11/15/2007

Focus on: ClamAV remote code execution

Starting today we will periodically discuss one of the most interesting vulnerabilities listed in our marketplace.

Of course, we won’t disclose any technical details on how to reproduce or exploit the vulnerability; we will just give a brief description of it and, above all, describe the impact it may have on an enterprise or home environment.

Today we will discuss a new ClamAV vulnerability.
As most of you know, ClamAV is an “open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways”. It also provides a set of utilities, such as a scanning daemon (clamd) and a command line scanner (clamscan).

A vulnerability has recently been submitted to our labs that allows a malicious user to execute arbitrary code on the machine running one of the utilities of the ClamAV suite, simply by sending a specially crafted email to the vulnerable mail server. You can bid on it HERE.
The latest version verified as vulnerable is 0.91.1, but other versions could be affected as well (UPDATE: after further tests we can confirm that 0.91.2 is vulnerable too).
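As an added check, and not code from this post or from the ClamAV project: the POSIX shell snippet below reads the engine version out of the banner printed by `clamscan --version` and classifies it against the versions named above (0.91.1 and 0.91.2 confirmed; anything older unverified, since the post says other versions could be affected). The banner layout ("ClamAV <engine>/<signature db>/<date>") is assumed from the tool's usual output, and the sample banner is constructed for the example; on a real host replace it with the live command output.

```shell
#!/bin/sh
# Added example, not from the post or from ClamAV: classify an installed
# ClamAV version against the range the post names as vulnerable.

# Turn "MAJOR.MINOR.PATCH" into one integer so versions compare numerically.
# Trailing non-digits (e.g. "2-1ubuntu") are stripped; missing fields count as 0.
ver_key() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    printf '%d' $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Prints "confirmed" for 0.91.1 and 0.91.2, "unverified" for older releases
# (the post says other versions could be affected), "newer" for anything above.
clamav_version_status() {
    v=$(ver_key "$1")
    lo=$(ver_key 0.91.1)
    hi=$(ver_key 0.91.2)
    if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]; then
        echo confirmed
    elif [ "$v" -lt "$lo" ]; then
        echo unverified
    else
        echo newer
    fi
}

# Extract the engine version from a `clamscan --version` banner, assumed to
# look like "ClamAV 0.91.2/4756/Thu Nov 15 10:12:03 2007" (engine/sigdb/date).
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([^/]*\).*/\1/p'
}

# Constructed sample banner standing in for the output of: clamscan --version
SAMPLE_BANNER='ClamAV 0.91.2/4756/Thu Nov 15 10:12:03 2007'

# Report the status of the version found in a banner (defaults to the sample).
# On a real host call: check_installed "$(clamscan --version)"
check_installed() {
    banner=${1:-$SAMPLE_BANNER}
    ver=$(version_from_banner "$banner")
    echo "ClamAV $ver: $(clamav_version_status "$ver")"
}

check_installed
```

The comparison deliberately treats every release older than 0.91.1 as "unverified" rather than "safe": the post only confirms two versions, so an older install still needs to be checked against the vendor's own advisory rather than assumed clean.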

As you can imagine, the impact of this vulnerability is severe.

ClamAV is widely used on enterprise mail systems based on Linux/Unix. When exploited, this vulnerability lets an attacker execute arbitrary code on the target machine in the context of the user running the affected application, gaining a foothold on the local network / DMZ from which to escalate privileges (if needed) and compromise other servers near the attacked one.

Of course, since the engine sits on the mail gateway and handles every message it scans, the attacker already sees the mail passing through the compromised scanner process; after escalating privileges locally, he can read all mail traffic to and from the company simply by sniffing on the compromised machine.

In a home scenario, even though ClamAV is not widely used in such environments, the impact can also be high. If a home computer is compromised, the attacker can access the documents and files stored on it and use that information to escalate privileges further.

The included PoC works very reliably.

This vulnerability has a starting price of 500 euros: bid on it and, as a security company, you will gain a very high competitive advantage.