On Fri, 13 Apr 2007, Tomasz Kojm wrote:
> On Thu, 12 Apr 2007 18:08:06 -0400
> James Kosin <[EMAIL PROTECTED]> wrote:
>
>> I just tested and clamd will try to read any file with the extension
>> of .cvd in the /var/lib/clamav directory.
>> My simple question is:
>> "Could this pose a security or virus scanning problem if someone
>> managed to place an empty or invalid .cvd file intentionally in the
>> database directory?"
>
> And what if the same person replaces clamd with a backdoor? Did you hear
> about filesystem permissions?
He does have a point and it's not about filesystem permissions, unless you
run clamd as root.... You don't... Do you?

If there is a remote security hole in a non-root process such as clamd that
has write access to /var/lib/clamav but not to /usr/sbin/clamd or
/usr/bin/freshclam then it is possible to remotely cause a DoS on clamd by
placing a blank file called whatever.cvd and waiting for clamd to be
reloaded by freshclam.

Another example would be a specially crafted attachment that gets scanned
and exploits the user clamd runs as. Not that this is possible right now
but it could happen.

Clamd could be made to handle empty cvd files in a better manner, if other
files can be used instead of main.cvd and daily.cvd.

Regards
James

--
James Bourne                | Email: [EMAIL PROTECTED]
UNIX Systems Administration | WWW: http://www.hardrock.org
Custom UNIX Programming     | Linux: The choice of a GNU generation
----------------------------------------------------------------------
"All you need's an occasional kick in the philosophy." Frank Herbert

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
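A pre-reload sanity check of the kind James says clamd lacks, as an added example that is not part of this thread or of ClamAV's own code: it assumes the database directory path is passed in, that a usable .cvd/.cld file begins with the "ClamAV-VDB:" header field, and the sample files it builds (main.cvd, whatever.cvd, bogus.cvd) are constructed for demonstration only.

```python
import stat
import tempfile
from pathlib import Path

# Assumption: a ClamAV .cvd/.cld database starts with a 512-byte text header
# whose first field is the literal "ClamAV-VDB:"; a file without it, or one
# shorter than a header, is not a database clamd can load on reload.
CVD_MAGIC = b"ClamAV-VDB:"
CVD_HEADER_LEN = 512


def check_database_dir(db_dir):
    """Return a list of problems found in db_dir; an empty list means clean.

    Checks that the directory is not world-writable and that every *.cvd /
    *.cld entry is a regular file, at least one header long, and carries
    the ClamAV-VDB magic. Meant to run before signalling clamd to reload.
    """
    db_dir = Path(db_dir)
    problems = []
    if db_dir.stat().st_mode & stat.S_IWOTH:
        problems.append(f"{db_dir}: directory is world-writable")
    for path in sorted(db_dir.iterdir()):
        if path.suffix not in (".cvd", ".cld"):
            continue
        if not path.is_file():
            problems.append(f"{path.name}: not a regular file")
            continue
        size = path.stat().st_size
        if size < CVD_HEADER_LEN:
            problems.append(f"{path.name}: {size} bytes, empty or truncated")
            continue
        with path.open("rb") as fh:
            head = fh.read(len(CVD_MAGIC))
        if head != CVD_MAGIC:
            problems.append(f"{path.name}: no ClamAV-VDB header, not a database")
    return problems


def make_sample_dir():
    """Constructed demo directory (hypothetical contents, no real signatures):
    one plausible header, the blank whatever.cvd from the thread, and one
    .cvd holding arbitrary text."""
    root = Path(tempfile.mkdtemp(prefix="clamav-db-"))
    header = CVD_MAGIC + b"12 Apr 2007 00-00 -0400:1:1:1:X:Y:builder:0"
    (root / "main.cvd").write_bytes(header.ljust(CVD_HEADER_LEN, b" "))
    (root / "whatever.cvd").write_bytes(b"")                # blank file
    (root / "bogus.cvd").write_bytes(b"not a db\n" * 100)   # wrong header
    return root
```

Running `check_database_dir(make_sample_dir())` flags whatever.cvd and bogus.cvd and leaves main.cvd alone.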