TippingPoint Zero Day Initiative

Clam AntiVirus UPX Unpacking Code Execution Vulnerability

ZDI-06-001: January 12th, 2006

CVE ID

CVE-2006-0162

Affected Vendors

Clam AntiVirus

Affected Products

Clam AntiVirus

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable Clam AntiVirus installations. Authentication is not required to exploit this vulnerability.

This specific flaw exists within libclamav/upx.c during the unpacking of executable files compressed with UPX. Due to an invalid size calculation during a data copy from the user-controlled file to heap allocated memory, an exploitable memory corruption condition is created.

Vendor Response

Clam AntiVirus states:

Addressed in Clam AntiVirus version 0.88:

http://sf.net/project/shownotes.php?release_id=384086&group_id=86638

Disclosure Timeline

2005-12-13 - Vulnerability reported to vendor
2006-01-12 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Anonymous

Published Advisories

ZDI-08-047: RealNetworks

• published 2008-07-25

ZDI-08-046: RealNetworks

• published 2008-07-25

ZDI-08-045: Apple

• published 2008-07-25

ZDI-08-044: Mozilla Firefox

• published 2008-07-17

ZDI-08-043: Sun Microsystems

• published 2008-07-17

Upcoming Advisories

Microsoft

• reported 2008-07-08, 23 days ago

EMC

• reported 2008-07-07, 24 days ago

EMC

• reported 2008-07-07, 24 days ago

Adobe

• reported 2008-07-03, 28 days ago

Symantec

• reported 2008-06-26, 35 days ago

Recent Press

Apple releases new Mac OS X 10.5.5

• published 2008-07-31, ITWire

High-priority patch fixes critical vulns in RealPlayer

• published 2008-07-25, The Register

Firefox 3.0.1 Fixes 'Carpet Bombing' Issue

• published 2008-07-17, SlashDot

iPhone and iPod Touch updated with security patches

• published 2008-07-11, CNET

Apple TV gets a security update

• published 2008-07-10, CNET