[clamav-users] DNS request if an external server is specified in the file name
G.W. Haywood
clamav at jubileegroup.co.uk
Thu Mar 10 10:28:00 UTC 2022
Hi there,
On Thu, 10 Mar 2022, di82wal wrote:
> we had a penetration test of our application (moodle) a few weeks ago and in
> the background we use CLAM-AV as antivirus.
>
> During this test the following behavior was observed with Clam-AV:
> If an external server is specified as part of the filename when uploading a
> file that is objected to by the virus scanner, a corresponding DNS request is
> sent to it (e.g. S1_hostname.txt). The same happens if instead of the bare
> server name a payload is specified that tries to execute a command that
> performs this lookup (e.g. S1_nslookup.txt).
> The latter behavior suggests that command injection is also possible here.
> However, in LSI's internal quality assurance it was not possible to prove the
> execution of other commands (e.g. whoami), since their result was not
> included in the server response.
>
> I would exclude command injection since CVE-2020-7613
> (https://www.opencve.io/cve/CVE-2020-7613).
>
> But I'm not getting anywhere with the DNS lookup issue. Is there a
> configuration setting I'm overlooking? Or is there a way to disable this
> behavior?
Your report is very light on detail.
Please provide
1) The exact version(s) of ClamAV which you are using.
2) Build and installation details.
3) The output of 'clamconf -n'.
4) The exact version(s) of the operating system(s) which you are using.
5) *Precise* instructions to enable replication of the issues.
Using versions 0.104.x and either 'clamscan' or 'clamdscan', and a
test file which contains the name of a local machine, and running
'tcpdump' on that machine to look for DNS packets from the ClamAV
server, I have not yet managed to confirm the alleged DNS behaviour.
--
73,
Ged.
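The replication method Ged describes (a test file naming a local machine, `tcpdump` on that machine watching for DNS traffic from the scanner host) leaves you with a packet trace to read. The Python below is an added example, not code from this thread or from ClamAV: it filters the text output of `tcpdump -n -l port 53` for queries whose name is the canary host, so a lookup triggered by the scan stands out from ordinary resolver noise. The capture lines, addresses and host names are constructed samples.

```python
import re
from dataclasses import dataclass

# Matches the one-line DNS query summary that `tcpdump -n -l port 53` prints, e.g.
#   10:28:00.101 IP 192.0.2.10.51234 > 192.0.2.1.53: 4242+ A? canary-host.example.test. (40)
# The "+" (recursion desired) and an optional "[1au]" EDNS marker are tolerated.
# Response lines carry no "TYPE?" token and therefore never match.
_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP6?\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<txid>\d+)\+?\s+(?:\[[^\]]*\]\s+)?"
    r"(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+?)\.?\s+\(\d+\)\s*$"
)

# Constructed sample capture: two queries for the canary name, one NXDOMAIN
# response, and one unrelated query that a host makes anyway.
SAMPLE_CAPTURE = """\
10:28:00.101 IP 192.0.2.10.51234 > 192.0.2.1.53: 4242+ A? canary-host.example.test. (40)
10:28:00.102 IP 192.0.2.1.53 > 192.0.2.10.51234: 4242 NXDomain 0/1/0 (115)
10:28:00.250 IP 192.0.2.10.51235 > 192.0.2.1.53: 4243+ [1au] AAAA? canary-host.example.test. (51)
10:28:01.000 IP 192.0.2.10.51236 > 192.0.2.1.53: 4244+ A? mirror.example.test. (37)
"""


@dataclass(frozen=True)
class DnsQuery:
    ts: str      # tcpdump timestamp
    src: str     # source address.port of the querying host
    qtype: str   # A, AAAA, PTR, ...
    qname: str   # queried name, lower-cased, without the trailing dot


def parse_queries(lines):
    """Return a DnsQuery for every line that is a DNS query; responses and noise are skipped."""
    out = []
    for line in lines:
        m = _QUERY_RE.match(line.strip())
        if m:
            out.append(DnsQuery(m["ts"], m["src"], m["qtype"], m["qname"].lower()))
    return out


def find_canary_queries(lines, canary):
    """Return the queries whose name is the canary host or a label beneath it."""
    canary = canary.lower().rstrip(".")
    return [
        q for q in parse_queries(lines)
        if q.qname == canary or q.qname.endswith("." + canary)
    ]


if __name__ == "__main__":
    # Replace the constructed sample with `sys.stdin` to read a live tcpdump pipe.
    for hit in find_canary_queries(SAMPLE_CAPTURE.splitlines(), "canary-host.example.test"):
        print(f"{hit.ts} {hit.src} asked {hit.qtype} for {hit.qname}")
```

Pick a canary name that nothing else on the network resolves (a label under a domain you control, as in the constructed `canary-host.example.test`), so any hit can be attributed to the scan rather than to the host's normal traffic; a run with no hits, as Ged reports, is equally informative when the capture is taken on the resolver the scanner host actually uses.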