Vulnerabilities > CVE-2009-1372 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Clamav
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-097.NASL description Multiple vulnerabilities has been found and corrected in clamav : Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive (CVE-2009-1241). libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error (CVE-2008-6680). libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted file that causes (1) clamd and (2) clamscan to hang (CVE-2009-1270). The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) via a malformed file with UPack encoding (CVE-2009-1371). Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL (CVE-2009-1372). Important notice about this upgrade: clamav-0.95+ bundles support for RAR v3 in libclamav which is a license violation as the RAR v3 license and the GPL license is not compatible. As a consequence to this Mandriva has been forced to remove the RAR v3 code. This update provides clamav 0.95.1, which is not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 38165 published 2009-04-27 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38165 title Mandriva Linux Security Advisory : clamav (MDVSA-2009:097) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:097. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(38165); script_version ("1.15"); script_cvs_date("Date: 2019/08/02 13:32:51"); script_cve_id("CVE-2008-6680", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1371", "CVE-2009-1372"); script_bugtraq_id(34344); script_xref(name:"MDVSA", value:"2009:097"); script_name(english:"Mandriva Linux Security Advisory : clamav (MDVSA-2009:097)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities has been found and corrected in clamav : Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive (CVE-2009-1241). libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error (CVE-2008-6680). libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted file that causes (1) clamd and (2) clamscan to hang (CVE-2009-1270). The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) via a malformed file with UPack encoding (CVE-2009-1371). Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL (CVE-2009-1372). Important notice about this upgrade: clamav-0.95+ bundles support for RAR v3 in libclamav which is a license violation as the RAR v3 license and the GPL license is not compatible. As a consequence to this Mandriva has been forced to remove the RAR v3 code. This update provides clamav 0.95.1, which is not vulnerable to these issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 94, 119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-db"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-milter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2008.1", reference:"clamav-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"clamav-db-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"clamav-milter-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", reference:"clamd-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64clamav-devel-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64clamav6-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libclamav-devel-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libclamav6-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"clamav-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"clamav-db-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"clamav-milter-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", reference:"clamd-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64clamav-devel-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64clamav6-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libclamav-devel-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libclamav6-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_CLAMAV-6201.NASL description This clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371). last seen 2020-06-01 modified 2020-06-02 plugin id 38180 published 2009-04-27 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/38180 title openSUSE 10 Security Update : clamav (clamav-6201) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update clamav-6201. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(38180); script_version ("1.9"); script_cvs_date("Date: 2019/10/25 13:36:36"); script_cve_id("CVE-2009-1371", "CVE-2009-1372"); script_name(english:"openSUSE 10 Security Update : clamav (clamav-6201)"); script_summary(english:"Check for the clamav-6201 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371)." ); script_set_attribute( attribute:"solution", value:"Update the affected clamav packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav-db"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.3", reference:"clamav-0.95.1-0.1") ) flag++; if ( rpm_check(release:"SUSE10.3", reference:"clamav-db-0.95.1-0.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav"); }NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2009-005.NASL description The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server last seen 2020-06-01 modified 2020-06-02 plugin id 40945 published 2009-09-11 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40945 title Mac OS X Multiple Vulnerabilities (Security Update 2009-005) code # # (C) Tenable Network Security, Inc. # if (!defined_func("bn_random")) exit(0); if (NASL_LEVEL < 3004) exit(0); include("compat.inc"); if (description) { script_id(40945); script_version("1.21"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2008-2079", "CVE-2008-5498", "CVE-2008-6680", "CVE-2009-0590", "CVE-2009-0591", "CVE-2009-0789", "CVE-2009-0949", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1271", "CVE-2009-1272", "CVE-2009-1371", "CVE-2009-1372", "CVE-2009-1862", "CVE-2009-1863", "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868", "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2468", "CVE-2009-2800", "CVE-2009-2803", "CVE-2009-2804", "CVE-2009-2805", "CVE-2009-2807", "CVE-2009-2809", "CVE-2009-2811", "CVE-2009-2812", "CVE-2009-2813", "CVE-2009-2814"); script_bugtraq_id( 29106, 33002, 34256, 34357, 35759, 36350, 36354, 36355, 36357, 36358, 36359, 36360, 36361, 36363, 36364 ); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-005)"); script_summary(english:"Check for the presence of Security Update 2009-005"); script_set_attribute( attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes various security issues." ); script_set_attribute( attribute:"description", value: "The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server" ); script_set_attribute( attribute:"see_also", value:"http://support.apple.com/kb/HT3865" ); script_set_attribute( attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html" ); script_set_attribute( attribute:"see_also", value:"http://www.securityfocus.com/advisories/17867" ); script_set_attribute( attribute:"solution", value:"Install Security Update 2009-005 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(20, 59, 79, 94, 119, 189, 200, 264, 287, 399); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages", "Host/uname"); exit(0); } # uname = get_kb_item("Host/uname"); if (!uname) exit(1, "The 'Host/uname' KB item is missing."); if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname)) { packages = get_kb_item("Host/MacOSX/packages"); if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing."); if (egrep(pattern:"^SecUpd(Srvr)?(2009-00[5-9]|20[1-9][0-9]-)", string:packages)) exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected."); else security_hole(0); } else if (egrep(pattern:"Darwin.* (9\.[0-8]\.)", string:uname)) { packages = get_kb_item("Host/MacOSX/packages/boms"); if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing."); if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[5-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages)) exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected."); else security_hole(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_11_1_CLAMAV-090416.NASL description This clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371). last seen 2020-06-01 modified 2020-06-02 plugin id 40200 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40200 title openSUSE Security Update : clamav (clamav-809) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update clamav-809. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(40200); script_version("1.12"); script_cvs_date("Date: 2019/10/25 13:36:34"); script_cve_id("CVE-2009-1371", "CVE-2009-1372"); script_name(english:"openSUSE Security Update : clamav (clamav-809)"); script_summary(english:"Check for the clamav-809 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=493562" ); script_set_attribute( attribute:"solution", value:"Update the affected clamav packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav-db"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.1", reference:"clamav-0.95.1-0.1.1") ) flag++; if ( rpm_check(release:"SUSE11.1", reference:"clamav-db-0.95.1-0.1.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200909-04.NASL description The remote host is affected by the vulnerability described in GLSA-200909-04 (Clam AntiVirus: Multiple vulnerabilities) Multiple vulnerabilities have been found in ClamAV: The vendor reported a Divide-by-zero error in the PE ( last seen 2020-06-01 modified 2020-06-02 plugin id 40912 published 2009-09-10 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40912 title GLSA-200909-04 : Clam AntiVirus: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200909-04. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(40912); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:45"); script_cve_id("CVE-2008-6680", "CVE-2009-1270", "CVE-2009-1371", "CVE-2009-1372"); script_xref(name:"GLSA", value:"200909-04"); script_name(english:"GLSA-200909-04 : Clam AntiVirus: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200909-04 (Clam AntiVirus: Multiple vulnerabilities) Multiple vulnerabilities have been found in ClamAV: The vendor reported a Divide-by-zero error in the PE ('Portable Executable'; Windows .exe) file handling of ClamAV (CVE-2008-6680). Jeffrey Thomas Peckham found a flaw in libclamav/untar.c, possibly resulting in an infinite loop when processing TAR archives in clamd and clamscan (CVE-2009-1270). Martin Olsen reported a vulnerability in the CLI_ISCONTAINED macro in libclamav/others.h, when processing UPack archives (CVE-2009-1371). Nigel disclosed a stack-based buffer overflow in the 'cli_url_canon()' function in libclamav/phishcheck.c when processing URLs (CVE-2009-1372). Impact : A remote attacker could entice a user or automated system to process a specially crafted UPack archive or a file containing a specially crafted URL, possibly resulting in the remote execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. Furthermore, a remote attacker could cause a Denial of Service by supplying a specially crafted TAR archive or PE executable to a Clam AntiVirus instance. