Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
Vulnerable Systems:
* ClamAV version 0.91.2
Immune Systems:
* ClamAV version 0.92
The vulnerability exists within the code responsible for parsing PE files packed with the MEW packer. During unpacking, two untrusted values are taken directly from the file without being validated. These values are later used in an arithmetic operation to calculate the size of a heap buffer to allocate. This calculation can overflow, resulting in a buffer of insufficient size being allocated. This later leads to arbitrary areas of memory being overwritten with attacker-supplied data.
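As an added illustration (not code from ClamAV or from the advisory), the following constructed C model shows the bug class described above: the first function computes an allocation size from two file-supplied values without checks and wraps, the second rejects any pair whose arithmetic would wrap or exceed a sanity bound. The 8-byte header layout, the "count * 4 + base" formula and the size cap are assumptions; the advisory only states that two untrusted values feed one arithmetic operation.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the advisory's bug class: two 32-bit values read
 * straight from the file are combined into a heap allocation size.
 * Field layout, formula and cap are assumptions made for this example. */

#define MAX_UNPACK_SIZE (64u * 1024u * 1024u)   /* sanity cap, assumed */

/* Decode a little-endian 32-bit field without depending on host byte order. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed pattern: the multiply and the add silently wrap modulo 2^32, so a
 * crafted pair of values yields a small allocation that later writes overrun. */
uint32_t unchecked_size(uint32_t count, uint32_t base) {
    return count * 4u + base;
}

/* Hardened pattern: test each step for wrap before performing it, then bound
 * the result. Returns 1 and stores the size on success, 0 when rejected. */
int checked_size(uint32_t count, uint32_t base, size_t *out) {
    uint32_t bytes;
    if (count > UINT32_MAX / 4u) return 0;            /* count * 4 would wrap */
    bytes = count * 4u;
    if (bytes > UINT32_MAX - base) return 0;          /* bytes + base would wrap */
    bytes += base;
    if (bytes == 0 || bytes > MAX_UNPACK_SIZE) return 0; /* degenerate or implausible */
    *out = bytes;
    return 1;
}

/* Parse the two fields (count, base; little-endian) from a constructed 8-byte
 * header and derive the allocation size through the hardened check. */
int size_from_header(const unsigned char *hdr, size_t hdr_len, size_t *out) {
    if (hdr_len < 8) return 0;                        /* truncated header */
    return checked_size(le32(hdr), le32(hdr + 4), out);
}
```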
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav.
In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.
Workaround:
Disabling the scanning of PE files will prevent exploitation. If using clamscan, this can be done by running clamscan with the '--no-pe' option. If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.
CVE Information:
CVE-2007-5759
Disclosure timeline:
10/17/2007 - Initial vendor notification
10/18/2007 - Initial vendor response
12/18/2007 - Coordinated public disclosure