Clam AntiVirus Multiple DoS (MS-Expand File Handling, Cabinet File Handling)

Thursday, 30 June 2005
Clam AntiVirus is a GPL anti-virus toolkit for UNIX.
Lack of proper validation in Clam AntiVirus allows attackers to cause it to enter an infinite loop, or to exhaust the file descriptor pool and memory.
Credit:
The information has been provided by iDEFENSE.
The original articles can be found at:
http://www.idefense.com/application/poi/display?id=275&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=276&type=vulnerabilities
Vulnerable Systems:
* ClamAV version 0.85 and prior
Immune Systems:
* ClamAV version 0.86
MS-Expand File Handling:
The vulnerability specifically exists due to improper behavior during exceptional conditions.
Code Snips:
libclamav/scanners.c:
static int cli_scanszdd(...)
{
    [...]
    FILE *tmp = NULL, *in;

    cli_dbgmsg("in cli_scanmscomp()\n");

    if((in = fdopen(dup(desc), "rb")) == NULL) {
        cli_dbgmsg("SZDD: Cant open descriptor %d\n", desc);
        return CL_EMSCOMP;
    }

    if((tmp = tmpfile()) == NULL) {
        cli_dbgmsg("SZDD: Cant generate temporary file.\n");
        fclose(in);
        return CL_ETMPFILE;
    }

    if(cli_msexpand(in, tmp) == -1) {
        cli_dbgmsg("SZDD: msexpand failed.\n");
        /* neither in nor tmp is closed on this error path: both streams leak */
        return CL_EMSCOMP;
    }
    [...]
}
Each time the cli_msexpand() function fails, two file descriptors (in and tmp) are leaked. As both are opened as stdio FILE streams (fdopen() and tmpfile()), there is also a memory leak (2 * 364 bytes). This allows an attacker to exhaust all of the available file descriptors fairly quickly, with around 1,000 malformed files.
Successful exploitation allows attackers to exhaust the file descriptor pool and memory. Anti-virus detection functionality will fail once there are no file descriptors available with which to open files. Remote exploitation can be achieved by sending a malicious file in an e-mail message or during an HTTP session.
Cabinet File Handling:
The vulnerability specifically exists due to insufficient validation of cabinet file header data. The ENSURE_BITS() macro fails to check for zero-length reads, allowing a carefully constructed cabinet file to cause an infinite loop. The ENSURE_BITS() macro is executed indirectly through the READ_BITS() macro, which is called from the mszipd_decompress() function.
Code Snips:
libclamav/mspack/mszipd.c
#define ENSURE_BITS(nbits) do {                                     \
    while (bits_left < (nbits)) {                                   \
        if (i_ptr >= i_end) {                                       \
            if (zipd_read_input(zip)) return zip->error;            \
            i_ptr = zip->i_ptr;                                     \
            i_end = zip->i_end;                                     \
        }                                                           \
        /* after a zero-length read i_ptr == i_end, so this reads   \
         * a stale byte and the loop never errors out */            \
        bit_buffer |= *i_ptr++ << bits_left; bits_left += 8;        \
    }                                                               \
} while (0)

#define READ_BITS(val, nbits) do {                                  \
    ENSURE_BITS(nbits); (val) = PEEK_BITS(nbits); REMOVE_BITS(nbits); \
} while (0)

static int zipd_read_input(struct mszipd_stream *zip) {
    int read = zip->sys->read(zip->input, &zip->inbuf[0], (int)zip->inbuf_size);
    if (read < 0) return zip->error = MSPACK_ERR_READ;
    /* read == 0 (end of input) is not treated as an error */
    zip->i_ptr = &zip->inbuf[0];
    zip->i_end = &zip->inbuf[read];
    return MSPACK_ERR_OK;
}

int mszipd_decompress(...)
{
    [...]
    /* scan for the 'C','K' block signature; spins forever if READ_BITS
     * keeps returning the same stale byte */
    do {
        READ_BITS(i, 8);
        if (i == C) state = 1;
        else if ((state == 1) && (i == K)) state = 2;
        else state = 0;
    } while (state != 2);
    [...]
}
Modification of the cffile_FolderOffset to 0xff in a CAB file can cause a read of zero, resulting in the infinite loop.
ClamAV is used in a number of mail gateway products. Successful exploitation requires an attacker to send a specially constructed CAB file through a mail gateway or personal anti-virus client utilizing the ClamAV scanning engine. The infinite loop will cause the ClamAV software to use all available processor resources, resulting in a denial of service or severe degradation to system performance. Remote exploitation can be achieved by sending a malicious file in an e-mail message or during an HTTP session.
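As an added example (not code from the advisory, ClamAV or libmspack), the following C reworks the ENSURE_BITS / READ_BITS / zipd_read_input path over a constructed in-memory stream so that a zero-length read terminates the 'C','K' signature scan with an error instead of looping. The struct, the function names and the choice to treat a zero-length read as a hard error are assumptions of this example, not the upstream fix.

```c
#include <string.h>

/* Constructed stand-in for the mspack input stream: a memory buffer whose
 * read callback returns 0 at end of input, exactly as a file would. */
struct bitstream {
    const unsigned char *data; size_t len, pos;   /* constructed CAB-like input */
    unsigned char inbuf[4], *i_ptr, *i_end;       /* tiny buffer forces refills */
    unsigned bit_buffer; int bits_left;
};

/* Refill inbuf. Unlike the original zipd_read_input(), a zero-length read is
 * an error instead of silently leaving i_ptr == i_end for the next pass. */
static int read_input(struct bitstream *s) {
    size_t n = s->len - s->pos;
    if (n > sizeof s->inbuf) n = sizeof s->inbuf;
    if (n == 0) return -1;              /* EOF: the case ENSURE_BITS never checked */
    memcpy(s->inbuf, s->data + s->pos, n);
    s->pos += n;
    s->i_ptr = s->inbuf; s->i_end = s->inbuf + n;
    return 0;
}

/* Same loop as ENSURE_BITS, but every refill failure terminates it. */
static int ensure_bits(struct bitstream *s, int nbits) {
    while (s->bits_left < nbits) {
        if (s->i_ptr >= s->i_end && read_input(s)) return -1;
        s->bit_buffer |= (unsigned)*s->i_ptr++ << s->bits_left;
        s->bits_left += 8;
    }
    return 0;
}

/* READ_BITS equivalent: PEEK then REMOVE, propagating the refill error. */
static int read_bits(struct bitstream *s, int nbits, unsigned *val) {
    if (ensure_bits(s, nbits)) return -1;
    *val = s->bit_buffer & ((1u << nbits) - 1);
    s->bit_buffer >>= nbits; s->bits_left -= nbits;
    return 0;
}

/* The 'C','K' signature scan from mszipd_decompress(): returns bytes consumed
 * up to and including 'K', or -1 when the input ends first instead of spinning. */
int find_ck_signature(const unsigned char *data, size_t len) {
    struct bitstream s = { data, len, 0 }; s.i_ptr = s.i_end = s.inbuf;
    int state = 0, consumed = 0; unsigned i;
    do {
        if (read_bits(&s, 8, &i)) return -1;
        consumed++;
        if (i == 'C') state = 1;
        else if (state == 1 && i == 'K') state = 2;
        else state = 0;
    } while (state != 2);
    return consumed;
}
```

Feeding find_ck_signature() a truncated buffer that never contains "CK" returns -1 after a bounded number of reads, which is the behaviour the vulnerable macro lacked.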
CVE Information:
CAN-2005-1922
CAN-2005-1923
Disclosure Timeline:
06/07/2005 - Initial vendor notification
06/08/2005 - Initial vendor response
06/29/2005 - Public disclosure