CVE-2007-1745 in ClamAV
Summary
by MITRE
The chm_decompress_stream function in libclamav/chmunpack.c in Clam AntiVirus (ClamAV) before 0.90.2 leaks file descriptors, which has unknown impact and attack vectors involving a crafted CHM file, a different vulnerability than CVE-2007-0897. NOTE: some of these details are obtained from third party information.
Analysis
by VulDB Data Team • 03/15/2021
CVE-2007-1745 affects Clam AntiVirus (ClamAV) versions before 0.90.2. The flaw sits in the chm_decompress_stream function in libclamav/chmunpack.c, the code that unpacks Compiled HTML Help (CHM) archives, a Windows documentation format that bundles HTML pages and resources into one compressed container. While decompressing a crafted CHM file the function leaks file descriptors: descriptors it opens are not released when it returns. MITRE records the impact and attack vector as unknown, and it is a different issue from CVE-2007-0897; the consequence that follows directly from a descriptor leak is resource exhaustion, discussed below.
Technically, chm_decompress_stream opens at least one file descriptor while reading and decompressing the archive's streams and does not close it on every path back to the caller. Each crafted CHM file that drives the function down such a path leaves a descriptor behind. This matters most in a long-running process: clamd, or a mail gateway or milter that links libclamav, scans many files over one process lifetime, so the leaked descriptors accumulate instead of being released at exit as they would be after a single clamscan invocation. Because CHM is an ordinary Windows help format, crafted files can be delivered through the same channels any document travels: email attachments, web downloads or removable media.
The operational impact is denial of service against the scanner itself. Once the process reaches its per-process descriptor limit (RLIMIT_NOFILE), further open(), socket() and accept() calls fail with EMFILE: the daemon can no longer open the next file to scan, create temporary files for unpacking, or accept client connections, so scans fail and the service becomes unresponsive. An attacker who can put a steady stream of crafted CHM files in front of the scanner, for instance as mail attachments, can therefore disable the control that is supposed to inspect the rest of their traffic, and the files need not look suspicious to do it.
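The leak pattern and its accumulation, as an added example rather than ClamAV's own code: a hypothetical decompress routine (the "LZXC" magic, the stream layout, the /tmp scratch file and every function name here are invented for the demo) that opens a temporary file and returns on a malformed header without closing it, beside a fixed version with a single cleanup path, and a probe that counts how many descriptors a run of constructed crafted inputs leaves behind.

```c
/* Added example, not ClamAV's code: a descriptor leak of the shape
 * CVE-2007-1745 describes, in a hypothetical decompress routine, beside
 * the fixed form, plus a probe that measures the leak.  The "LZXC" magic,
 * the stream layout and all names here are invented for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define FD_PROBE_LIMIT 1024  /* assumption: demo never needs fd numbers above this */

/* Count descriptors currently open in this process: fcntl(F_GETFD)
 * succeeds only on an open descriptor.  Same idea as `ls /proc/<pid>/fd`. */
int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < FD_PROBE_LIMIT; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Hypothetical stream layout: 4-byte magic followed by the payload. */
static const unsigned char MAGIC[4] = { 'L', 'Z', 'X', 'C' };

/* Vulnerable shape: a scratch file is opened for the decompressed data,
 * then the function returns on a malformed header (or a short write)
 * without closing it.  Every crafted input that hits one of those returns
 * leaves one descriptor open for the life of the process. */
int decompress_stream_leaky(const unsigned char *buf, size_t len)
{
    char path[] = "/tmp/chm-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                        /* file exists only via the fd */

    if (len < sizeof MAGIC || memcmp(buf, MAGIC, sizeof MAGIC) != 0)
        return -1;                       /* BUG: fd leaked */
    if (write(fd, buf + sizeof MAGIC, len - sizeof MAGIC)
            != (ssize_t)(len - sizeof MAGIC))
        return -1;                       /* BUG: fd leaked here too */

    close(fd);
    return 0;
}

/* Fixed shape: a single exit path owns the descriptor, so no early
 * return can skip the close(). */
int decompress_stream_fixed(const unsigned char *buf, size_t len)
{
    char path[] = "/tmp/chm-demo-XXXXXX";
    int ret = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);

    if (len < sizeof MAGIC || memcmp(buf, MAGIC, sizeof MAGIC) != 0)
        goto done;
    if (write(fd, buf + sizeof MAGIC, len - sizeof MAGIC)
            != (ssize_t)(len - sizeof MAGIC))
        goto done;
    ret = 0;
done:
    close(fd);
    return ret;
}

/* Run `rounds` constructed bad-magic inputs through `fn`, the way a daemon
 * would scan a stream of attachments, and return how many descriptors are
 * open afterwards that were not open before.  For the leaky routine this
 * equals `rounds`; in a real daemon it keeps climbing until open() fails
 * with EMFILE. */
int fds_leaked_by(int (*fn)(const unsigned char *, size_t), int rounds)
{
    static const unsigned char crafted[] = "NOPE-not-a-valid-stream"; /* constructed */
    int before = count_open_fds();
    for (int i = 0; i < rounds; i++)
        fn(crafted, sizeof crafted - 1);
    return count_open_fds() - before;
}

int main(void)
{
    printf("leaky: %d fds leaked after 32 crafted inputs\n",
           fds_leaked_by(decompress_stream_leaky, 32));
    printf("fixed: %d fds leaked after 32 crafted inputs\n",
           fds_leaked_by(decompress_stream_fixed, 32));
    return 0;
}
```

Build with `cc -o fdleak fdleak.c` and run it; the leaky routine reports one leaked descriptor per crafted input, the fixed one reports zero. The same before/after comparison is what you would do against a real scanner: note `ls /proc/<pid>/fd | wc -l` for the daemon, feed it a batch of suspect samples, and check whether the count returns to where it started.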
In ATT&CK terms the useful mapping is the delivery vector and the effect rather than the bug itself: crafted CHM files would most plausibly arrive as T1566.001, Phishing: Spearphishing Attachment, and exhausting the scanner's descriptors is an instance of T1499, Endpoint Denial of Service. The weakness class is CWE-404, Improper Resource Shutdown or Release. The fix is to upgrade to ClamAV 0.90.2 or later, which closes the leaked descriptors. Until that is deployed, watch the daemon's descriptor count (`ls /proc/<pid>/fd | wc -l` or `lsof -p <pid>`) against its limit (`ulimit -n` for the scanner's account); a count that climbs steadily while CHM samples are scanned and never falls back is the signature of this bug, and an automatic restart when the count nears the limit is the practical stopgap. Running the scanner under a dedicated account with its own descriptor limit also keeps exhaustion from spilling over into other services on the host. The broader lesson is that a security tool which mishandles its own resources becomes an attack surface in its own right: here the failure does not compromise the host, but it silently removes the protection the tool exists to provide.