Hi there,
On Thu, 10 Mar 2022, di82wal wrote:
> we had a penetration test of our application (moodle) a few weeks ago and in
> the background we use CLAM-AV as antivirus.
> During this test the following behavior was observed with Clam-AV:
> If an external server is specified as part of the filename when uploading a
> file that is objected to by the virus scanner, a corresponding DNS request is
> sent to it (e. g. S1_hostname.txt). The same happens if instead of the bare
> server name a payload is specified that tries to execute a command that
> performs this lookup (e. g. S1_nslookup.txt).
> The latter behavior suggests that command injection is also possible here.
> However, in LSI's internal quality assurance it was not possible to prove the
> execution of other commands (e.g. whoami), since their result was not
> included in the server response.
> I would exclude command injection since CVE-2020-7613
> (https://www.opencve.io/cve/CVE-2020-7613).
> But I'm not getting anywhere with the DNS lookup issue. Is there a
> configuration setting I'm overlooking? Or is there a way to disable this
> behavior?
Your report is very light on detail.
Please provide
1) The exact version(s) of ClamAV which you are using.
2) Build and installation details.
3) The output of 'clamconf -n'.
4) The exact version(s) of the operating system(s) which you are using.
5) *Precise* instructions to enable replication of the issues.
Using versions 0.104.x and either 'clamscan' or 'clamdscan', and a
test file which contains the name of a local machine, and running
'tcpdump' on that machine to look for DNS packets from the ClamAV
server, I have not yet managed to confirm the alleged DNS behaviour.
--
73,
Ged.
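Ged's check above (a detected file whose name carries a marker hostname, with tcpdump watching for DNS traffic during the scan) written out as a small harness. This is an added example, not code from the thread or from the ClamAV project; it assumes clamscan and tcpdump are installed on the scanning host, that the script may capture packets, and it uses a constructed marker name (dnscheck-example.invalid) that nothing else on the box would resolve.

```shell
#!/bin/sh
# Marker hostname that appears in the test file's name, as in the report
# (S1_hostname.txt). ".invalid" is reserved, so a query for it is unambiguous.
MARKER_HOST="${MARKER_HOST:-dnscheck-example.invalid}"

# Write a file that ClamAV will detect (the harmless EICAR test string) with
# the marker hostname in its filename. The string is assembled from two pieces
# so that this script is not itself flagged when stored on disk.
make_test_file() {
  f="$1/S1_${MARKER_HOST}.txt"
  printf '%s%s\n' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' \
      'ANTIVIRUS-TEST-FILE!$H+H*' > "$f"
  printf '%s\n' "$f"
}

# Count A/AAAA queries for the given name in tcpdump text output read from
# stdin (format produced by "tcpdump -l -n udp port 53"). Prints the count.
count_marker_queries() {
  pat=$(printf '%s' "$1" | sed 's/\./\\./g')
  grep -c -E "[[:space:]](A|AAAA)\? ${pat}\.? " || true
}

# Scan the test file while capturing DNS traffic on the scanning host.
# -n keeps tcpdump from doing its own reverse lookups, which would otherwise
# show up as DNS traffic and confuse the result. Exit 0 = no query seen.
run_check() {
  tmp=$(mktemp -d)
  f=$(make_test_file "$tmp")
  tcpdump -l -n -i any udp port 53 > "$tmp/dns.txt" 2>/dev/null &
  tpid=$!
  sleep 1
  clamscan --no-summary "$f" || true   # exit status 1 = detection, expected
  sleep 2
  kill "$tpid" 2>/dev/null
  n=$(count_marker_queries "$MARKER_HOST" < "$tmp/dns.txt")
  rm -rf "$tmp"
  echo "DNS queries for $MARKER_HOST during scan: $n"
  [ "$n" -eq 0 ]
}

# Run the live check only when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then run_check; fi
```

Repeat the run with clamdscan against a running clamd to cover both code paths, and compare clamconf -n output between a box that shows the queries and one that does not.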
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml