Vigil@nce: ClamAV, double free via VBA
February 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can craft malformed VBA code and send it to a computer
running ClamAV, in order to trigger a double free of the same memory
area, leading to a denial of service and possibly to code execution.
– Severity: 2/4
– Creation date: 08/02/2011
IMPACTED PRODUCTS
– Clam AntiVirus
DESCRIPTION OF THE VULNERABILITY
Clam AntiVirus analyzes VBA (Visual Basic for Applications) macros
embedded in Microsoft Office documents.
The vba_read_project_strings() function of the
libclamav/vba_extract.c file detects the byte order (big endian or
little endian) of the VBA data. To do so, it reads two bytes. However,
if the file is truncated after the first byte, the second byte cannot
be read, so the function exits prematurely and the memory area holding
the data is freed twice.
An attacker can therefore craft malformed VBA code and send it to a
computer running ClamAV, in order to trigger a double free of the same
memory area, leading to a denial of service and possibly to code
execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ClamAV-double-free-via-VBA-10335