The WabiSabiLabi vulnerability auction house is hyping the sale of a potentially nasty remote code execution flaw in ClamAV, the popular open-source anti-virus toolkit recently acquired by Sourcefire.
WabiSabiLabi, which positions itself as the eBay of software vulnerabilities, said the flaw can be exploited by simply sending a specially crafted e-mail to the vulnerable mail server.
In a blog entry dedicated to this ClamAV bug, WabiSabiLabi said the vulnerability (and reliable proof-of-concept exploit code) allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite.
The latest verified vulnerable version is 0.91.1 but other versions could be affected as well. As you can obviously imagine, the impact of this vulnerability is ravaging.
At 10:53 AM today, there were no bids on the flaw, which opens at 500€ (US$732).
When exploited, the vulnerability allows an attacker to execute arbitrary code on the target machine in the context of the user running the affected application and to have a "base" on the local network/DMZ, thus having the possibility to escalate privileges (if needed) and compromise other servers near the attacked one.
Of course, as it's an anti-virus engine designed for mail servers, the attacker can locally escalate his privileges and get access to all the mail traffic to and from the company just by sniffing the traffic on the compromised machine.
In a home scenario, even if ClamAV is not widely used in such environments, the impact can also be high. If a home computer is compromised, the attacker can access documents and files stored on that computer and use this information to gain higher privileges.
WabiSabiLabi is also brokering the sale of vulnerabilities in Apple's QuickTime (client side remote code execution), IBM DB2 (there's a single bid on one of the DB2 holes), RealNetworks's Helix Server, Samba, FreeBSD and Novell eDirectory.