Nmap Development mailing list archives



Re: [NSE] Unauthenticated ClamAV Command Exec

Hey,

Here is an updated version of the script (only updated a couple of issues with code quality). I forgot to clarify that this is not remote OS command injection but clamav commands. The script supports the commands “SCAN” and “shutdown” now.

By default, the script uses the SCAN command against a nonexistent file to check for the vulnerability. But you can pass a list of filenames to test with the command SCAN (check screenshot in parent post). I didn’t want to bloat nselib/data with a new database for common UNIX files because it would be only used in this script, so for now you need to pass your own list.

Another important thing I left out before is that there is no patch for this yet. This was tested on 0.99.2 but many other previous versions could be vulnerable, hence the script.

Cheers,

description = [[
Exploits ClamAV servers vulnerable to unauthenticated clamav command execution.

ClamAV server 0.99.2, and possibly other previous versions, allow the execution
of dangerous service commands without authentication. Specifically, the command 'SCAN'
may be used to list system files and the command 'SHUTDOWN' shut downs the
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).

This script without arguments test the availability of the command 'SCAN'.

Reference:
* https://twitter.com/nitr0usmx/status/740673507684679680
* https://bugzilla.clamav.net/show_bug.cgi?id=11585
]]

---
-- @usage
-- nmap -sV --script clamav-exec <target>
-- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
-- nmap --script clamav-exec --script-args cmd='shutdown' <target>
--
-- @output
-- PORT     STATE SERVICE VERSION
-- 3310/tcp open  clam    ClamAV 0.99.2 (21714)
-- | clamav-exec:
-- |   VULNERABLE:
-- |   ClamAV Remote Command Execution
-- |     State: VULNERABLE
-- |       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
-- |       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
-- |       may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
-- |       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
-- |
-- |     Disclosure date: 2016-06-8
-- |     Extra information:
-- |     SCAN command is enabled.
-- |     References:
-- |       https://bugzilla.clamav.net/show_bug.cgi?id=11585
-- |_      https://twitter.com/nitr0usmx/status/740673507684679680

Attachment: clamav-exec.nse


On Jun 12, 2016, at 1:20 PM, Paulino Calderon <paulino () calderonpale com> wrote:

Hey list,

A friend found something interesting in the latest version of ClamAV.

Cheers.

<clamav-exec.nse><clamav-service-probe><shutdown.png><list.png>

_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
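Added example, not part of the original post or the attached script: a defender-side audit of a clamd.conf for the exposure the script tests for, that is, a clamd command socket reachable over TCP from beyond loopback. It assumes the standard clamd.conf options TCPSocket, TCPAddr and LocalSocket; the sample configurations, paths and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample clamd.conf contents (not taken from the post).
EXPOSED_CONF = """\
# clamd.conf (constructed sample)
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
"""
LOOPBACK_CONF = """\
LocalSocket /run/clamav/clamd.ctl
TCPSocket 3310
TCPAddr 127.0.0.1
TCPAddr ::1
"""
SOCKET_ONLY_CONF = """\
LocalSocket /run/clamav/clamd.ctl
#TCPSocket 3310
"""

def parse_clamd_conf(text):
    """Return {option: [values]} for active (non-comment) lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit_tcp_exposure(text):
    """Classify how clamd's unauthenticated command channel is reachable."""
    opts = parse_clamd_conf(text)
    if "TCPSocket" not in opts:
        return "no-tcp"        # commands only via the local UNIX socket, if any
    addrs = opts.get("TCPAddr", [])
    if not addrs:
        return "exposed-all"   # without TCPAddr, clamd binds to all interfaces
    for addr in addrs:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:     # hostname rather than an IP literal
            loopback = addr == "localhost"
        if not loopback:
            return "exposed:" + addr
    return "loopback-only"
```

Any result starting with "exposed" means SCAN and SHUTDOWN can be sent by whoever can reach that address on the TCPSocket port, so the listener should be restricted or firewalled.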
