Hello together,
we had a penetration test of our application (moodle) a few weeks ago
and in the background we use CLAM-AV as antivirus.
During this test the following behavior was observed with Clam-AV:
If an external server is specified as part of the filename when
uploading a file that is objected to by the virus scanner, a
corresponding DNS request is sent to it (e. g. S1_hostname.txt). The
same happens if instead of the bare server name a payload is specified
that tries to execute a command that performs this lookup (e. g.
S1_nslookup.txt).
The latter behavior, suggests that command injection is also possible
here. However, in LSI's internal quality assurance it was not possible
to prove the execution of other commands (e.g. whoami), since their
result was not included in the server response.
I would exclude command injection since CVE-2020-76613
(https://www.opencve.io/cve/CVE-2020-7613).
But I'm not getting anywhere with the DNS lookup issue. Is there a
configuration setting I'm overlooking? Or is there a way to disable this
behavior?
Many thanks from the mebis team
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
