Security BSides Delaware BSidesDE 2013 Track 1 November 9th 2013 13:00
Baking even more Clam(AV)s for Fun & Profit.
ClamAV in a network-accessible configuration provides not only remote virus scanning, but also the potential for DOS, etc.
ClamAV - What it is.
- Open Source Software
- Provides Virus Scanning
- Currently owned by Sourcefire / Cisco Systems
ClamAV - Component Overview: What it does.
- clamscan: cmd line scanner, stand alone
- freshclam: Signature DB update tool
- clamd: Scanning Server
- Scanning clients:
  - clamdscan: cmd line scanner
  - clamav-milter: email scanning plugin
The Design Problems - In Theory
- Configuration: Clamd can bind to an IP address
- No Access Controls
- No Authentication
- No connection logging
- Malformed DB Handling
The Implementation Problems - In Practice
Availability of Administrative Commands:
- VERSION: Recon & Information disclosure
- RELOAD: Default Virus DB size is about 74 MB. Continuous reloads result in High CPU utilization.
- SHUTDOWN: Guess what that does? :-) A DOS of a networked ClamAV installation.
Discussed on ClamAV-user mailing list July 22-23 2011

Bug 2727 - Use in Post Exploitation
$ clamconf | grep "DatabaseDirectory"
DatabaseDirectory = "/usr/local/share/clamav"
DatabaseDirectory = "/usr/local/share/clamav"
$ cd /usr/local/share/clamav
$ ls -lh *.cvd
-rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd
-rw-r--r-- 1 clamav clamav 12M Nov  4 18:27 daily.cvd
-rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd
$ echo -n "" > daily.cvd
$ ls -lh *.cvd
-rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd
-rw-r--r-- 1 clamav clamav   0 Nov  4 18:41 daily.cvd
-rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd
Bug 2727 - Use in Post Exploitation - Cont'd
Nov 4 18:43:50 host clamd[24481]: Reading databases from /usr/local/share/clamav
Nov 4 18:43:50 host clamd[24481]: reload db failed: Broken or not a CVD file
Nov 4 18:43:50 host clamd[24481]: Terminating because of a fatal error.
Nov 4 18:43:50 host clamd[24481]: Waiting for all threads to finish
Nov 4 18:43:50 host clamd[24481]: Shutting down the main sockets.
Nov 4 18:43:50 host clamd[24481]: Pid file removed.
Nov 4 18:43:50 host clamd[24481]: --- Stopped at Mon Nov 4 18:43:50 2013
Nov 4 18:43:50 host clamd[24481]: Closing the main sockets.
Nov 4 18:43:50 host clamd[24481]: Socket file removed.
Operational Impact
$ clamdscan -m /
ERROR: Can't connect to clamd: No such file or directory

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
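The clamd log on the Bug 2727 slide is exactly what the "Monitoring" defense below should be watching for. The following is an added example for this page, not code from the talk or from the ClamAV project: a small log watcher that flags the fatal reload/shutdown messages shown above and also counts "Reading databases from" events in a sliding window, since a burst of them is what a flood of RELOAD commands (the high-CPU DOS) looks like in the log. The FATAL messages are taken from the talk's log lines; the RELOAD-flood sample, the sshd line and the host/pid values beyond those shown are constructed.

```python
"""Detect clamd reload failures, shutdowns and reload floods in syslog lines.

Added example for this page, not code from the talk or from the ClamAV
project. The FATAL messages matched below are the ones that appear in the
clamd log on the Bug 2727 slide; the RELOAD-flood sample is constructed.
"""
import re
from datetime import datetime

# syslog-style clamd line: "Nov  4 18:43:50 host clamd[24481]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"clamd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Substrings of clamd messages (taken from the talk's log) worth an alert.
FATAL_PATTERNS = {
    "reload db failed": "database reload failed (broken or zero-length CVD, cf. bug 2727)",
    "Terminating because of a fatal error": "clamd is terminating on a fatal error",
    "--- Stopped at": "clamd stopped; clamdscan/clamav-milter will fail to connect",
}


def parse_line(line):
    """Return a dict with ts/host/pid/msg, or None for a non-clamd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used below.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "pid": int(m.group("pid")), "msg": m.group("msg")}


def detect(lines, reload_window_s=60, reload_threshold=3):
    """Scan log lines and return (timestamp, kind, description) alerts.

    kind is FATAL for the messages in FATAL_PATTERNS, and RELOAD_STORM when
    reload_threshold "Reading databases from" events land inside
    reload_window_s seconds, the log signature of repeated RELOAD commands."""
    alerts = []
    reload_times = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for needle, desc in FATAL_PATTERNS.items():
            if needle in ev["msg"]:
                alerts.append((ev["ts"], "FATAL", desc))
        if ev["msg"].startswith("Reading databases from"):
            reload_times.append(ev["ts"])
            # keep only the reloads that fall inside the sliding window
            reload_times = [t for t in reload_times
                            if (ev["ts"] - t).total_seconds() <= reload_window_s]
            if len(reload_times) >= reload_threshold:
                alerts.append((ev["ts"], "RELOAD_STORM",
                               "%d database reloads within %ds" % (len(reload_times), reload_window_s)))
                reload_times = []  # start counting the next burst afresh
    return alerts


# Lines from the talk's Bug 2727 slide (host and pid as shown there).
PAGE_LOG = [
    "Nov 4 18:43:50 host clamd[24481]: Reading databases from /usr/local/share/clamav",
    "Nov 4 18:43:50 host clamd[24481]: reload db failed: Broken or not a CVD file",
    "Nov 4 18:43:50 host clamd[24481]: Terminating because of a fatal error.",
    "Nov 4 18:43:50 host clamd[24481]: Waiting for all threads to finish",
    "Nov 4 18:43:50 host clamd[24481]: Shutting down the main sockets.",
    "Nov 4 18:43:50 host clamd[24481]: Pid file removed.",
    "Nov 4 18:43:50 host clamd[24481]: --- Stopped at Mon Nov 4 18:43:50 2013",
]

# Constructed: four reloads in 24 seconds, i.e. what a RELOAD flood leaves behind.
RELOAD_STORM_LOG = [
    "Nov 4 18:50:01 host clamd[24481]: Reading databases from /usr/local/share/clamav",
    "Nov 4 18:50:09 host clamd[24481]: Reading databases from /usr/local/share/clamav",
    "Nov 4 18:50:17 host clamd[24481]: Reading databases from /usr/local/share/clamav",
    "Nov 4 18:50:25 host clamd[24481]: Reading databases from /usr/local/share/clamav",
    "Nov 4 18:50:26 host sshd[1]: constructed non-clamd line, ignored",
]

if __name__ == "__main__":
    for ts, kind, desc in detect(PAGE_LOG + RELOAD_STORM_LOG):
        print(ts.strftime("%b %d %H:%M:%S"), kind, desc)
```

Run against the talk's own log this yields three FATAL alerts (reload failure, termination, stop); the constructed burst yields one RELOAD_STORM alert. Because clamd itself does not log who issued RELOAD or SHUTDOWN, this is the best a log-only monitor can do; pairing it with firewall logs for the clamd port gives the connection record the daemon lacks.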
The Defense
- Configuration: Bind to a LOCAL Socket; Bind to loopback interface
- Access Controls - FIREWALL
- FIX THE BUGS! - Just Saying... :-)
- Monitoring
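The configuration points above (local socket, loopback binding, something to monitor) can be checked mechanically. The following is an added example for this page, not code from the talk or from the ClamAV project: a clamd.conf auditor that reports a TCP listener bound to every interface or to a non-loopback address, the absence of a LocalSocket, and the absence of a timestamped log file. LocalSocket, TCPSocket, TCPAddr, LogFile, LogTime and Example are real clamd.conf directives; the three configuration texts are constructed to show a weak setting beside the corrected ones.

```python
"""Audit a clamd.conf for the exposure settings discussed in the talk.

Added example for this page, not code from the talk or the ClamAV project.
Directive names are real clamd.conf directives; the sample configurations
below are constructed.
"""
import ipaddress
from collections import defaultdict


def parse_clamd_conf(text):
    """Parse 'Directive value' lines ('#' starts a comment). Repeated
    directives (TCPAddr may appear more than once) are kept as lists."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf[parts[0]].append(value)
    return dict(conf)


def _is_loopback(addr):
    """True for 'localhost', 127.0.0.0/8 and ::1; False for anything else."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_clamd_conf(text):
    """Return a list of findings; an empty list means no exposure issue found."""
    conf = parse_clamd_conf(text)
    findings = []
    if "Example" in conf:
        findings.append("'Example' line present: clamd refuses to start on the stock example file")
    if "TCPSocket" in conf:
        addrs = conf.get("TCPAddr", [])
        if not addrs:
            # clamd binds to INADDR_ANY when TCPAddr is not given
            findings.append("TCPSocket %s without TCPAddr: clamd listens on every interface"
                            % conf["TCPSocket"][0])
        for a in addrs:
            if not _is_loopback(a):
                findings.append("TCPAddr %s is not loopback: VERSION/RELOAD/SHUTDOWN reachable "
                                "from the network with no auth or ACLs; bind to 127.0.0.1 "
                                "or firewall the port" % a)
    if "LocalSocket" not in conf:
        findings.append("No LocalSocket: local clients (clamdscan, clamav-milter) "
                        "should use a Unix socket instead of TCP")
    if "LogFile" not in conf:
        findings.append("No LogFile: reload failures and shutdowns leave nothing to monitor")
    elif conf.get("LogTime", ["no"])[0].lower() != "yes":
        findings.append("LogTime is off: log entries carry no timestamps")
    return findings


# Constructed: the configuration the talk warns about.
WEAK_CONF = """
TCPSocket 3310
TCPAddr 0.0.0.0
DatabaseDirectory /usr/local/share/clamav
"""

# Constructed: Unix socket only, timestamped log.
HARDENED_CONF = """
LocalSocket /var/run/clamav/clamd.sock
LogFile /var/log/clamav/clamd.log
LogTime yes
DatabaseDirectory /usr/local/share/clamav
"""

# Constructed: TCP kept for a local client, but loopback only.
LOOPBACK_CONF = """
LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
LogFile /var/log/clamav/clamd.log
LogTime yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("loopback", LOOPBACK_CONF)):
        print(name, audit_clamd_conf(text) or ["ok"])
```

The weak file produces three findings (network-reachable TCPAddr, no LocalSocket, no LogFile); both corrected files produce none. Binding to loopback removes the remote attack surface but still leaves any local user able to issue RELOAD or SHUTDOWN, which is why the talk's first recommendation is a local socket whose file permissions can be controlled.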
Tools - Shameless Plugs: Clambake
Clambake 0.2
- Enumeration
- "Stress" testing
- Networked ClamAV DOS capabilities.
Tools - Continued bragging: CCEE
CCEE 0.97.4
- Initially a patch for bug 1754
- Adds connection logging to clamd for administrative commands
- Adds other functionality to ClamAV
- Woefully Outdated
I am NOT a real C coder. I DO have other things to do. :-)
Tools - Continued: Is he done yet? -- Almost. :-)
clamd.monitor
- Monitor plugin for the mon framework
- Can be used as a stand alone solution
Get them all and more at http://www.cmpublishers.com/oss
Contact Info
Email: nathan@cmpublishers.com
Twitter: @Christ_Media
LinkedIn: http://www.linkedin.com/in/nategibbs
Slideshare: http://www.slideshare.net/NathanGibbs3
Thanks
- Jesus Christ
- BSides DE
- ClamAV Dev Team, Sourcefire, & Cisco
- Folks on ClamAV-users ML