CVE-2022-20803 - How a Simple OLE2 File Can Crash ClamAV (Exploit Details Included)

---

Introduction

Antivirus software like Clam AntiVirus (ClamAV) is meant to protect us from malicious files, but sometimes, a bug in the software itself opens up new vulnerabilities. CVE-2022-20803 is a real-world example of this: a vulnerability in how ClamAV parses certain document files can let an attacker crash the antivirus engine with no authentication required.

In this article, we'll break down how this vulnerability works, explore the code issue, and look at how an attacker could actually trigger it. We use simple, plain English, and show you just how subtle but dangerous this kind of bug can be.

What is CVE-2022-20803?

- CVE-2022-20803 is a vulnerability found in the OLE2 file parser in ClamAV, specifically in versions .104. through .104.2.
- OLE2 files are a container format used by Microsoft Office documents (think old .doc and .xls files).
- The bug is triggered by incorrect memory management in the parser — specifically, by mishandling the realloc() function, leading to a double-free error.
- An attacker just needs to make ClamAV scan a specially crafted OLE2 file; no login or authentication needed.

What’s a “Double-Free”?

A *double-free* happens when a program tells the operating system to free the same piece of memory twice. This can corrupt memory management data. In the best case, the program just crashes. In the worst case (not here, but sometimes), it can be used to execute malicious code.

How the Bug Happens (With Code)

The problem lies in the way ClamAV resizes memory for parsing OLE2 files. Here's a simplified snippet that captures the essence:

char *buffer = malloc(INITIAL_SIZE);
// ... Some parsing logic
char *tmp = realloc(buffer, NEW_SIZE);
if (!tmp) {
    free(buffer);  // <--- This is correct if tmp is NULL (realloc failed)
    return -1;
}
buffer = tmp;

But due to logic issues later in ClamAV's OLE2 parser, sometimes both tmp and buffer point to the same thing AND are both freed independently, causing a double free.

Here’s an example of problematic logic that can happen

void process_ole2_file(const char *file) {
    char *buf = malloc(SIZE);
    // ... parsing
    buf = realloc(buf, NEW_SIZE);

    if (error_condition) {
        free(buf);   // <-- First free
        // ... some code, another error here
        free(buf);   // <-- Second free, crashes or corrupts the program!
    }
}

This simplified snippet shows how, if the error handling isn't careful, memory can be freed more than once.

Real-World Impact

- Denial of Service (DoS): The main impact here is making ClamAV crash. If you send the right kind of file, the antivirus scanner process will just die.
- If you rely on ClamAV to protect your email or file uploads, an attacker could repeatedly send these crafted OLE2 files to keep your protection offline.

Attacker creates an OLE2 file that will corrupt ClamAV’s memory management when scanned.

2. Attacker uploads the file to a mail gateway, fileserver, or web service that uses ClamAV to scan uploads.

As soon as the file is scanned, the ClamAV process handling the scan crashes due to the double-free.

4. The attacker repeats as needed, keeping antivirus protection offline or making for easier delivery of real malicious files.

If you want to see a simplified proof-of-concept, here’s what it might look like (pseudocode)

# This does not create a valid exploit file, but shows the delivery process

import requests

# Assume target scans files on upload
url = "https://targetsite.com/upload";
file_data = b"FAKE_OLE2_HEADER" + b"A" * 4096  # Crafted to trigger double free

files = {
    "file": ("exploit.doc", file_data, "application/msword")
}

response = requests.post(url, files=files)
print(response.text)

The actual malicious file would require crafting a broken OLE2 structure that triggers the exact bug (see the official bug report or crafted files in references for details).

References and Further Reading

- Cisco Security Advisory: CVE-2022-20803
- ClamAV Release Notes and Patch
- National Vulnerability Database Entry
- GitHub: ClamAV OLE2 Parser Source

Upgrade ClamAV: This bug was fixed in version .104.3 and above.

- Layer Security: Don’t let public users have direct access to file scanning if you can avoid it.

Conclusion

CVE-2022-20803 shows how even security software like antivirus can become a target due to common coding mistakes. Memory bugs like double-free are sneaky and can open the door to attackers — even if the only result here is a denial of service, it’s still a serious threat for organizations relying on ClamAV. If you use ClamAV, update it now!


Share this article with your security team before someone else shares a crafted OLE2 file with your ClamAV installation!

Timeline

Published on: 02/17/2023 18:15:00 UTC
Last modified on: 02/28/2023 16:22:00 UTC