Linux.com weekly security advisory – April 14, 2006


Author: Kelley Greenman

This week, Debian, Gentoo, Mandriva, Red Hat, SUSE, and Ubuntu released updates to address security problems with the following packages: ClamAV, Xpdf, OpenVPN, libphp-adodb, Moodle, MPlayer, sash, Cacti, CMFPlone, Xscreensaver, and several others. Neither FreeBSD nor Fedora released security updates.

Gentoo, Mandriva, and SUSE issued updates this week to fix vulnerabilities that were discovered in Clam AntiVirus (ClamAV), an anti-virus toolkit for Unix and Linux systems. The software is typically used on mail servers to scan attachments. Several vulnerabilities were discovered in ClamAV in all versions prior to 0.88.1. The ClamAV development team addressed the problem in the latest release, issuing a fix included in version 0.88.1.

The first vulnerability was discovered by Damian Put. According to Put’s original report, released on April 4, 2006, there is an integer overflow in the PE header parser, specifically in the cli_scanpe() function in libclamav/pe.c, which is used to read Win32 executables. The integer overflow leads to a heap-based buffer overflow that could be exploited by an attacker to launch a Denial of Service attack or execute arbitrary code. According to Put’s report, the problem is located in the following lines of code:


libclamav/pe.c:
....
    /* dsize and nsections are taken from the PE header; the size
       expression is computed in 32-bit arithmetic and can wrap */
    if((dest = (char *) cli_calloc(dsize + 1024 + nsections * 40,
                                   sizeof(char))) == NULL) {
        free(section_hdr);
        free(src);
        return CL_EMEM;
    }
...

According to Put, the expression “dsize + 1024 + nsections * 40” that is passed to cli_calloc is not checked for integer overflow. A maliciously crafted UPX-packed file can set the values of the “dsize” and “nsections” variables so that the sum wraps around, and cli_calloc then allocates far less memory than the section needs. Normally, however, “dsize” cannot be larger than ArchiveMaxFileSize, so the bug only applies to configurations that have disabled the ArchiveMaxFileSize option. The problem does not affect default configurations of ClamAV.

To exploit the problem, an attacker can create a malicious UPX file. When the section is UPX-compressed, the undersized “dest” buffer is passed as the “dst” argument to the upx_inflate() functions. Their bounds checks compare the write position against *dsize, the decompressed size taken from the header, not against the smaller amount of memory that was actually allocated, so the copy loops below write past the end of the heap buffer:


libclamav/upx.c:

...
int upx_inflate2d(char *src, uint32_t ssize, char *dst, uint32_t *dsize,
                  uint32_t upx0, uint32_t upx1, uint32_t ep)
{
    int32_t backbytes, unp_offset = -1, myebx = 0;
    int scur=0, dcur=0, i, backsize, oob;

    while (1) {
        /* literal bytes: bounds are checked against *dsize, the
           header-supplied decompressed size, not the allocated size */
        while ( (oob = doubleebx(src, &myebx, &scur, ssize)) == 1) {
            if (scur<0 || scur>=ssize || dcur<0 || dcur>=*dsize)
                return -1;
            dst[dcur++] = src[scur++];
        }
        ...
        /* back-reference copy: same check against *dsize */
        backsize++;
        for (i = 0; i < backsize; i++) {
            if (dcur+i<0 || dcur+i>=*dsize || dcur+unp_offset+i<0 ||
                dcur+unp_offset+i>=*dsize)
                return -1;
            dst[dcur + i] = dst[dcur + unp_offset + i];
        }
        dcur+=backsize;
    }
....
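The wrap-around in the cli_calloc size expression and the resulting mismatch with the *dsize bound used by the inflate loops, shown as an added example that is not ClamAV’s code: naive_dest_size() reproduces the unchecked arithmetic, and checked_dest_size() is an overflow-aware replacement that also models the ArchiveMaxFileSize cap (the max_file_size parameter and the two header values are constructed for the example).

```c
#include <stdint.h>
#include <stdio.h>

/* The fixed slack ("+ 1024") and per-section bookkeeping ("nsections * 40")
   that the allocation in libclamav/pe.c reserves on top of dsize. */
#define FIXED_SLACK   1024u
#define SECTION_SLACK 40u

/* Same arithmetic as the vulnerable allocation: plain uint32_t operations
   that silently wrap when dsize or nsections are large. */
uint32_t naive_dest_size(uint32_t dsize, uint32_t nsections)
{
    return dsize + FIXED_SLACK + nsections * SECTION_SLACK;
}

/* Overflow-aware replacement. max_file_size models ArchiveMaxFileSize
   (0 = option disabled, the configuration the advisory says is affected).
   Returns the size to allocate, or -1 if any step would wrap or dsize
   exceeds the limit. A non-negative result is always >= dsize, so a
   buffer of this size is large enough for the *dsize bound in the loops. */
int64_t checked_dest_size(uint32_t dsize, uint32_t nsections,
                          uint32_t max_file_size)
{
    uint32_t sections_bytes, total;

    if (max_file_size != 0 && dsize > max_file_size)
        return -1;                         /* larger than the configured cap */
    if (nsections > UINT32_MAX / SECTION_SLACK)
        return -1;                         /* nsections * 40 would wrap */
    sections_bytes = nsections * SECTION_SLACK;
    if (dsize > UINT32_MAX - FIXED_SLACK)
        return -1;                         /* dsize + 1024 would wrap */
    total = dsize + FIXED_SLACK;
    if (total > UINT32_MAX - sections_bytes)
        return -1;                         /* final addition would wrap */
    return (int64_t)(total + sections_bytes);
}

int main(void)
{
    /* Constructed header values: dsize chosen so that dsize + 1024 wraps
       to exactly 0, which makes cli_calloc allocate almost nothing. */
    uint32_t dsize = 0xFFFFFC00u, nsections = 0;
    printf("naive size:   %u\n", naive_dest_size(dsize, nsections));
    printf("checked size: %lld\n", (long long)checked_dest_size(dsize, nsections, 0));
    return 0;
}
```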

The updates from Gentoo, Mandriva, and SUSE also address two other less critical problems. The ClamAV development team discovered the second vulnerability, a flaw which affects all versions prior to ClamAV 0.88.1. The problem is the result of several format string errors located in certain logging functions in “shared/output.c.” The failure to sanitize the arguments properly could be exploited by an attacker in order to execute arbitrary code.

A third problem was discovered by David Luyer. The cli_bitset_set function in libclamav/others.c yields an out-of-bounds memory access error. The condition could be exploited by an attacker to cause a Denial of Service by sending a maliciously crafted email attachment to an email server running ClamAV.

If you run ClamAV on Gentoo, Mandriva, or SUSE, you should be sure to update the packages as soon as possible. Other distributions should be releasing updates soon as well.


Vulnerabilities affecting several distributions

Package: clamav — format string vulnerabilities

CVE: CVE-2006-1614, CVE-2006-1615, CVE-2006-1630

Date Issued: April 7, 2006

ClamAV, an anti-virus toolkit for Unix-based machines, is subject to several format string vulnerabilities located in the logging code. The update also addressed two other problems that leave ClamAV vulnerable. The security holes could be exploited by an attacker to crash affected applications or execute arbitrary code:

  • Damian Put found an integer overflow bug located in the PE header parser, but an attacker can only exploit the vulnerability when the ArchiveMaxFileSize option is disabled.
  • David Luyer located an invalid memory access vulnerability. An attacker could cause a Denial of Service by sending a specially crafted email attachment to an email server running ClamAV.

Affected Distributions: Gentoo, Mandriva, SUSE


Vulnerabilities listed by distribution

Debian: libphp-adodb, moodle, cacti — several vulnerabilities
April 8, 2006

Several vulnerabilities have been discovered in the ‘adodb’ database abstraction layer for PHP, libphp-adodb. The problem also affects two popular packages that bundle it: Moodle, a distance learning course management system, and Cacti, an RRDTool user interface written in PHP/MySQL. Debian has issued an update to fix the following vulnerabilities:

  • A remote SQL injection vulnerability was discovered by Andreas Sandblad. When the MySQL root password is empty, an attacker could exploit the vulnerability in order to access or tamper with data, compromise the application, or leverage database vulnerabilities to escalate privileges.
  • A dynamic code evaluation vulnerability could be exploited by an attacker in order to execute arbitrary SQL commands via the ‘do’ parameter.
  • An SQL injection vulnerability, discovered by Andy Staudacher, is due to insufficient input sanitizing. The problem could allow an attacker to launch arbitrary SQL commands.
  • The GulfTech Security Research security team located several cross-site scripting (XSS) vulnerabilities. The vulnerabilities could be exploited by an attacker to launch arbitrary scripts in a targeted user’s Web browser.

Debian: zope-cmfplone — vulnerability
April 12, 2006

According to Debian’s security advisory Plone is subject to security exploits because it “lacks security declarations for three internal classes.” Debian has issued an update to fix the problem in the stable distribution (sarge), version 2.0.4-3sarge1.


Debian: horde3 — several vulnerabilities

April 12, 2006

Horde, a Web application framework, contains several vulnerabilities. An attacker could exploit the problems in order to launch arbitrary Web script code. Debian has issued an update that fixes the problem for the stable distribution (sarge), version 3.0.4-4sarge3. The update fixes the following problems:

  • Several cross-site scripting (XSS) vulnerabilities affect the “share edit window.” An attacker could exploit the security holes in order to inject arbitrary Web script or HTML code.
  • A vulnerability via a null character in the URL parameter in services/go.php could be exploited by a remote attacker to read arbitrary files and gain access to sensitive information.
  • An eval() injection vulnerability could allow a remote attacker to execute arbitrary code by exploiting the weakness in the help viewer.

Mandriva: mplayer — integer overflow vulnerabilities
April 7, 2006

There are several integer overflow vulnerabilities in MPlayer 1.0pre7try2. The security holes could allow a remote attacker to trigger heap-based buffer overflows or Denial of Service attacks. The problems are located in the way asfheader.c handles particular ASF files, as well as the way aviheader.c handles specially crafted AVI files.


Mandriva: openvpn — vulnerability
April 10, 2006

Mandriva issued an update to fix a vulnerability in OpenVPN, versions 2.0 through 2.0.5. OpenVPN incorrectly handles the “setenv” configuration directive and the “LD_PRELOAD” environment variable. Attackers could exploit the problem by loading a specially crafted file on the system to execute arbitrary commands on the compromised client.


Mandriva: sash — vulnerabilities
April 10, 2006

Two vulnerabilities in zlib affect sash, a stand-alone shell for system recovery. A vulnerability in zlib, discovered by Thomas Ormandy, could allow an attacker to corrupt zlib’s data structures, a condition that could cause the linked application to dump core. According to Markus Oberhumer, an attacker could exploit the second problem by sending a maliciously crafted compressed stream, which triggers an overflow; consequently, the linked application may crash when a user opens the stream. While both problems have been fixed in zlib itself, Mandriva issued an update for sash because it links statically against zlib.


Red Hat: openmotif — vulnerability
April 13, 2006

The popular open source authentication server, FreeRADIUS, contains a validation issue in the EAP-MSCHAPv2 module. The problem could allow an attacker to override authentication controls or launch a Denial of Service attack because there is insufficient input validation when running the EAP-MSCHAPv2 state machine module.


Ubuntu: xscreensaver — vulnerability
April 11, 2006

There is a vulnerability in Xscreensaver, a modular screensaver and locker for the X Window System. The problem could expose user passwords. Ubuntu’s advisory asks users to upgrade affected packages to version 4.16-1ubuntu3.1 (for Ubuntu 4.10) or 4.16-1ubuntu11.1 (for Ubuntu 5.04).


Ubuntu: xpdf — integer overflow vulnerabilities

April 13, 2006

Several integer overflow vulnerabilities in Xpdf code were discovered by Derek Noonburg. The problem affects Xpdf, the Poppler library, and tetex-bin. The vulnerability could be exploited when an attacker tricks a user into opening a malicious PDF file to execute arbitrary code with the permissions of the application that processes the document. Additionally, since the CUPS printing system draws on Xpdf when converting a PDF file to PostScript, an attacker could exploit the vulnerability by tricking a user into printing a maliciously crafted document in order to execute arbitrary code and gain the privileges assigned to the printer server.
