[clamav-users] secure download of .cvd files ?
Michael Orlitzky
michael at orlitzky.com
Fri Aug 31 12:37:00 UTC 2018
On 08/31/2018 05:00 AM, Henrik Hoeg Thomsen1 wrote:
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net
This is probably exploitable by anyone on the system to gain root. If I
create the file /tmp/daily.cvd (remember that /tmp is world-writable),
$ touch -d '2018-01-01 00:00:00' /tmp/daily.cvd
Then your update job will write to my file:
$ sudo wget -q -m -nd -P /tmp http://db.local.clamav.net:/daily.cvd
...
Thanks to the "-m" flag, I still own that file, and I can write whatever
bad stuff I want in there after you verify its contents:
$ ls -lh /tmp/daily.cvd
-rw-r--r-- 1 mjo mjo 48M 2018-08-31 00:46 /tmp/daily.cvd
There are various reports floating around showing how clamav is not
robust against malicious signatures (potentially leading to root
access); but regardless it's a pretty bad thing that anyone on the
machine can overwrite all of your signatures with malicious ones.
To fix it: if you're going to use a file under /tmp, then use a secure
function like mktemp() to obtain it. But if you're running this job as a
specific user, you might as well give him a special place to work like
/var/tmp/clamav-updates that is accessible only to that user. The
problem is unique to /tmp because of its world-writable permissions.
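A hardened form of that update job, as an added example that is not part of the original message or of ClamAV's own tooling: it refuses to write through a pre-planted file or symlink and into a world-writable directory, downloads into a private mktemp(1) directory, verifies there, and only then renames the file into place. The function names (`dest_is_safe`, `fetch_db`, `verify_cvd`), the `FETCH_CMD` override, the /var/lib/clamav destination, the GNU-style `stat -c` calls and the assumption that `sigtool --info` exits non-zero on a bad database are all this example's, not the list author's.

```shell
#!/bin/sh
# Added example (not the list author's script): a hardened update job that
# never writes into world-writable /tmp. The file is downloaded into a private
# mktemp(1) directory inside the signature directory, verified there, and only
# then renamed into place. Assumes GNU-style stat -c and ClamAV's sigtool.
set -eu

# Downloader, overridable for offline testing (e.g. FETCH_CMD=cp_fetch).
: "${FETCH_CMD:=wget -q -O}"

# Return 0 only when $1 may be (over)written safely: its directory is owned by
# us and not writable by others, and any existing entry is a regular file we
# own. A symlink or another user's pre-planted file (the attack above) fails.
dest_is_safe() {
    dest="$1"
    dir=$(dirname "$dest")
    [ "$(stat -c %u "$dir")" = "$(id -u)" ] || return 1
    case "$(stat -c %A "$dir")" in
        *w?) return 1 ;;               # others may write here, e.g. /tmp
    esac
    [ ! -L "$dest" ] || return 1
    if [ -e "$dest" ]; then
        [ -f "$dest" ] || return 1
        [ "$(stat -c %u "$dest")" = "$(id -u)" ] || return 1
    fi
    return 0
}

# fetch_db <url> <dest-dir> <verify-cmd>: download into a mode-0700 work
# directory with an unpredictable name, verify there, then rename into place.
# Nothing else can touch the file between verification and the rename.
fetch_db() {
    url="$1"; destdir="$2"; verify="$3"
    name=$(basename "$url")
    dest_is_safe "$destdir/$name" || return 1
    workdir=$(mktemp -d "$destdir/.update.XXXXXX") || return 1
    rc=1
    if $FETCH_CMD "$workdir/$name" "$url" && "$verify" "$workdir/$name"; then
        mv -f "$workdir/$name" "$destdir/$name" && rc=0   # same fs: atomic
    fi
    rm -rf "$workdir"
    return "$rc"
}

verify_cvd() { sigtool --info "$1" >/dev/null; }   # assumed non-zero on failure
# The real job; gated on --run so that sourcing the file for tests is offline.
if [ "${1:-}" = "--run" ]; then
    fetch_db http://db.local.clamav.net/daily.cvd /var/lib/clamav verify_cvd
fi
```

Run it as the dedicated update user with `--run`; because the rename replaces the directory entry rather than writing into an existing inode, a file someone else created in advance never ends up holding the verified signatures.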