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200909-04" ); script_set_attribute( attribute:"solution", value: "All Clam AntiVirus users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-antivirus/clamav-0.95.2'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 94, 119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:clamav"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/10"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-antivirus/clamav", unaffected:make_list("ge 0.95.2"), vulnerable:make_list("lt 0.95.2"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Clam AntiVirus"); }NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-327.NASL description Multiple vulnerabilities has been found and corrected in clamav : Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive (CVE-2009-1241). libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error (CVE-2008-6680). libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted file that causes (1) clamd and (2) clamscan to hang (CVE-2009-1270). The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) via a malformed file with UPack encoding (CVE-2009-1371). Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL (CVE-2009-1372). Important notice about this upgrade: clamav-0.95+ bundles support for RAR v3 in libclamav which is a license violation as the RAR v3 license and the GPL license is not compatible. As a consequence to this Mandriva has been forced to remove the RAR v3 code. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides clamav 0.95.2, which is not vulnerable to these issues. Additionally klamav-0.46 is being provided that has support for clamav-0.95+. last seen 2020-06-01 modified 2020-06-02 plugin id 43076 published 2009-12-09 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/43076 title Mandriva Linux Security Advisory : clamav (MDVSA-2009:327) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2009:327. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(43076); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:52"); script_cve_id("CVE-2008-6680", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1371", "CVE-2009-1372"); script_bugtraq_id(34344); script_xref(name:"MDVSA", value:"2009:327"); script_name(english:"Mandriva Linux Security Advisory : clamav (MDVSA-2009:327)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Multiple vulnerabilities has been found and corrected in clamav : Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive (CVE-2009-1241). libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error (CVE-2008-6680). libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted file that causes (1) clamd and (2) clamscan to hang (CVE-2009-1270). The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) via a malformed file with UPack encoding (CVE-2009-1371). Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL (CVE-2009-1372). Important notice about this upgrade: clamav-0.95+ bundles support for RAR v3 in libclamav which is a license violation as the RAR v3 license and the GPL license is not compatible. As a consequence to this Mandriva has been forced to remove the RAR v3 code. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides clamav 0.95.2, which is not vulnerable to these issues. Additionally klamav-0.46 is being provided that has support for clamav-0.95+." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 94, 119, 189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-db"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-milter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:klamav"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/09"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2008.0", reference:"clamav-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"clamav-db-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"clamav-milter-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"clamd-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", reference:"klamav-0.46-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64clamav-devel-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64clamav6-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libclamav-devel-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libclamav6-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Misc. NASL id CLAMAV_0_95_1.NASL description According to its version, the clamd antivirus daemon on the remote host is earlier than 0.95.1. Such versions are affected by multiple vulnerabilities : - ClamAV might crash while scanning certain malicious files packed with UPack. (Bug #1552) - ClamAV might crash while using last seen 2020-06-01 modified 2020-06-02 plugin id 36131 published 2009-04-10 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36131 title ClamAV < 0.95.1 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(36131); script_version("1.16"); script_cvs_date("Date: 2018/07/06 11:26:07"); script_cve_id("CVE-2009-1371", "CVE-2009-1372"); script_bugtraq_id(34446); script_name(english:"ClamAV < 0.95.1 Multiple Vulnerabilities"); script_summary(english:"Sends a VERSION command to clamd"); script_set_attribute(attribute:"synopsis", value:"The remote antivirus service is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its version, the clamd antivirus daemon on the remote host is earlier than 0.95.1. Such versions are affected by multiple vulnerabilities : - ClamAV might crash while scanning certain malicious files packed with UPack. (Bug #1552) - ClamAV might crash while using 'cli_url_canon'. (Bug #1553)"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.clamav.net/show_bug.cgi?id=1552"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.clamav.net/show_bug.cgi?id=1553" ); script_set_attribute(attribute:"solution", value:"Upgrade to ClamAV 0.95.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/10"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:clamav:clamav"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("find_service2.nasl"); script_require_keys("Settings/ParanoidReport"); script_require_ports("Services/clamd", 3310); exit(0); } include("audit.inc"); include("global_settings.inc"); # nb: banner checks of open source software are prone to false- # positives so only run the check if reporting is paranoid. if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_kb_item("Services/clamd"); if (!port) port = 3310; if (!get_port_state(port)) exit(0); # Establish a connection. soc = open_sock_tcp(port); if (!soc) exit(0); # Send a VERSION command. req = "VERSION"; send(socket:soc, data:req+'\r\n'); res = recv_line(socket:soc, length:128); if (!strlen(res) || "ClamAV " >!< res) exit(0); # Check the version. version = strstr(res, "ClamAV ") - "ClamAV "; if ("/" >< version) version = version - strstr(version, "/"); if (version =~ "^0\.(([0-9]|[0-8][0-9]|9[0-4])($|[^0-9])|95($|[^0-9.]))") { if (report_verbosity > 0) { report = string( "\n", "ClamAV version ", version, " appears to be running on the remote host based on\n", "the following response to a 'VERSION' command :\n", "\n", " ", res, "\n" ); security_warning(port:port, extra:report); } else security_warning(port); }NASL family SuSE Local Security Checks NASL id SUSE9_12402.NASL description This clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives. (CVE-2009-1371) last seen 2020-06-01 modified 2020-06-02 plugin id 41295 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41295 title SuSE9 Security Update : ClamAV (YOU Patch Number 12402) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(41295); script_version("1.9"); script_cvs_date("Date: 2019/10/25 13:36:33"); script_cve_id("CVE-2009-1371", "CVE-2009-1372"); script_name(english:"SuSE9 Security Update : ClamAV (YOU Patch Number 12402)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 9 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "This clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives. (CVE-2009-1371)" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2009-1371/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2009-1372/" ); script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12402."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_cwe_id(20, 119); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2009/04/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SUSE9", reference:"clamav-0.95.1-0.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family SuSE Local Security Checks NASL id SUSE_11_0_CLAMAV-090417.NASL description This clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371). last seen 2020-06-01 modified 2020-06-02 plugin id 39935 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39935 title openSUSE Security Update : clamav (clamav-809)
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 34446 CVE(CAN) ID: CVE-2009-1371,CVE-2009-1372 Clam AntiVirus是Unix的GPL杀毒工具包,很多邮件网关产品都在使用。 ClamAV的libclamav/phishcheck.c文件中的cli_url_canon函数存在栈溢出漏洞,远程攻击者可以通过提交恶意的URL来触发这个溢出,导致执行任意代码。 如果用户使用ClamAV扫描到了UPack编码的畸形文件的话,libclamav/others.h文件的CLI_ISCONTAINED宏中的安全漏洞可能导致应用程序崩溃。 ClamAV < 0.95.1 ClamAV ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://freshmeat.net/urls/c9bfa0aa2a4b8f3dc21e37debf0b05e5 target=_blank rel=external nofollow>http://freshmeat.net/urls/c9bfa0aa2a4b8f3dc21e37debf0b05e5</a> |
| id | SSV:5106 |
| last seen | 2017-11-19 |
| modified | 2009-04-25 |
| published | 2009-04-25 |
| reporter | Root |
| title | ClamAV UPack拒绝服务和cli_url_canon()栈溢出漏洞 |
References
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html
- http://osvdb.org/53603
- http://secunia.com/advisories/34612
- http://secunia.com/advisories/36701
- http://support.apple.com/kb/HT3865
- http://svn.clamav.net/websvn/filedetails.php?repname=clamav-devel&path=%2Ftrunk%2FChangeLog&rev=5032
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:097
- http://www.securityfocus.com/bid/34446
- http://www.securitytracker.com/id?1022028
- http://www.vupen.com/english/advisories/2009/0985
- https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1553