[clamav-users] DNS request if an external server is specified in the file name

di82wal mebis-lernplattform at isb.bayern.de
Thu Mar 10 08:03:05 UTC 2022


Hello all,

we had a penetration test of our application (Moodle) a few weeks ago, 
and in the background we use ClamAV as the antivirus engine.

During this test the following behavior was observed with ClamAV: 
if an external server is specified as part of the filename when 
uploading a file that is rejected by the virus scanner, a 
corresponding DNS request is sent to it (e.g. S1_hostname.txt). The 
same happens if, instead of the bare server name, a payload is specified 
that tries to execute a command that performs this lookup (e.g. 
S1_nslookup.txt).
The latter behavior suggests that command injection is also possible 
here. However, in LSI's internal quality assurance it was not possible 
to prove the execution of other commands (e.g. whoami), since their 
result was not included in the server response.

I would exclude command injection since CVE-2020-7613 
(https://www.opencve.io/cve/CVE-2020-7613).

But I'm not getting anywhere with the DNS lookup issue. Is there a 
configuration setting I'm overlooking? Or is there a way to disable this 
behavior?

Many thanks from the mebis team
