|
|
|
|
| |
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=658
|
| |
Vulnerable Systems:
* ClamAV version 0.92
Immune Systems:
* ClamAV version 0.92.1
The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.
Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.
Address Space Layout Randomization (ASLR) and non-executable memory protection technologies (such as DEP, NX, XD, PaX, etc) can help mitigate exploitation of this type of vulnerability.
Workaround:
Disabling the scanning of PE files will prevent exploitation.
If using clamscan, this can be done by running clamscan with the '--no-pe' option.
If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.
Vendor response:
The ClamAV team has addressed this vulnerability within version 0.92.1. Additionally, the ClamAV team reports, "the vulnerable module was remotely disabled via virus-db update on Jan 11th 2008."
CVE Information:
CVE-2008-0318
Disclosure timeline:
01/07/2008 - Initial vendor notification
01/11/2008 - Initial vendor response
02/12/2008 - Coordinated public disclosure
|
|
|
|
|
