Vigil@nce: ClamAV, bypassing via CAB RAR ZIP
June 2009 by Vigil@nce
An attacker can create a CAB/RAR/ZIP archive containing a virus which is not detected by ClamAV.
Severity: 2/4
Consequences: data flow
Provenance: document
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 2
Creation date: 16/06/2009
IMPACTED PRODUCTS
Clam AntiVirus
DESCRIPTION OF THE VULNERABILITY
The ClamAV antivirus detects viruses contained in CAB/RAR/ZIP archives. However, an attacker can create a malformed archive, which can still be opened by extraction tools, but which cannot be opened by the antivirus.
The WinRAR, WinZip and 7-Zip tools search for the magic header (for example "PK" for a ZIP file) in the first 50000 bytes of the file. However, ClamAV only searches for the magic header in the first bytes of a RAR/ZIP file, and thus does not decompress the infected file to check it. [grav:2/4]
When a CAB file has an invalid size, ClamAV does not scan it. [grav:2/4; TZO-43-2009]
An attacker can therefore create a CAB/RAR/ZIP archive containing a virus which is not detected by ClamAV.
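The following is an added example written for this bulletin, not ClamAV's code or Vigil@nce's: it contrasts a naive "signature at offset 0" check with an extractor-like search over the first 50000 bytes stated above, and shows that the archive found at a non-zero offset is still a readable ZIP, so a scanner should scan from that offset. The function names, the signature list and the constructed sample file are assumptions of this example.

```python
import io
import zipfile

# Archive signatures a scanner should look for (hypothetical list for this example).
ARCHIVE_MAGIC = {
    "zip": [b"PK\x03\x04"],
    "rar": [b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"],
    "cab": [b"MSCF"],
}
SEARCH_WINDOW = 50000  # window searched by WinRAR/WinZip/7-Zip per the bulletin
MAX_SIG = max(len(s) for sigs in ARCHIVE_MAGIC.values() for s in sigs)


def magic_at_start(data):
    """Naive check: recognises an archive only if its signature is at offset 0."""
    for kind, sigs in ARCHIVE_MAGIC.items():
        if any(data.startswith(s) for s in sigs):
            return kind, 0
    return None


def find_archive_magic(data, window=SEARCH_WINDOW):
    """Extractor-like check: earliest signature starting within the first `window` bytes."""
    head = data[:window + MAX_SIG]  # let a signature start right at the window edge
    best = None
    for kind, sigs in ARCHIVE_MAGIC.items():
        for sig in sigs:
            off = head.find(sig)
            if off != -1 and off < window and (best is None or off < best[1]):
                best = (kind, off)
    return best


def extract_names(data, offset):
    """Open the embedded ZIP from the offset an extractor would use, returning its entries."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return zf.namelist()


def build_sample(junk_len=1000):
    """Constructed sample: junk bytes followed by a benign ZIP holding one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content for the demo")
    return b"\x00" * junk_len + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("offset-0 check:", magic_at_start(sample))        # None: archive missed
    hit = find_archive_magic(sample)
    print("windowed check:", hit)                           # ('zip', 1000)
    print("entries:", extract_names(sample, hit[1]))        # ['readme.txt']
```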
CHARACTERISTICS
Identifiers: BID-35398, BID-35410, BID-35426, TZO-40-2009, TZO-43-2009, VIGILANCE-VUL-8799
http://vigilance.fr/vulnerability/ClamAV-bypassing-via-CAB-RAR-ZIP-8799