively fills up the destination buffer completely. After
        the loop in line 143, the terminating NUL byte is written and
        overflows the allocated buffer on the heap.

        143         *ret = '\0';
        144
        145         /* Saves a lot of memory */
        146         ret = cli_realloc(newname, (ret - newname) + 1);
        147         return ret ? ret : newname;
        148 }

        [1] Every character matching the following condition results in
            7 characters written to the destination buffer:

                (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)

        A VBA project file embedded inside an OLE2 office document sent
        as an attachment can trigger the off-by-one.

Vendor response:

        2008/10/16 Initial report to vendor
        2008/10/16 Vulnerability acknowledged by acab_at_clamav.net
        2008/11/03 Release of version 0.94.1

Vulnerable packages:

        All versions up to 0.94 are vulnerable.
        Version 0.94.1 fixes the problem.
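The length accounting behind the advisory above, as an added example that is not part of the advisory or of ClamAV's own code: it implements the footnote [1] condition, models how many bytes the conversion loop emits for a name, and checks whether the terminating NUL still fits in an allocation of size * 7. The step width per endianness (1 byte big-endian, 2 otherwise), the 1-byte cost of a non-qualifying character and the size * 7 + 1 allocation shown for comparison are assumptions, not the project's patch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Condition from the advisory's footnote [1]: such a byte makes the
 * conversion loop emit 7 output bytes. isprint() is given an unsigned
 * value to avoid undefined behaviour on negative chars. */
static int expands_to_seven(signed char c)
{
    return ((c & 0x80) || !isprint((unsigned char)c)) && (c >= 10 || c < 0);
}

/* Bytes the loop writes into newname before the terminator. Assumptions
 * (not quantified in the advisory): the loop steps 1 byte when big_endian
 * and 2 bytes otherwise, and a non-qualifying byte is copied as 1 byte. */
size_t loop_output_bytes(const char *name, int size, int big_endian)
{
    int increment = big_endian ? 1 : 2;
    size_t n = 0;
    for (int i = 0; i < size; i += increment)
        n += expands_to_seven((signed char)name[i]) ? 7 : 1;
    return n;
}

/* 1 if the NUL written after the loop lands outside an allocation of
 * alloc_bytes, i.e. the off-by-one the advisory describes; 0 otherwise. */
int nul_write_overflows(const char *name, int size, int big_endian,
                        size_t alloc_bytes)
{
    return loop_output_bytes(name, size, big_endian) + 1 > alloc_bytes;
}

int main(void)
{
    /* Constructed worst case: every byte has the high bit set. */
    char name[4];
    memset(name, 0x80, sizeof name);
    int size = (int)sizeof name;
    size_t vuln = (size_t)size * 7;       /* cli_malloc(size * 7) as on the page */
    size_t safe = (size_t)size * 7 + 1;   /* +1 for the terminator (assumed fix) */

    printf("big-endian loop writes %zu bytes\n", loop_output_bytes(name, size, 1));
    printf("size*7   -> %s\n", nul_write_overflows(name, size, 1, vuln) ? "NUL overflows" : "ok");
    printf("size*7+1 -> %s\n", nul_write_overflows(name, size, 1, safe) ? "NUL overflows" : "ok");
    printf("little-endian (step 2) -> %s\n",
           nul_write_overflows(name, size, 0, vuln) ? "NUL overflows" : "ok");
    return 0;
}
```

With the step-2 (little-endian) path the loop can fill at most half the buffer, which is why the advisory singles out the big_endian case.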



|Affected products
Ubuntu: Ubuntu Linux 8.10 sparc
Ubuntu: Ubuntu Linux 8.10 powerpc
Ubuntu: Ubuntu Linux 8.10 lpia
Ubuntu: Ubuntu Linux 8.10 i386
Ubuntu: Ubuntu Linux 8.10 amd64
SuSE: SUSE Linux
|References

Source: BID, Name: 32207, Link: http://www.securityfocus.com/bid/32207
Source: FEDORA, Name: FEDORA-2008-9651, Link: https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00348.html
Source: FEDORA, Name: FEDORA-2008-9644, Link: https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00332.html
Source: XF, Name: clamav-getunicodename-bo(46462), Link: http://xforce.iss.net/xforce/xfdb/46462
Source: BUGTRAQ, Name: 20081108 ClamAV get_unicode_name() off-by-one buffer overflow, Link: http://www.securityfocus.com/archive/1/archive/1/498169/100/0/threaded
Source: MANDRIVA, Name: MDVSA-2008:229, Link: http://www.mandriva.com/security/advisories?name=MDVSA-2008:229
Source: VUPEN, Name: ADV-2009-0422, Link: http://www.frsirt.com/english/advisories/2009/0422
Source: VUPEN, Name: ADV-2008-3085, Link: http://www.frsirt.com/english/advisories/2008/3085
Source: DEBIAN, Name: DSA-1680, Link: http://www.debian.org/security/2008/dsa-1680
Source: support.apple.com, Link: http://support.apple.com/kb/HT3438
Source: sourceforge.net, Link: http://sourceforge.net/project/shownotes.php?release_id=637952&group_id=