On Sun, 30 Dec 2007 21:49:11 -0600 Chris <[EMAIL PROTECTED]> wrote:

> Saw this link at SANS today, anything to it?
>
> http://seclists.org/fulldisclosure/2007/Dec/0625.html
>
> Or is this a rehash of something already known about?
A few comments on the advisory:

"1) ClamAV uses own functions to create temporary files. One such routine is vulnerable to a race condition attack."

The analysis is incorrect. The author mistakenly assumed that name_salt is fixed, and this is not true. After each call to cli_gentemp(), name_salt gets updated with a new MD5 digest and is then used in generating the next temporary name, updated again, and so on. Together with the 48 pseudo-random bytes (*) used in hashing, it makes a solution practically resistant to race conditions.

(*) Since we MD5-hash them together with a varying name_salt, the quality of the pseudo-random numbers is not that important here.

"2) ClamAV fails to properly check for base64-UUEncoded files, allowing bypassing of the scanner through the use of such files."

This is not really a security bug but rather a lack of a feature. Any (massive) attempt to bypass the uuencode decoder can be stopped with regular signatures, thanks to the fact that ClamAV additionally scans all files in raw mode.

"3) The sigtool utility included in the ClamAV distribution fails to handle created files in a secure way."

Sigtool is primarily a tool for signature database developers, and by no means was it designed to be run with SUID/SGID bits set. There is no practical exploitation of this "vulnerability" and it should not be considered a security issue.

HTH,

--
   oo    .....      Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........    http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._  0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\     Wed Jan 2 20:56:35 CET 2008
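The chained-salt scheme Tomasz describes for point 1, modelled as an added example (a hypothetical reimplementation for illustration, not ClamAV's own cli_gentemp() code): the salt is replaced by each call's MD5 digest, so even a degenerate RNG that returns all zeros still yields distinct names, and creating the file with O_CREAT|O_EXCL makes a pre-placed file at a guessed name fail loudly instead of being reused. The "clamav-" prefix, the seed value and the zero-byte RNG are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def make_name_generator(seed, rng=os.urandom):
    """Return a temp-name generator modelling the scheme described in the
    reply (illustrative only, not ClamAV's cli_gentemp()). The salt is
    overwritten with each call's MD5 digest, so every name depends on all
    earlier calls as well as on the 48 fresh pseudo-random bytes."""
    state = {"name_salt": hashlib.md5(seed).digest()}

    def gentemp(tmpdir):
        rnd = rng(48)                                   # 48 pseudo-random bytes
        digest = hashlib.md5(state["name_salt"] + rnd).digest()
        state["name_salt"] = digest                     # roll the salt forward
        return os.path.join(tmpdir, "clamav-" + digest.hex())  # constructed prefix

    return gentemp

def names_with_weak_rng(tmpdir, count):
    """Names produced when the RNG degenerates to all-zero bytes (constructed
    worst case): the chained salt alone still keeps every name distinct,
    which is the point of footnote (*) in the reply."""
    gen = make_name_generator(b"constructed-seed", rng=lambda n: bytes(n))
    return [gen(tmpdir) for _ in range(count)]

def create_exclusive(path):
    """Create the temp file with O_CREAT|O_EXCL and mode 0600, so a file
    already sitting at that name (the race the advisory worried about) makes
    creation fail instead of being silently reused. Returns True on success,
    False if the name was already taken."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True

def demo():
    """Generate one name, create it exclusively twice: (True, False)."""
    gen = make_name_generator(os.urandom(16))
    with tempfile.TemporaryDirectory() as tmpdir:
        path = gen(tmpdir)
        first = create_exclusive(path)    # fresh name: succeeds
        second = create_exclusive(path)   # same name again: refused
    return first, second

if __name__ == "__main__":
    print(names_with_weak_rng("/tmp", 3))
    print(demo())
```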