ClamAV get_unicode_name() Off-By-One Buffer Overflow

Summary

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core of the package is an anti-virus engine available in the form of a shared library.

ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the 'clamd' process by sending an email with a prepared attachment.

Credit:

The information has been provided by Moritz Jodeit.


Details

Vulnerable Systems:
 * ClamAV version 0.94

Immune Systems:
 * ClamAV version 0.94.1

The vulnerability occurs inside the get_unicode_name() function in libclamav/vba_extract.c when a specific 'name' buffer is passed to it.

        101 static char *
        102 get_unicode_name(const char *name, int size, int big_endian)
        103 {
        104         int i, increment;
        105         char *newname, *ret;
        106
        107         if((name == NULL) || (*name == '\0') || (size <= 0))
        108                 return NULL;
        109
        110         newname = (char *)cli_malloc(size * 7);

First, the 'size' of the 'name' buffer multiplied by 7 is used to allocate the destination buffer 'newname'. When the 'name' buffer consists only of characters matching specific criteria [1] and 'big_endian' is set, the following loop writes exactly 7 characters into the allocated destination buffer 'newname' per character found in the source buffer 'name'.

This fills the destination buffer completely. After the loop, in line 143, the terminating NUL byte is written one position past the end of the allocation and overflows the buffer on the heap.

        143         *ret = '\0';
        144
        145         /* Saves a lot of memory */
        146         ret = cli_realloc(newname, (ret - newname) + 1);
        147         return ret ? ret : newname;
        148 }

[1] Every character matching the following condition results in 7 characters written to the destination buffer:
                (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0)
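The sizing arithmetic behind the off-by-one, as an added illustration that is not part of the advisory or of ClamAV's code: it applies the condition from footnote [1] to a constructed name, counts the bytes the loop would emit plus the terminating NUL, and compares that against the 0.94 allocation (size * 7) and a hardened one (size * 7 + 1). The names needed_bytes, alloc_vulnerable, alloc_fixed and overruns are invented here, and the model assumes a non-matching character is copied as a single byte (the advisory does not say).

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Footnote [1] of the advisory: a source character meeting this condition
 * is expanded to 7 output characters. `c` carries the byte as a signed
 * char value, which is why the `c < 0` clause is reachable. */
static int expands_to_seven(int c)
{
    return (c & 0x80 || !isprint(c)) && (c >= 10 || c < 0);
}

/* Output bytes the loop produces for `name`, plus the terminating NUL.
 * Assumption (not stated in the advisory): a non-matching character is
 * copied as one byte. */
size_t needed_bytes(const unsigned char *name, int size)
{
    size_t total = 0;
    for (int i = 0; i < size; i++)
        total += expands_to_seven((signed char)name[i]) ? 7 : 1;
    return total + 1; /* the `*ret = '\0'` written after the loop */
}

/* Allocation in ClamAV 0.94: size * 7, no room for the NUL in the worst case. */
size_t alloc_vulnerable(int size) { return (size_t)size * 7; }

/* Hardened sizing: one extra byte so the worst-case NUL always fits. */
size_t alloc_fixed(int size) { return (size_t)size * 7 + 1; }

/* 1 if writing `name` into a buffer of `alloc` bytes would overrun it. */
int overruns(const unsigned char *name, int size, size_t alloc)
{
    return needed_bytes(name, size) > alloc;
}

int main(void)
{
    /* Constructed worst-case input: three bytes with the high bit set. */
    const unsigned char worst[] = { 0x80, 0x80, 0x80 };
    /* Constructed benign input: printable ASCII never expands. */
    const unsigned char benign[] = { 'V', 'B', 'A' };
    int n = 3;
    printf("worst: needs %zu, 0.94 allocates %zu, overrun=%d\n",
           needed_bytes(worst, n), alloc_vulnerable(n),
           overruns(worst, n, alloc_vulnerable(n)));
    printf("worst with +1: overrun=%d\n", overruns(worst, n, alloc_fixed(n)));
    printf("benign: needs %zu, overrun=%d\n", needed_bytes(benign, n),
           overruns(benign, n, alloc_vulnerable(n)));
    return 0;
}
```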

A VBA project file embedded inside an OLE2 office document sent as an attachment can trigger the off-by-one.

Vendor response:
2008/10/16 - Initial report to vendor
2008/10/16 - Vulnerability acknowledged by acab@clamav.net
2008/11/03 - Release of version 0.94.1
