Zero-day vulnerability in Compress::Raw::Zlib

Off-by-one error
CVE-2009-1391

The vulnerability was exploited in the wild against AMaViS and SpamAssassin using email messages with malicious attachments.

Known malware:

Win-Trojan/Downloader.32768.QT
TR/Crypt.XPACK.Gen
Trojan.Downloader-71014
Trojan.DownLoad.37569
Trojan-Downloader.Win32.Agent.cdir
TrojanDownloader:Win32/Cbeplay.gen!A
Mal/EncPk-FO
TROJ_CBEPLAY.A

Vulnerability details

Advisory: SB2009061301 - Remote code execution in Compress::Raw::Zlib Perl module

Vulnerable component: Compress::Raw::Zlib

CVE-ID: CVE-2009-1391

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-193 - Off-by-one Error

Description:

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to off-by-one error in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017 when processing specially crafted zlib archives. A remote attacker can pass a specially crafted zlib archive to vulnerable application, trigger heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation may allow an attacker to compromise vulnerable system.

Note: this vulnerability is being actively exploited in the wild against AMaViS and SpamAssassin, which use vulnerable Perl module.

Public Exploits: