Vigil@nce: ClamAV, bypassing via RAR
April 2009 by Vigil@nce
An attacker can create a RAR archive containing a virus which is
not detected by ClamAV.
– Severity: 2/4
– Consequences: data flow
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/04/2009
IMPACTED PRODUCTS
– Clam AntiVirus
DESCRIPTION OF THE VULNERABILITY
The ClamAV antivirus supports archives in RAR format.
A RAR archive indicates the size which will be needed to store its
content ("uncompressed size").
However, if this declared size is large enough, ClamAV does not
analyze the content of the archive. Any viruses it contains
therefore go undetected.
An attacker can therefore create a RAR archive containing a virus
which is not detected by ClamAV.
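A defensive check for the condition described above, as an added example that is not part of the original advisory or of ClamAV's code: it reads the declared uncompressed size from each RAR 4.x file header and reports the archive as unscanned, never as clean, when a declared size exceeds a policy limit. The function names, the 100 MiB limit and the sample headers are assumptions constructed for illustration.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
FILE_HEAD, LHD_LARGE, LONG_BLOCK = 0x74, 0x0100, 0x8000
MAX_DECLARED = 100 * 1024 * 1024  # assumed policy limit, not ClamAV's value

def declared_sizes(data):
    """Return [(name, declared unpacked size)] per RAR4 file header (CRCs unchecked)."""
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR4 archive")
    out, pos = [], len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or pos + hsize > len(data):
            raise ValueError("corrupt block header")
        add_size = 0
        if htype == FILE_HEAD:
            pack, unp = struct.unpack_from("<II", data, pos + 7)
            (name_len,) = struct.unpack_from("<H", data, pos + 26)
            name_off = pos + 32
            if flags & LHD_LARGE:  # 64-bit sizes: high halves follow ATTR
                hi_pack, hi_unp = struct.unpack_from("<II", data, name_off)
                pack, unp = pack | hi_pack << 32, unp | hi_unp << 32
                name_off += 8
            out.append((data[name_off:name_off + name_len].decode("latin-1"), unp))
            add_size = pack  # packed data follows the header
        elif flags & LONG_BLOCK:
            (add_size,) = struct.unpack_from("<I", data, pos + 7)
        pos += hsize + add_size
    return out

def verdict(data, limit=MAX_DECLARED):
    """Fail closed: oversized or unparsable archives are UNSCANNED, never clean."""
    try:
        big = [(n, s) for n, s in declared_sizes(data) if s > limit]
    except (ValueError, struct.error):
        return "UNSCANNED", []
    return ("UNSCANNED" if big else "SCAN"), big

def _file_header(name, unp_size):  # constructed sample: header only, no data
    n = name.encode()
    body = struct.pack("<IIBIIBBHI", 0, unp_size, 0, 0, 0, 29, 0x30, len(n), 0x20)
    return struct.pack("<HBHH", 0, FILE_HEAD, LONG_BLOCK, 32 + len(n)) + body + n

_MAIN = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)  # archive header block
SAMPLE_OK = RAR4_MAGIC + _MAIN + _file_header("readme.txt", 1200)
SAMPLE_BIG = RAR4_MAGIC + _MAIN + _file_header("report.doc", 0xC0000000)

if __name__ == "__main__":
    print(verdict(SAMPLE_OK), verdict(SAMPLE_BIG))
```

A mail or file gateway can use the "UNSCANNED" verdict to quarantine or block the archive instead of passing it on as if it had been inspected.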
CHARACTERISTICS
– Identifiers: BID-34344, CVE-2009-1241, TZO-05-2009,
VIGILANCE-VUL-8595
– Url: http://vigilance.fr/vulnerability/ClamAV-bypassing-via-RAR-8595