Clam AV Win32-FSG File Handling DoS Vulnerability
09.19.05BACKGROUND
Clam Antivirus is a GPL anti-virus toolkit for Unix. It is used in
several anti-virus gateways and available for free on multiple platforms
(Unix, Windows, MacOS X, BeOS, etc.).
More information about Clam AntiVirus is available from:
DESCRIPTION
Remote exploitation of a file handling vulnerability in Clam AntiVirus
ClamAV allows attackers to cause a denial of service (DoS) condition.
Fast Small Good (FSG) is a compressor for small Win32 EXE files. Remote
exploitation of an unexpected condition in the decompression of FSG
(v1.33) files allow attackers to cause a denial of service condition.
The vulnerability specifically exists in the unfsg_133() [fsg.c]
function when trying to sort the sections. The sort algorithm does not
expect two sections to have the same Relative Virtual Address (RVA),
leading to an infinite loop (permanently swapping the two sections). The
following code excerpt illustrates this issue:
int upd = 1;
[...]
while (upd) {
upd = 0;
for (i = 0; i < sectcount ; i++) {
if ( sections[i].rva < sections[i+1].rva )
continue; [...swap 'i' and 'i+1' section...]
upd = 1;
}
}
ANALYSIS
Successful exploitation requires an attacker to send a specially
constructed FSG file through a mail gateway or personal anti-virus
client utilizing the ClamAV scanning engine.
The infinite loop will cause the ClamAV software to use all available
processor resources, resulting in a denial of service or severe
degradation to system performance.
Remote exploitation can be achieved by sending a malicious file in an
e-mail message or during an HTTP session.
DETECTION
This issue was tested to work with ClamAV 0.86. The vulnerable code
was added in Clam AntiVirus 0.80. All versions between .80 and .86
are believed vulnerable
WORKAROUND
The following patch can be applied to fix the vulnerability:
diff -ruN clamav-0.86.1/libclamav/fsg.c
clamav-0.86.1-fsg-fix/libclamav/fsg.c
--- clamav-0.86.1/libclamav/fsg.c Thu Jun 23 22:03:12 2005
+++ clamav-0.86.1-fsg-fix/libclamav/fsg.c Tue Jul 12 09:40:18 2005
@@ -235,7 +235,7 @@
for (i = 0; i < sectcount ; i++) {
uint32_t trva,trsz,traw;
- if ( sections[i].rva < sections[i+1].rva )
+ if ( sections[i].rva <= sections[i+1].rva )
continue;
trva = sections[i].rva;
traw = sections[i].raw;
Windows PE EXE files analysis can be disabled (--no-pe) but this can have
severe impacts on the virus detection functionality.
VENDOR RESPONSE
ClamAV has released version 0.87 to correct this issue.
http://sourceforge.net/project/showfiles.php?group_id=86638
CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2919 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
DISCLOSURE TIMELINE
09/08/2005 Initial vendor notification
09/19/2005 Initial vendor response
09/19/2005 Public disclosure
CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
Free tools, research and upcoming events
http://labs.idefense.com
LEGAL NOTICES
Copyright © 2005 Verisign, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.