Mailing List Archive

[clamav-users] DNS request if an external server is specified in the file name
Hello together,

we had a penetration test of our application (moodle) a few weeks ago
and in the background we use CLAM-AV as antivirus.

During this test the following behavior was observed with Clam-AV:
If an external server is specified as part of the filename when
uploading a file that is objected to by the virus scanner, a
corresponding DNS request is sent to it (e. g. S1_hostname.txt). The
same happens if instead of the bare server name a payload is specified
that tries to execute a command that performs this lookup (e. g.
S1_nslookup.txt).
The latter behavior, suggests that command injection is also possible
here. However, in LSI's internal quality assurance it was not possible
to prove the execution of other commands (e.g. whoami), since their
result was not included in the server response.

I would exclude command injection since CVE-2020-76613
(https://www.opencve.io/cve/CVE-2020-7613).

But I'm not getting anywhere with the DNS lookup issue. Is there a
configuration setting I'm overlooking? Or is there a way to disable this
behavior?

Many thanks from the mebis team

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] DNS request if an external server is specified in the file name [ In reply to ]
Hi there,

On Thu, 10 Mar 2022, di82wal wrote:

> we had a penetration test of our application (moodle) a few weeks ago and in
> the background we use CLAM-AV as antivirus.
>
> During this test the following behavior was observed with Clam-AV:
> If an external server is specified as part of the filename when uploading a
> file that is objected to by the virus scanner, a corresponding DNS request is
> sent to it (e. g. S1_hostname.txt). The same happens if instead of the bare
> server name a payload is specified that tries to execute a command that
> performs this lookup (e. g. S1_nslookup.txt).
> The latter behavior, suggests that command injection is also possible here.
> However, in LSI's internal quality assurance it was not possible to prove the
> execution of other commands (e.g. whoami), since their result was not
> included in the server response.
>
> I would exclude command injection since CVE-2020-76613
> (https://www.opencve.io/cve/CVE-2020-7613).
>
> But I'm not getting anywhere with the DNS lookup issue. Is there a
> configuration setting I'm overlooking? Or is there a way to disable this
> behavior?

Your report is very light on detail.

Please provide

1) The exact version(s) of ClamAV which you are using.
2) Build and installation details.
3) The output of 'clamconf -n'.
4) The exact version(s) of the operating system(s) which you are using.
5) *Precise* instructions to enable replication of the issues.

Using versions 0.104.x and either 'clamscan' or 'clamdscan', and a
test file which contains the name of a local machine, and running
'tcpdump' on that machine to look for DNS packets from the ClamAV
server, I have not yet managed to confirm the alleged DNS behaviour.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml