Nmap Development mailing list archives

Re: [NSE] Unauthenticated ClamAV Command Exec


From: Paulino Calderon <paulino () calderonpale com>
Date: Sun, 12 Jun 2016 16:34:55 -0500

Hey,

Here is an updated version of the script (only updated a couple of issues with code quality). I forgot to clarify that 
this is not remote OS command injection but ClamAV commands. 
The script supports the commands "SCAN" and "shutdown" now. By default, the script uses the SCAN command against a non-existent 
file to check for the vulnerability. But you can pass a list of filenames to test with the command SCAN (check the 
screenshot in the parent post). I didn't want to bloat nselib/data with a new database for common UNIX files because it 
would only be used in this script, so for now you need to pass your own list.

Another important thing I left out before is that there is no patch for this yet. This was tested on 0.99.2 but many 
other previous versions could be vulnerable, hence the script.

Cheers,

description = [[
Exploits ClamAV servers vulnerable to unauthenticated ClamAV command execution.

ClamAV server 0.99.2, and possibly other previous versions, allow the execution
of dangerous service commands without authentication. Specifically, the command 'SCAN'
may be used to list system files and the command 'SHUTDOWN' shuts down the
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).

This script without arguments tests the availability of the command 'SCAN'.

Reference:
* https://twitter.com/nitr0usmx/status/740673507684679680
* https://bugzilla.clamav.net/show_bug.cgi?id=11585
]]

---
-- @usage 
-- nmap -sV --script clamav-exec <target>
-- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
-- nmap --script clamav-exec --script-args cmd='shutdown' <target>
-- 
-- @output
-- PORT     STATE SERVICE VERSION
-- 3310/tcp open  clam    ClamAV 0.99.2 (21714)
-- | clamav-exec: 
-- |   VULNERABLE:
-- |   ClamAV Remote Command Execution
-- |     State: VULNERABLE
-- |       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the 
-- |       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' 
-- |       may be used to enumerate system files and the command 'SHUTDOWN' shuts down the 
-- |       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
-- |       
-- |     Disclosure date: 2016-06-8
-- |     Extra information:
-- |       SCAN command is enabled.
-- |     References:
-- |       https://bugzilla.clamav.net/show_bug.cgi?id=11585
-- |_      https://twitter.com/nitr0usmx/status/740673507684679680

Attachment: clamav-exec.nse



On Jun 12, 2016, at 1:20 PM, Paulino Calderon <paulino () calderonpale com> wrote:

Hey list,

A friend found something interesting in the latest version of ClamAV.

Cheers.
<clamav-exec.nse><clamav-service-probe><shutdown.png><list.png>
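The thread's point is that clamd accepts SCAN and SHUTDOWN from anyone who can reach its TCP port, so the practical mitigation is to keep that port off the network. The following is an added example, not part of this post or of the Nmap or ClamAV code: a small Python check that parses a clamd.conf and flags a TCPSocket listener that is not bound to loopback. It assumes the standard clamd.conf directives TCPSocket, TCPAddr and LocalSocket (clamd binds all interfaces when TCPAddr is unset); the two sample configurations are constructed.

```python
"""Check a clamd.conf for network exposure of the clamd command socket.

Added example (not part of the original post or of Nmap/ClamAV code).
It assumes the standard clamd.conf directives TCPSocket, TCPAddr and
LocalSocket; the sample configurations below are constructed.
"""
import ipaddress

# Constructed example: clamd listening on every interface, which is the
# exposure the thread describes, since clamd commands carry no authentication.
EXPOSED_CONF = """
# Example config (constructed)
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
TCPAddr 0.0.0.0
"""

# Constructed example: local clients use the UNIX socket and the TCP
# listener is bound to loopback only.
HARDENED_CONF = """
LocalSocket /var/run/clamav/clamd.ctl
TCPSocket 3310
TCPAddr 127.0.0.1
"""


def parse_clamd_conf(text):
    """Parse clamd.conf lines of the form 'Directive value' into a dict.

    Blank lines and '#' comments are skipped; a directive given more than
    once keeps every value in order (clamd allows repeats for some of them).
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def _is_loopback(addr):
    """True if a TCPAddr value binds only loopback (127.0.0.0/8, ::1, localhost)."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def assess_exposure(conf):
    """Return a list of findings; an empty list means no network exposure found."""
    findings = []
    if "TCPSocket" not in conf:
        return findings  # no TCP listener at all: only LocalSocket clients
    port = conf["TCPSocket"][0]
    addrs = conf.get("TCPAddr", [])
    if not addrs:
        findings.append(
            "TCPSocket %s set without TCPAddr: clamd binds all interfaces" % port)
        return findings
    for addr in addrs:
        if not _is_loopback(addr):
            findings.append(
                "TCPSocket %s bound to %s: unauthenticated SCAN/SHUTDOWN reachable "
                "from the network; bind to 127.0.0.1 or use LocalSocket" % (port, addr))
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess_exposure(parse_clamd_conf(text)) or "OK")
```

Run it against a real clamd.conf by reading the file into `parse_clamd_conf`; an empty result from `assess_exposure` means the command socket is only reachable locally, which is the state the script in this thread would report as not vulnerable.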

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
