

CVE-2008-5314

Experiment Environment

Ubuntu 14.04.3 LTS

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2008-5314/clamav-0.93.3.tar.gz
cd clamav-0.93.3/
mkdir build
./configure --prefix ${PWD}/build
make
make install

Note: if you only run make to compile clamav, you will get a clamscan file in the clamscan folder, but it is a script rather than the executable itself. The easiest way to obtain the real binary is make install. However, we do not want to install this software into the default directory /usr/local/, so use --prefix to specify the installation directory.

Problems in Installation & Configuration

1. configure: error: User clamav (and/or group clamav) doesn't exist. Please read the documentation !

Solution:

$ sudo adduser clamav

How to trigger vulnerability

$ gcc -o exploit 7330.c
$ ./exploit
done, now run clamscan on ./clamav-jpeg-crash.jpg
$ mv clamav-jpeg-crash.jpg build/bin/
$ cd build/bin/
$ ./clamscan clamav-jpeg-crash.jpg 

PoCs

ClamAV < 0.94.2 - JPEG Parsing Recursive Stack Overflow (PoC)

Vulnerability Patch

Root Cause

jpeg_check_photoshop, jpeg_check_photoshop_8bim and cli_check_jpeg_exploit call each other recursively (cli_check_jpeg_exploit → jpeg_check_photoshop → jpeg_check_photoshop_8bim → cli_check_jpeg_exploit), so a JPEG whose Photoshop thumbnail segments nest repeatedly drives the recursion until the stack is exhausted, as the trace below shows.

Stack Trace

#0  0xb7f6c538 in cli_check_jpeg_exploit (fd=fd@entry=3) at special.c:188
#1  0xb7f6c887 in jpeg_check_photoshop_8bim (fd=3) at special.c:141
#2  jpeg_check_photoshop (fd=3) at special.c:167
#3  cli_check_jpeg_exploit (fd=fd@entry=3) at special.c:230
#4  0xb7f6c887 in jpeg_check_photoshop_8bim (fd=3) at special.c:141
#5  jpeg_check_photoshop (fd=3) at special.c:167
#6  cli_check_jpeg_exploit (fd=fd@entry=3) at special.c:230
#7  0xb7f6c887 in jpeg_check_photoshop_8bim (fd=3) at special.c:141
#8  jpeg_check_photoshop (fd=3) at special.c:167
#9  cli_check_jpeg_exploit (fd=fd@entry=3) at special.c:230
......

Patch

Index: branches/clamav-0.94/libclamav/scanners.c
===================================================================
--- branches/clamav-0.94/libclamav/scanners.c	(revision 4477)
+++ branches/clamav-0.94/libclamav/scanners.c	(revision 4478)
@@ -1334,13 +1334,13 @@
     return ret;
 }
 
-static int cli_scanjpeg(int desc, const char **virname)
+static int cli_scanjpeg(int desc, cli_ctx *ctx)
 {
 	int ret = CL_CLEAN;
 
-    if(cli_check_jpeg_exploit(desc) == 1) {
+    if(cli_check_jpeg_exploit(desc, ctx) == 1) {
 	ret = CL_VIRUS;
-	*virname = "Exploit.W32.MS04-028";
+	*ctx->virname = "Exploit.W32.MS04-028";
     }
 
     return ret;
@@ -2020,7 +2020,7 @@
 
 	case CL_TYPE_GRAPHICS:
 	    if(SCAN_ALGO && (DCONF_OTHER & OTHER_CONF_JPEG))
-		ret = cli_scanjpeg(desc, ctx->virname);
+		ret = cli_scanjpeg(desc, ctx);
 	    break;
 
         case CL_TYPE_PDF: /* FIXMELIMITS: pdf should be an archive! */
Index: branches/clamav-0.94/libclamav/special.c
===================================================================
--- branches/clamav-0.94/libclamav/special.c	(revision 4477)
+++ branches/clamav-0.94/libclamav/special.c	(revision 4478)
@@ -85,7 +85,7 @@
     return retval;
 }
 
-static int jpeg_check_photoshop_8bim(int fd)
+static int jpeg_check_photoshop_8bim(int fd, cli_ctx *ctx)
 {
 	unsigned char bim[5];
 	uint16_t id, ntmp;
@@ -140,7 +140,7 @@
 	/* Jump past header */
 	lseek(fd, 28, SEEK_CUR);
 
-	retval = cli_check_jpeg_exploit(fd);
+	retval = cli_check_jpeg_exploit(fd, ctx);
 	if (retval == 1) {
 		cli_dbgmsg("Exploit found in thumbnail\n");
 	}
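Review bot: The recursion bound that actually breaks the cycle is not visible in this hunk, nor in the related hunks at special.c:166 and scanners.c:1334; at `retval = cli_check_jpeg_exploit(fd, ctx);` the new argument only changes the signature unless cli_check_jpeg_exploit, whose change is not among the shown hunks, tracks a depth counter in ctx and returns before re-entering jpeg_check_photoshop. The stack trace above shows the cycle cli_check_jpeg_exploit → jpeg_check_photoshop → jpeg_check_photoshop_8bim → cli_check_jpeg_exploit repeating with no terminating condition, so the review should confirm that limit exists and that the do-while loop in jpeg_check_photoshop also stops when the callee reports the limit rather than only when the file offset fails to advance. A one-line comment at this call, `/* ctx carries the recursion depth; cli_check_jpeg_exploit must stop once the limit is reached, or nested thumbnails recurse without bound */`, would document the contract the new parameter exists for. jpeg_check_photoshop_8bim starts before and ends after this hunk.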
@@ -149,7 +149,7 @@
 	return retval;
 }
 
-static int jpeg_check_photoshop(int fd)
+static int jpeg_check_photoshop(int fd, cli_ctx *ctx)
 {
 	int retval;
 	unsigned char buffer[14];
@@ -166,7 +166,7 @@
 	cli_dbgmsg("Found Photoshop segment\n");
 	do {
 		old = lseek(fd, 0, SEEK_CUR);
-		retval = jpeg_check_photoshop_8bim(fd);
+		retval = jpeg_check_photoshop_8bim(fd, ctx);
 		new = lseek(fd, 0, SEEK_CUR);
 		if(new <= old)
 			break;
@@ -178,7 +178,7 @@
 	return retval;
 }

References

CVE-2008-5314 clamav: DoS / crash via crafted jpeg image
