Re: [NSE] Unauthenticated ClamAV Command Exec

[Paulino Calderon <paulino () calderonpale com>]

Hey everyone,

ClamAV finally posted an official response [1] after Rob Graham’s post [2]. However, they don’t mention if these 
‘features’ will be secured in later releases. Frankly I’m a little bit disappointed they didn’t mention what previous 
versions are affected too. Could this protocol be exposed from the very beginning when these ‘features’ were 
introduced? The article basically states not to expose the daemon but we all know how we hate following good practices 
[3].

Anyway, I think the script will help track down other affected versions. I’ve committed the script in r35888.

Cheers.

[1] (http://blog.clamav.net/2016/06/regarding-use-of-clamav-daemons-tcp.html 
<http://blog.clamav.net/2016/06/regarding-use-of-clamav-daemons-tcp.html>)
[2] (http://blog.erratasec.com/2016/06/scanning-for-clamav-0day.html 
<http://blog.erratasec.com/2016/06/scanning-for-clamav-0day.html>)
[3] (https://twitter.com/ErrataRob/status/742200021794324480 <https://twitter.com/ErrataRob/status/742200021794324480>)

> On Jun 12, 2016, at 4:34 PM, Paulino Calderon <paulino () calderonpale com> wrote:
>
> Hey,
>
> Here is an updated version of the script (Only updated a couple of issues with code quality). I forgot to clarify 
> that this is not remote OS command injection but clamav commands. 
> The script supports the commands “SCAN” and “shutdown” now. By default, the script uses the SCAN command against a 
> non existing file to check for the vulnerability. But you can pass a list of filenames to test with the command SCAN 
> (Check screenshot in parent post). I didn’t want to bloat nselib/data with a new database for common UNIX files 
> because it would be only used in this script so for now you need to pass your own list.
>
> Another important thing I left out before is that there is no patch for this yet. This was tested on 0.99.2 but many 
> other previous versions could be vulnerable, hence the script.
>
> Cheers,
>
> description = [[
> Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution. 
>
> ClamAV server 0.99.2, and possibly other previous versions, allow the execution 
> of dangerous service commands without authentication. Specifically, the command 'SCAN' 
> may be used to list system files and the command 'SHUTDOWN' shut downs the 
> service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
>
> This script without arguments test the availability of the command 'SCAN'. 
>
> Reference:
> * https://twitter.com/nitr0usmx/status/740673507684679680
> * https://bugzilla.clamav.net/show_bug.cgi?id=11585
> ]]
>
> ---
> -- @usage 
> -- nmap -sV --script clamav-exec <target>
> -- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
> -- nmap --script clamav-exec --script-args cmd='shutdown' <target>
> -- 
> -- @output
> -- PORT     STATE SERVICE VERSION
> -- 3310/tcp open  clam    ClamAV 0.99.2 (21714)
> -- | clamav-exec: 
> -- |   VULNERABLE:
> -- |   ClamAV Remote Command Execution
> -- |     State: VULNERABLE
> -- |       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the 
> -- |       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' 
> -- |       may be used to enumerate system files and the command 'SHUTDOWN' shut downs the 
> -- |       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
> -- |       
> -- |     Disclosure date: 2016-06-8
> -- |     Extra information:
> -- |       SCAN command is enabled.
> -- |     References:
> -- |       https://bugzilla.clamav.net/show_bug.cgi?id=11585
> -- |_      https://twitter.com/nitr0usmx/status/740673507684679680
>
> <clamav-exec.nse>
>
> > On Jun 12, 2016, at 1:20 PM, Paulino Calderon <paulino () calderonpale com> wrote:
> >
> > Hey list,
> >
> > A friend found something interesting in the latest version of ClamAV.
> >
> > Cheers.
> > <clamav-exec.nse><clamav-service-probe><shutdown.png><list.png>

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/