Vigil@nce - ClamAV: denial of service via cli_hm_scan
August 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send an email containing a malicious attachment,
in order to generate an error in the cli_hm_scan() function, which
stops ClamAV.
Severity: 2/4
Creation date: 26/07/2011
IMPACTED PRODUCTS
– Clam AntiVirus
DESCRIPTION OF THE VULNERABILITY
The libclamav/matcher-hash.c file manages virus signature hashes,
using the MD5, SHA1 and SHA256 algorithms.
An email can contain a PDF attachment containing a malicious
object. When ClamAV analyzes this object, it calls the
cli_scanraw() function, which calls the cli_hm_scan() function in
the libclamav/matcher-hash.c file to check whether its signature
is known. However, the function reads the memory located after the
last hash, which causes a segmentation fault (especially on
Solaris).
An attacker can therefore send an email containing a malicious
attachment, in order to generate an error in the cli_hm_scan()
function, which stops ClamAV.
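An added illustration of the bug class described above (not ClamAV's code and not taken from the bulletin): a lookup over a sorted table of fixed-width digests that never reads the slot after the last hash. The struct layout, the function names hash_lookup() and demo_lookup(), and the sample digests are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define DIGEST_LEN 16 /* MD5 width; SHA1 is 20 bytes, SHA256 is 32 */

/* Hypothetical layout (not ClamAV's): `items` sorted digests of DIGEST_LEN bytes. */
struct hash_table {
    const unsigned char *digests;
    size_t items;
};

/* Returns 1 if key is present, 0 otherwise. Searches the half-open range
 * [lo, hi) with hi <= items, so mid < items always holds and the slot one
 * past the last hash is never read. Closed-range variants go wrong when hi
 * starts at items, or at items - 1 while items == 0 (size_t wraps). */
int hash_lookup(const struct hash_table *t, const unsigned char *key)
{
    if (t == NULL || key == NULL || t->digests == NULL)
        return 0;
    size_t lo = 0, hi = t->items; /* an empty table skips the loop */
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int cmp = memcmp(key, t->digests + mid * DIGEST_LEN, DIGEST_LEN);
        if (cmp == 0) return 1;
        if (cmp < 0)
            hi = mid;
        else
            lo = mid + 1;
    }
    return 0;
}

/* Constructed sample data: three sorted digests, only the first byte set. */
static const unsigned char SAMPLE[3 * DIGEST_LEN] = {
    [0] = 0x10, [DIGEST_LEN] = 0x20, [2 * DIGEST_LEN] = 0x30
};

/* Looks up a key with first byte `first` in the first `items` sample entries. */
int demo_lookup(unsigned char first, size_t items)
{
    unsigned char key[DIGEST_LEN] = {0};
    struct hash_table t = { SAMPLE, items };
    key[0] = first;
    return hash_lookup(&t, key);
}

int main(void)
{
    printf("%d %d\n", demo_lookup(0x20, 3), demo_lookup(0x30, 2));
    return 0;
}
```

With the table limited to two entries, the 0x30 digest sits exactly one slot past the last hash, so a lookup that over-reads would report a match there; the bounded version reports none.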
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ClamAV-denial-of-service-via-cli-hm-scan-10870