Mark wrote:
> Well, if the admin had clamav's ~/.bashrc world-writeable, then that would
> indeed be quite an oversight. :)
Someone can correct me if I'm wrong, but I believe the idea here would
be to trick *clamav itself* into writing to its ~/.bashrc by setting up
a symbolic link in a predicta
On Jan 3, 2008 6:08 PM, Mark <[EMAIL PROTECTED]> wrote:
>
> a): Clamav were to run as root (and consequently run
> ..progname.day-of-month as root too), which is plain stupid.
There's lots of stupid people out there ;)
> Also, where does the idea come from that a symlink will magically bring
> th
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: Thursday 3 January 2008 19:28
To: ClamAV users ML
Subject: Re: [Clamav-users] Clam bugs/vulns (was Re: Tomasz, you're an idiot, and you don't even know it)
> Mark wrote:
> > 2): Why is
On Thu, 03 Jan 2008 06:21:37 -0800 Dennis Peterson <[EMAIL PROTECTED]> wrote:
> Phil Chambers wrote:
>
> >
> > Given that ClamAV reports finding "Email.Spam.Sanesecurity.Url_269", for
> > example, how do I look up the signature that clamd is using for that?
> >
>
> Grep that string from the
Mark wrote:
> 2): Why is it believed that such a trick will automagically allow an
> attacker to execute a self-made program with elevated privileges, like
> root?
It's commonly assumed that most UNIX systems have locally-exploitable bugs
that permit local users to gain root access. While this i
FM wrote:
> Tx for the reply but in my case it is not that easy.
>
> I am using courier-mta and courier-pythonfilter to connect the mta and
> clamav
> This filter is using libclamav directly
>
> and in clamd.conf I have :
>
> PhishingScanURLs no
> PhishingSignatures no
>
>
> but still have vir
> Well, yes and no. Let's take the following case:
> 1) You're using software which creates then executes a temporary file
> as .progname.day-of-month
> 2) The attacker knows this and has a remote attack to populate this
> file in /tmp to give themselves root access
> 3) You've globally defined T
Phil Chambers wrote:
> On Wed, 02 Jan 2008 18:04:54 -0600 Noel Jones <[EMAIL PROTECTED]> wrote:
>
>> Phil Chambers wrote:
>>> I have a strange situation which I can't explain.
>>>
>>> I have an Internet-facing front-end server using exim with ClamAV. I also
>>> have
>>> the Sanesecurity signatu
On Sun, Dec 30, 2007 at 09:49:11PM -0600, Chris wrote:
> http://seclists.org/fulldisclosure/2007/Dec/0625.html
>
> Or is this a rehash of something already known about?
The weak random number generator part, and the possibility of
a race in the cli_gentemp() function has been known since almost
t
Rob MacGregor wrote:
> On Jan 3, 2008 4:09 PM, Dennis Peterson <[EMAIL PROTECTED]> wrote:
>> The success of this requires a bit of serendipity as well. If for reasons of
>> convenience the new TMPDIR is globally writeable then nothing has been
>> accomplished
>> which is why a global TMPDIR declar
0. The tone of the original posting, especially the subject line,
is quite unprofessional.
1. The race condition seems easy enough to fix by using O_EXCL. But
then it should retry with a new generated file name a bunch of times,
rather than simply giving up. (Giving up is especially bad for clamd
Tx for the reply but in my case it is not that easy.
I am using courier-mta and courier-pythonfilter to connect the mta and
clamav
This filter is using libclamav directly
and in clamd.conf I have :
PhishingScanURLs no
PhishingSignatures no
but still have virus alert in the maillog
Regards,
On Jan 3, 2008 4:09 PM, Dennis Peterson <[EMAIL PROTECTED]> wrote:
> The success of this requires a bit of serendipity as well. If for reasons of
> convenience the new TMPDIR is globally writeable then nothing has been
> accomplished
> which is why a global TMPDIR declaration is pointless.
Well,
Dennis Peterson wrote:
> David F. Skoll wrote:
> > Bowie Bailey wrote:
> >
> > > Then this may be something that could use some explanation.
> >
> > > Exactly what temp dir setting are you referring to and why should
> > > it be changed?
> >
> > Many (but not all) UNIX programs respect an enviro
FM wrote:
> hello,
> I have lots of false positives with clamav phishing detection.
> What is the correct way to remove these rules using sigtool?
From a recent post:
> You can disable the heuristics-based phish checks without
> disabling the signature-based checks. Both the official
> clama
hello,
I have lots of false positives with clamav phishing detection.
What is the correct way to remove these rules using sigtool?
