Bug 11940 - Heap overflow in rfc2047(mbox.c)
Status: RESOLVED FIXED
Product: ClamAV
Classification: ClamAV
Component: All
Hardware: ALL / x86_64 GNU/Linux
Importance: P1 security
Target Milestone: 0.99.3
Assigned To: Mickey Sola
Reported: 2017-10-26 18:45 EDT by Suleman Ali
Modified: 2018-03-11 18:15 EDT (History)
Description Suleman Ali 2017-10-26 18:45:33 EDT
Created attachment 7305: poc, pass is virus

There is a read out of bounds in `mbox.c:3134` inside the function `rfc2047`:
```c
3136                 b = messageToBlob(m, 1);
3137                 len = blobGetDataSize(b);
3138                 cli_dbgmsg("Decoded as '%*.*s'\n", (int)len, (int)len,
3139                         (const char *)blobGetData(b));
3140                 memcpy(pout, blobGetData(b), len);
3141                 blobDestroy(b);
3142                 messageDestroy(m);
3143                 if(pout[len - 1] == '\n')
3144                         pout += len - 1;
3145                 else
3146                         pout += len;
```

The backtrace is as follows:
```
    #0 0x81a02ae in rfc2047 /tmp/clamav-devel/libclamav/mbox.c:3147:6
    #1 0x81a02ae in parseEmailHeader /tmp/clamav-devel/libclamav/mbox.c:1057
    #2 0x819af54 in parseEmailBody /tmp/clamav-devel/libclamav/mbox.c:1779:7
    #3 0x8194e47 in cli_parse_mbox /tmp/clamav-devel/libclamav/mbox.c:555:11
    #4 0x8194e47 in cli_mbox /tmp/clamav-devel/libclamav/mbox.c:353
    #5 0x8182f73 in cli_scanmail /tmp/clamav-devel/libclamav/scanners.c:2010:16
    #6 0x816e5d2 in magic_scandesc /tmp/clamav-devel/libclamav/scanners.c:3291:19
    #7 0x8167904 in cli_base_scandesc /tmp/clamav-devel/libclamav/scanners.c:3616:11
    #8 0x8176391 in cli_magic_scandesc /tmp/clamav-devel/libclamav/scanners.c:3625:12
    #9 0x8176391 in scan_common /tmp/clamav-devel/libclamav/scanners.c:3891
    #10 0x8177162 in cl_scandesc_callback /tmp/clamav-devel/libclamav/scanners.c:4032:12
    #11 0x8177162 in cl_scanfile_callback /tmp/clamav-devel/libclamav/scanners.c:4099
    #12 0x8177162 in cl_scanfile /tmp/clamav-devel/libclamav/scanners.c:4082
```

When parsing the PoC, the variable `len` gets the value `0`, and the operation `pout[len - 1]` reads one byte before the start of the allocated buffer `pout`.

`len` is 0 because the PoC has an rfc2047-encoded string without any content:
```
=? ?b? ?=
```

The PoC is:
```
From: Francisco Oca <foca@salesforce.com> 
Content-Type: multipart/form-data; boundary="test"

--test
=? ?b? ?=
--test--
```

This bug does not crash ClamAV, but it can be detected via memory sanitizers (compiling with ASAN).

A possible solution is to validate `len`:
```c
3143                 if(len > 0 && pout[len - 1] == '\n')
3144                         pout += len - 1;
3145                 else
3146                         pout += len;
```
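An added illustration of the append step the report describes, written for this page and not taken from ClamAV or the reporter: the decoded words are constructed sample input (in ClamAV they come from `blobGetData()` after decoding), `unpatched_read_index` computes the index the original `pout[len - 1]` would touch, and `append_decoded_word` applies the suggested `len > 0` guard.

```c
#include <stdio.h>
#include <string.h>

/* Index the unpatched `pout[len - 1]` reads, relative to the buffer start.
 * Cursor 0 with an empty decoded word (the PoC's case) gives -1, one byte
 * before the heap allocation; after an earlier word it is in bounds but
 * names that word's last byte, so the test is wrong either way. */
long unpatched_read_index(size_t cursor, size_t len)
{
    return (long)(cursor + len) - 1;
}

/* Patched append step: copy the decoded word and return how far the cursor
 * advances (len - 1 drops a trailing newline, as mbox.c does). */
size_t append_decoded_word(char *out, size_t cursor, const char *word, size_t len)
{
    memcpy(out + cursor, word, len);
    if (len > 0 && out[cursor + len - 1] == '\n')
        return len - 1;
    return len;
}

/* Decode-loop model: append every word, NUL-terminate, return final length.
 * An empty entry is what "=? ?b? ?=" decodes to. */
size_t join_decoded_words(char *out, size_t outsz, const char **words, size_t n)
{
    size_t cursor = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(words[i]);
        if (cursor + len >= outsz)      /* keep room for the terminator */
            break;
        cursor += append_decoded_word(out, cursor, words[i], len);
    }
    out[cursor] = '\0';
    return cursor;
}

/* Constructed sample input: newline-terminated word, empty word, plain word. */
static const char *SAMPLE_WORDS[] = { "Subject\n", "", "line" };

int sample_join_matches(const char *expected)   /* 1 if the sample joins to expected */
{
    char out[64];
    join_decoded_words(out, sizeof out, SAMPLE_WORDS, 3);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    printf("sample joins to 'Subjectline': %d\n", sample_join_matches("Subjectline"));
    printf("unpatched read index for the PoC's empty word: %ld\n", unpatched_read_index(0, 0));
    return 0;
}
```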
Comment 1 Suleman Ali 2017-10-26 18:58:43 EDT
This vulnerability has been found by Offensive Research at Salesforce.com:
Alberto Garcia (@algillera), Francisco Oca (@francisco_oca) & Suleman Ali (@Salbei_)
Comment 2 Joel Esler 2017-10-27 09:51:35 EDT
Thank you very much for reporting these issues.  If possible, we'd like to gather some initial first details from you on these.  

First, can you tell us what version of ClamAV you are reporting against?  I notice that you have our git repository name in the reports; is this a fresh checkout of git?
Comment 3 Suleman Ali 2017-10-27 16:09:04 EDT
This is for the latest version, and yes we did do fresh checkouts from the git. This applies to all the bugs.
Comment 4 Mickey Sola 2017-10-27 17:31:54 EDT
Cool cool. Looked over the code in context and went ahead and applied the suggested fix.

https://github.com/vrtadmin/clamav-devel/commit/d1100be31a567718ce7c7dd6e6c632eddab55209

Thanks for the hard work here, guys.