Heap-based buffer overflow in the pefromupx function in libclamav/upx.c in Clam AntiVirus (ClamAV) 0.81 through 0.88.3 allows remote attackers to execute arbitrary code via a crafted UPX packed file containing sections with large rsize values.

Damian Put discovered a boundary error in the UPX extraction module in ClamAV which is used to unpack PE Windows executables. This could be abused to cause a Denial of Service issue and potentially allow for the execution of arbitrary code with the permissions of the user running clamscan or clamd.

Updated packages have been patched to correct this issue.

Damian Put discovered a heap overflow vulnerability in the UPX unpacker of the ClamAV anti-virus toolkit which could allow remote attackers to execute arbitrary code or cause denial of service.

The remote host is affected by the vulnerability described in GLSA-200608-13 (ClamAV: Heap buffer overflow)

    Damian Put has discovered a boundary error in the pefromupx() function     used by the UPX extraction module, which unpacks PE Windows executable     files. Both the 'clamscan' command-line utility and the 'clamd' daemon     are affected.
  Impact :

    By sending a malicious attachment to a mail server running ClamAV, a     remote attacker can cause a Denial of Service and potentially the     execution of arbitrary code with the permissions of the user running     ClamAV.
  Workaround :

    There is no known workaround at this time.

Clamav team reports :

A heap overflow vulnerability was discovered in libclamav which could cause a denial of service or allow the execution of arbitrary code.

The problem is specifically located in the PE file rebuild function used by the UPX unpacker.

Relevant code from libclamav/upx.c :

memcpy(dst, newbuf, foffset); *dsize = foffset; free(newbuf);

cli_dbgmsg('UPX: PE structure rebuilt from compressed file\n'); return 1;

Due to improper validation it is possible to overflow the above memcpy() beyond the allocated memory block.

The remote host is running ClamAV, an antivirus application.  There is a remote content-parsing flaw in this version of ClamAV that could lead to a heap overflow by sending a malformed file compressed with UPX.  Successful exploitation would result in the attacker executing arbitrary code. 

ID	Name	Product	Family	Severity
23887	Mandrake Linux Security Advisory : clamav (MDKSA-2006:138)	Nessus	Mandriva Local Security Checks	high
22695	Debian DSA-1153-1 : clamav - buffer overflow	Nessus	Debian Local Security Checks	high
22199	GLSA-200608-13 : ClamAV: Heap buffer overflow	Nessus	Gentoo Local Security Checks	high
22198	FreeBSD : clamav -- heap overflow vulnerability (342d2e48-26db-11db-9275-000475abc56f)	Nessus	FreeBSD Local Security Checks	high
3701	ClamAV < 0.88.4 UPX rsize Content-Parsing Overflow (deprecated)	Nessus Network Monitor	Web Clients	medium

Detections

Analytics

CVE-2006-4018

critical

Tenable Plugins

high

high

high

high

medium