Regards
Rob MacGregor wrote:
> On Jan 3, 2008 3:09 PM, Bowie Bailey <[EMAIL PROTECTED]> wrote:
>> Then this may be something that could use some explanation.
>>
>> Exactly what temp dir setting are you referring to and why should it be
>> changed?
>
> If the environment variable TMPDIR is defined then wel
On Jan 3, 2008 3:09 PM, Bowie Bailey <[EMAIL PROTECTED]> wrote:
> Then this may be something that could use some explanation.
>
> Exactly what temp dir setting are you referring to and why should it be
> changed?
If the environment variable TMPDIR is defined then well behaved
programs will use tha
David F. Skoll wrote:
> Bowie Bailey wrote:
>
>> Then this may be something that could use some explanation.
>
>> Exactly what temp dir setting are you referring to and why should it be
>> changed?
>
> Many (but not all) UNIX programs respect an environment variable
> called TMPDIR that specifie
Bowie Bailey wrote:
> Then this may be something that could use some explanation.
> Exactly what temp dir setting are you referring to and why should it be
> changed?
Many (but not all) UNIX programs respect an environment variable
called TMPDIR that specifies a directory in which to place tempo
Dennis Peterson wrote:
> David F. Skoll wrote:
> > Dennis Peterson wrote:
> > > > > Does any admin actually run this stuff without setting the
> > > > > temp directory ahead of time?
> > > > I bet the vast majority do.
> >
> > > I don't include Linux babies in that...
> >
> > :-)
> >
> > I bet t
On Mon, 24 Dec 2007 17:59:38 +0100
"Nicolas Croiset (Campus Grenoble 90,8)" <[EMAIL PROTECTED]> wrote:
> Hello,
>
> after a few hours / days the files main.cvd and daily.inc are
> replaced by a directory where you have files inside.
>
> When the file main.cvd is replaced by a directory I obtain
Phil Chambers wrote:
>
> I was not aware that there was any way to get clamd to do anything other than
> check the content of messages. The Sanesecurity signatures are just a set of
> phishing and scam signatures for ClamAV which are used in addition to the
> standard ClamAV ones.
>
> Given
On Thu, 03 Jan 2008 11:54:01 + Stuart Auchterlonie
<[EMAIL PROTECTED]> wrote:
>
>
> Phil Chambers wrote:
> > I have a strange situation which I can't explain.
> >
> > I have an Internet-facing front-end server using exim with ClamAV. I also
> > have
> > the Sanesecurity signatures inst
On Wed, 02 Jan 2008 18:04:54 -0600 Noel Jones <[EMAIL PROTECTED]> wrote:
> Phil Chambers wrote:
> > I have a strange situation which I can't explain.
> >
> > I have an Internet-facing front-end server using exim with ClamAV. I also
> > have
> > the Sanesecurity signatures installed. Delivery
David F. Skoll wrote:
> Hi,
>
> I notice that Clam 0.92 has dropped support for Sensory Networks'
> hardware scanner, yet this is not mentioned in the release notes.
> Is there a reason for omitting this from the release notes?
Hi David,
The answer to your question is, I think, forgetfulness.
Sor
Phil Chambers wrote:
> I have a strange situation which I can't explain.
>
> I have an Internet-facing front-end server using exim with ClamAV. I also
> have
> the Sanesecurity signatures installed. Delivery is achieved by relaying to an
> Exchange server which is behind the firewall.
>
> S
On Thu, 3 Jan 2008 11:11:45 +0100
"Roflek of TK53" <[EMAIL PROTECTED]> wrote:
[snip]
> Since you are German, you obviously have no idea about irony.
IMHO, this thread has proceeded to the point when Godwin's law is going
to be implemented. Perhaps, it might best be put to rest. The parties
involve
> [...]
> Yes, I'm evil, I'm mean, I need ego boosts by posting on FD. You
> totally caught me.
>
> [...]
>
> Regards,
> Rofl as in Lek
>
Can someone block this troll from posting to this list?
I add via SpamAssassin some extra points to mails from a GMAIL.COM address,
that should be the stand
Happy New Year!
Please resist any temptation to feed any trolls in whatever guise they appear.
You must read what they say because in amongst the crossfire may be a genuine
point that has been poorly expressed, but please do not rise to the bait (and
yes before anyone says, I know
that I hav
On Jan 3, 2008 3:14 AM, Christoph Cordes <[EMAIL PROTECTED]> wrote:
> Don't try to bend my words in a way you can make use of them. I did
> not say you're evil or mean. All I said is that your ego gets pushed
> by seeing your nick on the FD list. That's not even selfish and for
> sure not evil or m