add information for clamav vulnerabilities

CVE-2006-4018/README.md

@@ -2,14 +2,128 @@
 
 ## Experiment Environment
 
+Ubuntu 10.04 LTS
+
 ## INSTALL & Configuration
 
+```
+wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-4182/clamav-0.88.2.tar.gz
+tar -xvf clamav-0.88.2.tar.gz
+cd clamav-0.88.2
+./configure
+make
+sudo make install
+```
+
 ## Problems in Installation & Configuration
 
+
 ## How to trigger vulnerability
 
+```
+/usr/local/bin/clamscan 28348.exe
+```
+
 ## PoCs
 
-## Vulnerability Patch
+[Clam Anti-Virus ClamAV 0.88.x - UPX Compressed PE File Heap Buffer Overflow](https://www.exploit-db.com/exploits/28348/)
+
+[Clam Anti-Virus ClamAV UPX Compressed PE File Heap Buffer Overflow Vulnerability](https://www.securityfocus.com/bid/19381/exploit)
+
+## Vulnerability Details & Patch
+
+### Root Cause
+
+Remote exploitation of a heap overflow vulnerability could allow execution of
+arbitrary code or cause denial of service.
+
+Vulnerability exists in pefromupx() function, that is used to buil 
+Win32 PE file
+from UPX packed file.
+
+The vulnerable code is:
+
+```
+libclamav/upx.c:
+------------
+int pefromupx (char *src, char *dst, uint32_t *dsize, uint32_t ep, uint32_t
+upx0, uint32_t upx1, uint32_t magic)
+{
+	char *imports, *sections, *pehdr, *newbuf;
+	int sectcnt, upd=1;
+	uint32_t realstuffsz;
+	uint32_t foffset=0xd0+0xf8;
+
+	imports = dst + cli_readint32(src + ep - upx1 + magic);
+	realstuffsz = imports-dst;
+
+	if (realstuffsz >= *dsize ) {
+		cli_dbgmsg("UPX: wrong realstuff size - giving up rebuild\n");
+		return 0;
+	}
+	....
+```
+
+OK first we check that realstuffsz is not larger than dsize.
+
+```
+	....
+	foffset+=0x28*sectcnt;
+
+	if (!CLI_ISCONTAINED(dst, *dsize, sections, 0x28*sectcnt)) {
+		cli_dbgmsg("UPX: Not enough space for all sects - giving up rebuild\n");
+		return 0;
+	}
+....
+```
+
+Now we check that we have enough space for section headers.
+
+```
+....
+
+	for (upd = 0; upd <sectcnt ; upd++) {
+		uint32_t vsize=cli_readint32(sections+8)-1;
+		uint32_t rsize=cli_readint32(sections+16);
+		uint32_t urva=cli_readint32(sections+12);
+
+		.....
+
+		cli_writeint32(sections+8, vsize);
+		cli_writeint32(sections+20, foffset);
+		foffset+=rsize;
+		sections+=0x28;
+	}
+
+....
+```
+
+Now, we add to foffset rsize value of all sections and we DON`T check
+that we have enough space in *dst.
+
+```
+....
+
+	/* CBA restoring the imports they'll look different from the originals
+	anyway... */
+	/* ...and yeap i miss the icon too :P */
+
+	memcpy(dst, newbuf, foffset);
+	*dsize = foffset;
+	free(newbuf);
+
+	cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
+	return 1;
+}
+
+....
+```
+
+And there is our heap overflow. We copy from newbuf to dst pointer foffset
+bytes, but we don`t check that foffset > *dsize.
+
+### Stack Trace
+
+### Patch
 
 ## References

CVE-2006-4182/README.md

@@ -2,14 +2,42 @@
 
 ## Experiment Environment
 
+Ubuntu 10.04 LTS
+
 ## INSTALL & Configuration
 
+```
+wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-4182/clamav-0.88.2.tar.gz
+tar -xvf clamav-0.88.2.tar.gz
+cd clamav-0.88.2
+./configure
+make
+sudo make install
+```
+
 ## Problems in Installation & Configuration
 
+
 ## How to trigger vulnerability
 
+```
+/usr/local/bin/clamscan 2587.exe
+```
+
 ## PoCs
 
-## Vulnerability Patch
+[Clam Anti-Virus PE Rebuilding Heap Buffer Overflow Vulnerability](https://www.securityfocus.com/bid/20535/exploit)
+
+[Clam AntiVirus 0.88.4 - 'rebuildpe' Remote Heap Overflow (PoC)](https://www.exploit-db.com/exploits/2587/)
+
+## Vulnerability Details & Patch
+
+### Root Cause
+
+Integer overflow in rebuildpe.c of ClamAV 0.88.1 and 0.88.4, allows remote attackers to cause a denial of service (scanning service crash) via a crafted Portable Executable (PE) file that leads to a heap-based buffer overflow when less memory is allocated than expected.
+
+### Stack Trace
+
+### Patch
 
 ## References

CVE-2006-5295/README.md

@@ -1,19 +1,49 @@
-# CVE/EDB ID
+# CVE-2006-5295
 
 ## Experiment Environment
 
+Ubuntu 10.04 LTS
+
 ## INSTALL & Configuration
 
+```
+wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-4182/clamav-0.88.2.tar.gz
+tar -xvf clamav-0.88.2.tar.gz
+cd clamav-0.88.2
+./configure
+make
+sudo make install
+```
+
 ## Problems in Installation & Configuration
 
 ## How to trigger vulnerability
 
+### Method 1
+
+```
+/usr/local/bin/clamscan clam_namelen_dos.chm
+```
+
+### Method 2
+
+```
+perl 2586.pl
+/usr/local/bin/clamscan clam.cfm
+```
+
 ## PoCs
 
+[Clam Anti-Virus CHM Unpacker Denial Of Service Vulnerability](https://www.securityfocus.com/bid/20537/exploit)
+
+[Clam AntiVirus 0.88.4 - CHM Chunk Name Length Denial of Service (PoC)](https://www.exploit-db.com/exploits/2586/)
+
 ## Vulnerability Details & Patch
 
 ### Root Cause
 
 ### Stack Trace
 
+### Patch
+
 ## References

README.md

@@ -84,10 +84,11 @@ If you encounter problems with keyword "Failed to lock files", you could try to
 - [ ] CVE-2006-3581
 - [ ] CVE-2006-3582
 - [ ] CVE-2006-3746
-- [ ] CVE-2006-4018
+- [x] CVE-2006-4018
 - [ ] CVE-2006-4089
 - [x] CVE-2006-4144
 - [x] CVE-2006-4182
+- [x] CVE-2006-4812
 - [x] CVE-2006-5276
 - [ ] CVE-2006-5295
 - [ ] CVE-2006-5465
@@ -110,6 +111,7 @@ If you encounter problems with keyword "Failed to lock files", you could try to
 - [x] CVE-2007-4060
 - [x] CVE-2007-4965
 - [ ] CVE-2007-5301
+- [x] CVE-2007-5759 
 - [ ] CVE-2007-6015
 - [ ] CVE-2007-6454
 - [ ] CVE-2007-6697