>
> Clam AntiVirus tnef_attachment() DoS Vulnerability
>
> iDEFENSE Security Advisory 11.04.05
> http://www.idefense.com/application/poi/display?type=vulnerabilities
> November 4, 2005
>
> I. BACKGROUND
>
> Clam AntiVirus is a GPL anti-virus toolkit for Unix.
>
> II. DESCRIPTION
>
> Remote exploitation of a design error in Clam AntiVirus ClamAV allows
> attackers to cause a denial of service (DoS) condition.
>
> The vulnerability specifically exists in the tnef_attachment function
> within tnef.c. A user controlled value is used to fseek into the file
> that is being processed; this allows a user to specify the same block
> for scanning repeatedly, thus leading to an infinite loop.
> The following one-line code snippet from the tnef processor demonstrates
> the flaw:
>
> fseek(fp, (long)(offset + length), SEEK_SET); /* shouldn't be needed */
>
> When this code is reached, length is supplied by the file being
> processed. This makes it possible to seek back to the previous header,
> causing the infinite loop to begin. Furthermore, if the block is marked
> as an attachment, the data that is repeatedly read will be added to a
> dynamically allocated memory buffer, making memory exhaustion trivial.
>
> III. ANALYSIS
>
> Successful exploitation requires an attacker to send a specially
> constructed CAB file through a mail gateway or personal anti-virus
> client utilizing the ClamAV scanning engine.
>
> The infinite loop will cause the ClamAV software to use all available
> processor resources, resulting in a DoS or severe degradation of system
> performance. Ultimately, the OOM handler will terminate a task to
> alleviate the stress on the system.
>
> IV. DETECTION
>
> iDEFENSE has confirmed this vulnerability on ClamAV 0.86.1. All previous
> versions are suspected vulnerable to this issue.
>
> V. WORKAROUND
>
> Archive file analysis can be disabled (--no-archive) but this can have
> severe impacts on the virus detection functionality.
>
> VI. VENDOR RESPONSE
>
> The vendor has released clamav 0.87.1 to address this vulnerability. It
> is available for download at:
>
> http://prdownloads.sourceforge.net/clamav/clamav-0.87.1.tar.gz?download
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 10/07/2005 Initial vendor notification
> 10/12/2005 Initial vendor response
> 11/04/2005 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events
> http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Copyright (c) 2005 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
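The failure mode the quoted advisory describes (a file-supplied length fed straight into a seek, so a record can point the parser back at an earlier header and the scanner laps forever while its attachment buffer grows) is easy to model outside ClamAV. The program below is an added illustration written for this page; it is not ClamAV's tnef.c, and the record layout it walks (a little-endian signed 32-bit length followed by that many data bytes) is a hypothetical simplification of a TNEF attribute stream, not the real format. The constructed `bad_stream` carries a second record whose negative length seeks back to offset 0; the unhardened walk is capped at `max_iters` visits only so the demonstration terminates, and the hardened walk rejects any seek that does not move strictly forward within the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Hypothetical record layout used only for this demonstration (NOT the real
 * TNEF format and NOT ClamAV's tnef.c):
 *   int32_t length   little-endian, taken straight from the file
 *   uint8_t data[length]
 * A record sits at `offset`; the walker moves to offset + 4 + length for the
 * next one, mirroring fseek(fp, (long)(offset + length), SEEK_SET). */
#define HEADER_LEN 4

enum walk_result { WALK_REJECTED = -1, WALK_LOOPED = -2 };

static int32_t read_le32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Walks the stream. Returns the number of records consumed (>= 0),
 * WALK_REJECTED when the hardened check refuses a non-advancing or
 * out-of-bounds seek, or WALK_LOOPED when the unhardened walk is still
 * running after max_iters visits (where a real scanner would spin forever).
 * *bytes_buffered counts attachment bytes a scanner would have appended to a
 * growing heap buffer; on a looping stream it grows on every lap. */
int walk_records(const uint8_t *buf, size_t size, int hardened,
                 size_t max_iters, size_t *bytes_buffered)
{
    size_t offset = 0, records = 0, iters = 0;
    *bytes_buffered = 0;
    while (offset + HEADER_LEN <= size) {
        if (iters++ >= max_iters)
            return WALK_LOOPED;
        int32_t length = read_le32(buf + offset);
        /* 64-bit arithmetic so a hostile length cannot overflow the cursor */
        int64_t next = (int64_t)offset + HEADER_LEN + (int64_t)length;
        if (hardened) {
            /* Mitigation: every record must move the cursor strictly forward
             * and stay inside the file; anything else is a malformed stream. */
            if (length < 0 || next <= (int64_t)offset || (uint64_t)next > size)
                return WALK_REJECTED;
        } else if (next < 0 || (uint64_t)next > size) {
            /* Even the unhardened model never reads outside the buffer. */
            break;
        }
        if (length > 0)
            *bytes_buffered += (size_t)length;   /* attachment data copied out */
        records++;
        offset = (size_t)next;
    }
    return (int)records;
}

/* Convenience wrapper returning only the buffered byte count. */
size_t walk_buffered(const uint8_t *buf, size_t size, int hardened,
                     size_t max_iters)
{
    size_t b;
    walk_records(buf, size, hardened, max_iters, &b);
    return b;
}

/* Constructed sample streams (not taken from any real file). */
const uint8_t good_stream[] = {
    8, 0, 0, 0,  'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',   /* record at 0  */
    3, 0, 0, 0,  'B', 'B', 'B'                              /* record at 12 */
};
const uint8_t bad_stream[] = {
    8, 0, 0, 0,  'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',   /* record at 0  */
    0xF0, 0xFF, 0xFF, 0xFF                                  /* length -16 at 12: next = 12 + 4 - 16 = 0 */
};

int main(void)
{
    size_t buffered;
    int r = walk_records(bad_stream, sizeof bad_stream, 0, 100, &buffered);
    printf("unhardened: result %d, %zu bytes buffered after 100 visits\n", r, buffered);
    r = walk_records(bad_stream, sizeof bad_stream, 1, 100, &buffered);
    printf("hardened:   result %d (rejected at the backward seek)\n", r);
    return 0;
}
```

On `bad_stream` the unhardened walk alternates between offsets 0 and 12 indefinitely and copies the 8-byte "attachment" on every lap, which is the CPU-plus-memory exhaustion the advisory describes; the hardened walk consumes the first record and then refuses the second because its length is negative. The same "must advance and stay in bounds" invariant is the check to look for when reviewing any parser that seeks by file-supplied offsets.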