Thread-topic: iDEFENSE Security Advisory 11.04.05: Clam AntiVirus Cabinet-file handling Denial of Service Vulnerability
>
> Clam AntiVirus Cabinet-file handling Denial of Service Vulnerability
>
> iDEFENSE Security Advisory 11.04.05
> http://www.idefense.com/application/poi/display?type=vulnerabilities
> November 4, 2005
>
> I. BACKGROUND
>
> Clam AntiVirus is a GPL anti-virus toolkit for Unix.
>
> II. DESCRIPTION
>
> Remote exploitation of a design error in Clam AntiVirus ClamAV allows
> attackers to cause a denial of service (DoS) condition.
>
> The vulnerability specifically exists with the libmspack library, which
> is included in ClamAV. The vulnerability can be found in the cabd_find
> function within mspack/cabd.c:
>
> for (offset = 0; offset < flen; offset += length) {
>     length = flen - offset;
>
>     [... read length from file ...]
>
>     for (p = &buf[0], pend = &buf[length]; p < pend; ) {
>         switch (state) {
>         [ ... ]
>         case 19:
>             => header has been completely read, cablen has been read from
>                bytes 8-11
>
>             [...]
>
>             /* likely cabinet found -- try reading it */
>             cab = sys->alloc(sys, sizeof(struct mscabd_cabinet_p));
>             => an mscabd_cabinet_p entry will be allocated each time
>
>             /* cabinet read correctly! */
>             offset = caboff + cablen;
>             => if cablen (and caboff) == 0, offset will be equal to 0
>
>             [...]
>
>             /* restart search */
>             [...]
>             length = 0;
>             p = pend;
>             state = 0;
>             => if offset == 0, we will restart at the beginning of the file
>                (because length == 0, so offset will still be zero in the next
>                iteration)
>             break;
>         }
>     }
> }
>
> If this function is called with a length value of zero, an infinite loop
> occurs. The comments above explain the scenario.
>
> III. ANALYSIS
>
> Successful exploitation requires an attacker to send a specially
> constructed CAB file through a mail gateway or personal anti-virus
> client utilizing the ClamAV scanning engine.
>
> The infinite loop will cause the ClamAV software to use all available
> processor resources, resulting in a denial of service or severe
> degradation of system performance. Ultimately, the OOM handler will
> terminate a task in order to alleviate the stress on the system.
>
> IV. DETECTION
>
> iDEFENSE has confirmed this vulnerability on ClamAV 0.86.1. All previous
> versions are suspected vulnerable to this issue.
>
> V. WORKAROUND
>
> Archive file analysis can be disabled (--no-archive) but this can have
> severe impacts on the virus detection functionality.
>
> VI. VENDOR RESPONSE
>
> The vendor has released clamav 0.87.1 to address this vulnerability. It
> is available for download at:
>
> http://prdownloads.sourceforge.net/clamav/clamav-0.87.1.tar.gz?download
>
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.
>
> VIII. DISCLOSURE TIMELINE
>
> 10/07/2005 Initial vendor notification
> 10/12/2005 Initial vendor response
> 11/04/2005 Coordinated public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
>
> Get paid for vulnerability research
> http://www.idefense.com/poi/teams/vcp.jsp
>
> Free tools, research and upcoming events http://labs.idefense.com
>
> X. LEGAL NOTICES
>
> Copyright (c) 2005 iDEFENSE, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDEFENSE. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically, please
> email customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct, indirect,
> or consequential loss or damage arising from use of, or reliance on,
> this information.
>
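An added illustration, not part of the quoted advisory and not libmspack's own code: a simplified C model of the header-search loop described in section II, run once with the advisory's zero-length restart and once with a guard that forces the scan offset to advance. The toy 8-byte header layout, `find_cabinets`, the step budget and the two sample buffers are constructed assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy header: "MSCF" magic + little-endian 32-bit cablen
 * (a model of the search loop only, not the real CAB header layout). */
#define HDR_LEN 8
/* Iteration budget so the flawed mode returns instead of spinning forever. */
#define MAX_STEPS 10000

static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan buf for cabinet headers and return how many were found, or -1 when
 * the step budget is exhausted (the stand-in for a hung scanner).
 * hardened == 0 mirrors the advisory: after a cabinet is read, the search
 * restarts at caboff + cablen, which is 0 again when both are 0.
 * hardened != 0 adds the guard: the next offset must lie past the header. */
int find_cabinets(const unsigned char *buf, size_t flen, int hardened) {
    size_t offset = 0;
    int found = 0, steps = 0;
    while (offset + HDR_LEN <= flen) {
        if (++steps > MAX_STEPS)
            return -1;
        if (memcmp(buf + offset, "MSCF", 4) != 0) {
            offset++;               /* no magic here, keep searching */
            continue;
        }
        size_t caboff = offset;
        uint32_t cablen = rd32(buf + offset + 4);
        found++;
        /* "cabinet read correctly" -> restart the search after it */
        size_t next = caboff + cablen;
        if (hardened && next <= offset) {
            /* zero-length (or backwards) cabinet: skip the parsed header
             * so the loop always makes progress */
            next = offset + HDR_LEN;
        }
        offset = next;
    }
    return found;
}

/* Constructed samples: one header claiming cablen 0; two headers claiming cablen 8 each. */
const unsigned char ZERO_LEN_CAB[16] = {'M','S','C','F', 0,0,0,0, 0,0,0,0, 0,0,0,0};
const unsigned char TWO_CABS[16] = {'M','S','C','F', 8,0,0,0, 'M','S','C','F', 8,0,0,0};
```

With the guard disabled the zero-length sample exhausts the step budget (the modelled hang); with it enabled the same input yields one cabinet and the scan terminates.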