lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200707111832.53929.noamr@beyondsecurity.com>
Date: Wed, 11 Jul 2007 18:32:53 +0300
From: Noam Rathaus <noamr@...ondsecurity.com>
To: contact@...aeye.org
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: Advisory - Clam AntiVirus RAR File Handling
	Denial Of Service Vulnerability.

Hi,

The vulnerability also affects unrar (3.70 beta 3 freeware by Alexander 
Roshal), as it tries to read a negative location from a pointer reference in 
the SET_VALUE(false,Data,Addr-Offset) function (found in rarvm.cpp).

The values of Addr is 1666528 while Offset is 4546004 which of course results 
in -2879476 being accessed, or "even better" the value of 4292087820 as it is 
casted to an unsigned value without checking.

On Wednesday 11 July 2007 18:13:03 Metaeye SG wrote:
> Vendor
> ------
> Clam Antivirus (http://www.clamav.net)
>
> Product
> -------
> Clamav (libclamav)
>
> Versions Affected
> -----------------
> All before 0.91
>
> Severity
> --------
> Moderate
>
> Issue
> -----
> Clamav crashes due to processing of standard filters in RAR VM, while
> processing a corrupted RAR file. Processing the corrupted file results in a
> null pointer deference.
>
> Impact
> ------
> Processing the corrupted file will result in crashing of clamscan
> application and clamd daemon.
>
> Fix
> ---
> Upgrade to version 0.91.
>
> PoC
> ---
> http://www.metaeye.org/codes/corrupted.rar
>
> Vendor Status
> -------------
> Reported: 25/06/2007
> Fixed:    11/07/2007
>
>
> References
> ----------
> https://wwws.clamav.net/bugzilla/show_bug.cgi?id=555
> http://www.metaeye.org/advisories/54
>
>
>
> Metaeye SG // http://www.metaeye.org



-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr@...ondsecurity.com
  http://www.beyondsecurity.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