Bugtraq mailing list archives

ClamAV Multiple Rem0te Buffer Overflows
From: list () rem0te com
Date: Mon, 25 Jul 2005 13:29:28 +0000

July 25, 2005

ClamAV is the most widely used GPL antivirus library today. It provides file format support for virus analysis. During 
analysis ClamAV Antivirus Library is vulnerable to buffer overflows allowing attackers complete control of the system. 
These vulnerabilities can be exploited remotely without user interaction or authentication through common protocols 
such as SMTP, SMB, HTTP, FTP, etc.

Specifically, ClamAV is responsible for parsing multiple file formats, and at least 4 of its file format processors contain
remote security bugs. During the processing of the TNEF, CHM, and FSG formats an attacker is able to trigger
several integer overflows that allow attackers to overwrite heap data and obtain complete control of the system. These
vulnerabilities can be reached in the default configuration and triggered without user interaction by sending an e-mail containing
crafted data.
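The defect class the advisory describes (a length computed from attacker-controlled fields wraps in 32-bit arithmetic, so a heap buffer is allocated too small and a later copy overruns it) is illustrated below with a constructed toy record format. This is an added example written for this page; it is not ClamAV's TNEF, CHM or FSG code, and the record layout, the field names and the sample bytes are all assumptions made for the illustration. It shows the naive size computation beside a checked one that rejects the wrapped sum and also verifies that the declared lengths are actually present in the input.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy record (not a real ClamAV format):
 *   [u32 LE header_len][u32 LE payload_len][header bytes][payload bytes] */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive total: the 32-bit addition wraps modulo 2^32, so two large fields
 * can produce a tiny allocation size while the copy still uses the large
 * individual lengths. This is the pattern behind a heap overwrite. */
uint32_t naive_total_len(uint32_t header_len, uint32_t payload_len) {
    return header_len + payload_len;
}

/* Checked total: refuse any sum that does not fit in 32 bits. */
bool checked_total_len(uint32_t header_len, uint32_t payload_len, uint32_t *out) {
    if (payload_len > UINT32_MAX - header_len)
        return false;
    *out = header_len + payload_len;
    return true;
}

/* Hardened parser: returns 1 and a malloc'd copy of header+payload on success,
 * 0 if the record is truncated, wraps, or declares more data than is present. */
int parse_record(const uint8_t *buf, size_t buf_len, uint8_t **out, uint32_t *out_len) {
    if (buf_len < 8)
        return 0;
    uint32_t header_len = le32(buf);
    uint32_t payload_len = le32(buf + 4);
    uint32_t total;
    if (!checked_total_len(header_len, payload_len, &total))
        return 0;                         /* would have wrapped */
    if ((size_t)total > buf_len - 8)
        return 0;                         /* declared lengths exceed the input */
    uint8_t *copy = malloc(total ? total : 1);
    if (!copy)
        return 0;
    memcpy(copy, buf + 8, total);
    *out = copy;
    *out_len = total;
    return 1;
}

/* Constructed hostile header: header_len = 0xFFFFFFF0, payload_len = 0x20.
 * naive_total_len() yields 0x10; the hardened parser rejects it.
 * Returns 1 when the record is rejected. */
int demo_wrapped_lengths_rejected(void) {
    const uint8_t rec[8] = { 0xF0, 0xFF, 0xFF, 0xFF, 0x20, 0x00, 0x00, 0x00 };
    uint8_t *out = NULL;
    uint32_t out_len = 0;
    int ok = parse_record(rec, sizeof rec, &out, &out_len);
    free(out);
    return ok == 0;
}

/* Constructed benign record: 4-byte header, 6-byte payload.
 * Returns the copied length (10) on success, -1 on failure. */
int demo_valid_record_len(void) {
    const uint8_t rec[18] = { 4, 0, 0, 0, 6, 0, 0, 0,
                              'H', 'D', 'R', '1', 'p', 'a', 'y', 'l', 'o', 'd' };
    uint8_t *out = NULL;
    uint32_t out_len = 0;
    int ok = parse_record(rec, sizeof rec, &out, &out_len);
    int result = ok ? (int)out_len : -1;
    free(out);
    return result;
}

int main(void) {
    printf("naive total for 0xFFFFFFF0 + 0x20 = 0x%x (wrapped)\n",
           naive_total_len(0xFFFFFFF0u, 0x20u));
    printf("hostile record rejected: %d\n", demo_wrapped_lengths_rejected());
    printf("benign record copied length: %d\n", demo_valid_record_len());
    return 0;
}
```

The second check in parse_record matters as much as the overflow check: even when the sum does not wrap, a declared length larger than the data actually received would read past the input, so a parser of attacker-supplied formats validates both the arithmetic and the availability of the bytes before allocating or copying.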

Successful exploitation of ClamAV protected systems allows attackers unauthorized control of data and related 
privileges. It also provides leverage for further network compromise. ClamAV implementations are likely vulnerable in 
their default configuration.

Affected Products
ClamAV – 0.86.1 (current) and prior

There are numerous implementations of ClamAV listed on their site which are likely vulnerable. One party of note is
Apple. Apple includes ClamAV by default in Mac OS X Server. In addition, ClamAV has been ported to Windows and a
variety of other platforms by third parties whose implementations are also likely vulnerable. Refer to vendor for

These vulnerabilities were discovered and researched by Neel Mehta & Alex Wheeler.

security () rem0te com

