The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of ClamAV: command execution in black-hole-mode

Synthesis of the vulnerability 

When clamav-milter is configured in black-hole-mode, an attacker can use a malicious address in order to execute a command.
Vulnerable products: ClamAV, Debian, Mandriva Linux, openSUSE, SLES.
Severity of this weakness: 3/4.
Creation date: 27/08/2007.
Revision date: 27/12/2007.
Références of this bulletin: BID-25439, CERTA-2002-AVI-162, CVE-2007-4560, DSA-1366-1, MDKSA-2007:172, n.runs-SA-2007.025, SUSE-SR:2007:018, VIGILANCE-VUL-7122.

Description of the vulnerability 

The clamav-milter program is used as a link between ClamAV daemon and Sendmail.

The "--black-hole-mode" option of clamav-milter permits to check if destination email address is valid (if it is not redirected to /dev/null). This options calls sendmail in verify mode:
  sendmail -bv "destination@domain"
This command is run with root privileges via a popen() call:
  popen("$SENDMAIL_BIN -bv \"destination@domain\" < /dev/null 2>&1");

However, special characters contained in the destination email address are not filtered before calling popen() to run the shell command. An attacker can for example use following address:
  `command`@domain
in order to execute the command between backticks characters:
  $SENDMAIL_BIN -bv "`command`@domain" < /dev/null 2>&1

This vulnerability therefore permits an attacker to execute shell commands with root privileges.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer threat alert impacts software or systems such as ClamAV, Debian, Mandriva Linux, openSUSE, SLES.

Our Vigil@nce team determined that the severity of this weakness announce is important.

The trust level is of type confirmed by the editor, with an origin of document.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a beginner ability can exploit this computer weakness bulletin.

Solutions for this threat 

ClamAV: version 0.91.2.
Version 0.91.2 is corrected:
  http://www.clamav.net/download/

Debian: new clamav packages.
New packages are available:
  AMD64 architecture:
    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch7_amd64.deb
      Size/MD5 checksum: 856522 cae033c2c4d2245ed0c3742982f9bb67
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch7_amd64.deb
      Size/MD5 checksum: 178452 cf29bd7447cfc3163974b60cc29955a1
    http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch7_amd64.deb
      Size/MD5 checksum: 638384 11df3244f048ed156ef97d99ddf13ee2
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1-3etch7_amd64.deb
      Size/MD5 checksum: 9301956 ee98e922039c3ae2e58e00fa46f3682f
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch7_amd64.deb
      Size/MD5 checksum: 177470 a2fc25aecce75dfd7b506bfd852110cd
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch7_amd64.deb
      Size/MD5 checksum: 386568 6a1f79b33c45bbf7f63361c5bc3e5301
    http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1-3etch7_amd64.deb
      Size/MD5 checksum: 367274 a313b9e7a274000923f2a4c508ce630d
  Intel IA-32 architecture:
    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch7_i386.deb
      Size/MD5 checksum: 853954 9cb2105c0b125d06b6cd55c3afc034df
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch7_i386.deb
      Size/MD5 checksum: 174810 26e058c602e245cdd93b617a6433f3eb
    http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch7_i386.deb
      Size/MD5 checksum: 604246 9229e00e4fd2f479c4991579527dda05
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1-3etch7_i386.deb
      Size/MD5 checksum: 9300180 2ea193af166b258bafc507ee39fe5ed5
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch7_i386.deb
      Size/MD5 checksum: 175306 a9249b84ddf8381fddaefdad2d838a7e
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch7_i386.deb
      Size/MD5 checksum: 367860 d88bcc54abe004b0cac9dace8b1a97cb
    http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1-3etch7_i386.deb
      Size/MD5 checksum: 365930 25dfe3b0f5db7fd318f508f981447c5b
  Intel IA-64 architecture:
    http://security.debian.org/pool/updates/main/c/clamav/clamav_0.90.1-3etch7_ia64.deb
      Size/MD5 checksum: 878502 6819ecbe6de1e78d7a794bd57be5242c
    http://security.debian.org/pool/updates/main/c/clamav/clamav-daemon_0.90.1-3etch7_ia64.deb
      Size/MD5 checksum: 201696 b6aad73bb42bc06ebe2c7e7cf6638e8e
    http://security.debian.org/pool/updates/main/c/clamav/clamav-dbg_0.90.1-3etch7_ia64.deb
      Size/MD5 checksum: 657016 a8700ddde5a27b6e5543c26b94ebaccb
    http://security.debian.org/pool/updates/main/c/clamav/clamav-freshclam_0.90.1-3etch7_ia64.deb
      Size/MD5 checksum: 9315332 5e70f38d3e2c545c2a3a0e886a9d31bf
    http://security.debian.org/pool/updates/main/c/clamav/clamav-milter_0.90.1-3etch7_ia64.deb
      Size/MD5 checksum: 191962 096679339d39f00c721efb8b443a4eaa
    http://security.debian.org/pool/updates/main/c/clamav/libclamav-dev_0.90.1-3etch7_ia64.deb
      Size/MD5 checksum: 521666 d782256097bd91daac7c281bc5b9c04a
    http://security.debian.org/pool/updates/main/c/clamav/libclamav2_0.90.1-3etch7_ia64.deb
      Size/MD5 checksum: 475118 9672c4a0370689ab46e98bbe4b5abdae

Mandriva: new clamav packages.
New packages are available:
 
 Mandriva Linux 2007.0:
 9cc355cd4581c9e15aed5c059263f201 2007.0/i586/clamav-0.91.2-1.1mdv2007.0.i586.rpm
 cfcf00e1e77e0945c61fe88f9a47b6be 2007.0/i586/clamav-db-0.91.2-1.1mdv2007.0.i586.rpm
 c7a2df49aead6c11e6134ce35f2ff39c 2007.0/i586/clamav-milter-0.91.2-1.1mdv2007.0.i586.rpm
 f9ead23bd0d3b98b58687a02eafa3d18 2007.0/i586/clamd-0.91.2-1.1mdv2007.0.i586.rpm
 e39d94f73442dbb2e6bd0034bbc242df 2007.0/i586/clamdmon-0.91.2-1.1mdv2007.0.i586.rpm
 2c886e10cce4b366a2202c0374550d10 2007.0/i586/libclamav-devel-0.91.2-1.1mdv2007.0.i586.rpm
 4b1d3207bfc97d0e75d098e53d227fcf 2007.0/i586/libclamav2-0.91.2-1.1mdv2007.0.i586.rpm
 46173382db18fa6776e0c11239d34727 2007.0/SRPMS/clamav-0.91.2-1.1mdv2007.0.src.rpm
 Mandriva Linux 2007.0/X86_64:
 0004b985905afd8cd892d8565d2c6f84 2007.0/x86_64/clamav-0.91.2-1.1mdv2007.0.x86_64.rpm
 604ef50bbb41cba7a46998a872cceb5e 2007.0/x86_64/clamav-db-0.91.2-1.1mdv2007.0.x86_64.rpm
 f451326de1cda70b72f78e799702a714 2007.0/x86_64/clamav-milter-0.91.2-1.1mdv2007.0.x86_64.rpm
 d459c0ce7eb70fa26f473130b9e2aca3 2007.0/x86_64/clamd-0.91.2-1.1mdv2007.0.x86_64.rpm
 7e407178e6b31b27f28ea86a9a812b7e 2007.0/x86_64/clamdmon-0.91.2-1.1mdv2007.0.x86_64.rpm
 194efc9b8d8f454a6d40aa02311550ad 2007.0/x86_64/lib64clamav-devel-0.91.2-1.1mdv2007.0.x86_64.rpm
 7302c856810696ee9d2da5436a26a5f2 2007.0/x86_64/lib64clamav2-0.91.2-1.1mdv2007.0.x86_64.rpm
 46173382db18fa6776e0c11239d34727 2007.0/SRPMS/clamav-0.91.2-1.1mdv2007.0.src.rpm
 Mandriva Linux 2007.1:
 b314b45eda90a4fc914f980063b08f16 2007.1/i586/clamav-0.91.2-1.1mdv2007.1.i586.rpm
 8bbddc576a178213a167285e676f6367 2007.1/i586/clamav-db-0.91.2-1.1mdv2007.1.i586.rpm
 d5fc2163cf848f73a686299866bb8e12 2007.1/i586/clamav-milter-0.91.2-1.1mdv2007.1.i586.rpm
 0da0d4bdf458feb3a8f01e590603277d 2007.1/i586/clamd-0.91.2-1.1mdv2007.1.i586.rpm
 7048492d9a19e3e8805de3838e30efcd 2007.1/i586/clamdmon-0.91.2-1.1mdv2007.1.i586.rpm
 f1a6165d185c2bc8bacc1f6a3f6f0583 2007.1/i586/libclamav-devel-0.91.2-1.1mdv2007.1.i586.rpm
 82626c97b6c4d0ede2affb6dab4bbb20 2007.1/i586/libclamav2-0.91.2-1.1mdv2007.1.i586.rpm
 1aa3e75e6fd71c98a85671f7073eef53 2007.1/SRPMS/clamav-0.91.2-1.1mdv2007.1.src.rpm
 Mandriva Linux 2007.1/X86_64:
 ce936aaf4aac71db278525b626f7db71 2007.1/x86_64/clamav-0.91.2-1.1mdv2007.1.x86_64.rpm
 ab831b70524ef3e7e49ad2e421965d10 2007.1/x86_64/clamav-db-0.91.2-1.1mdv2007.1.x86_64.rpm
 053f0b5017f2107edc95e33d77827854 2007.1/x86_64/clamav-milter-0.91.2-1.1mdv2007.1.x86_64.rpm
 29d1c23377beda7601da3bf160620d75 2007.1/x86_64/clamd-0.91.2-1.1mdv2007.1.x86_64.rpm
 f917158048deac5163697c6dbb5882c9 2007.1/x86_64/clamdmon-0.91.2-1.1mdv2007.1.x86_64.rpm
 b0e2b52d8d538f29ffbcfe266a540b67 2007.1/x86_64/lib64clamav-devel-0.91.2-1.1mdv2007.1.x86_64.rpm
 5e3cd3617c0e719bc7af09781e0dfcb6 2007.1/x86_64/lib64clamav2-0.91.2-1.1mdv2007.1.x86_64.rpm
 1aa3e75e6fd71c98a85671f7073eef53 2007.1/SRPMS/clamav-0.91.2-1.1mdv2007.1.src.rpm
 Corporate 3.0:
 3f54f8a01c5926fe7b5285e1aa5bd8a0 corporate/3.0/i586/clamav-0.91.2-0.1.C30mdk.i586.rpm
 e4f84e94bb49ae6a30db55c0eb3e1f37 corporate/3.0/i586/clamav-db-0.91.2-0.1.C30mdk.i586.rpm
 62b32759d1ef5100c7a9d4df5662df4e corporate/3.0/i586/clamav-milter-0.91.2-0.1.C30mdk.i586.rpm
 da52811fa2422350fb10aa66b82e7345 corporate/3.0/i586/clamd-0.91.2-0.1.C30mdk.i586.rpm
 5b479b2416b7b2a3185a1ea1444e871d corporate/3.0/i586/clamdmon-0.91.2-0.1.C30mdk.i586.rpm
 9dac547edcaadc6d91e049dfcfd4c8ef corporate/3.0/i586/libclamav-devel-0.91.2-0.1.C30mdk.i586.rpm
 549d6c10620fb7440dbf28df5c8a21de corporate/3.0/i586/libclamav2-0.91.2-0.1.C30mdk.i586.rpm
 161aad73d855e835420c4e2cc4d37867 corporate/3.0/SRPMS/clamav-0.91.2-0.1.C30mdk.src.rpm
 Corporate 3.0/X86_64:
 8558b7b8084cd0b0c3d23c1289830947 corporate/3.0/x86_64/clamav-0.91.2-0.1.C30mdk.x86_64.rpm
 62376f79cde45931384e81f267205b54 corporate/3.0/x86_64/clamav-db-0.91.2-0.1.C30mdk.x86_64.rpm
 57d93dd2c249d800de1fa22324b4b688 corporate/3.0/x86_64/clamav-milter-0.91.2-0.1.C30mdk.x86_64.rpm
 5f7cc43fc89623177e3864194d86dd62 corporate/3.0/x86_64/clamd-0.91.2-0.1.C30mdk.x86_64.rpm
 dafb5a003f164d742bcfc2775b1a72ec corporate/3.0/x86_64/clamdmon-0.91.2-0.1.C30mdk.x86_64.rpm
 29c3fc98485a4912179438b66be722dc corporate/3.0/x86_64/lib64clamav-devel-0.91.2-0.1.C30mdk.x86_64.rpm
 4a49f8d6b1e652a58216d6f20f9d11e8 corporate/3.0/x86_64/lib64clamav2-0.91.2-0.1.C30mdk.x86_64.rpm
 161aad73d855e835420c4e2cc4d37867 corporate/3.0/SRPMS/clamav-0.91.2-0.1.C30mdk.src.rpm
 Corporate 4.0:
 77469fc267c49b8727e9c8d7dfbe1dbe corporate/4.0/i586/clamav-0.91.2-0.1.20060mlcs4.i586.rpm
 524a97ee0a548a61503a3d2805148adb corporate/4.0/i586/clamav-db-0.91.2-0.1.20060mlcs4.i586.rpm
 b30b5e2ecc63f527a270df87fb236235 corporate/4.0/i586/clamav-milter-0.91.2-0.1.20060mlcs4.i586.rpm
 6fdb3fb5e172ac5142cf668013e18f2a corporate/4.0/i586/clamd-0.91.2-0.1.20060mlcs4.i586.rpm
 63862acdb343759ad132eb7851de094f corporate/4.0/i586/clamdmon-0.91.2-0.1.20060mlcs4.i586.rpm
 d8410aeca30a43ef80dba02181eab604 corporate/4.0/i586/libclamav-devel-0.91.2-0.1.20060mlcs4.i586.rpm
 28c9e2d2058116c19230b46686f211af corporate/4.0/i586/libclamav2-0.91.2-0.1.20060mlcs4.i586.rpm
 e28ad7b384a7df0d3a457b9cab2e45a5 corporate/4.0/SRPMS/clamav-0.91.2-0.1.20060mlcs4.src.rpm
 Corporate 4.0/X86_64:
 23813b996a2fde23ffb7d34c50464576 corporate/4.0/x86_64/clamav-0.91.2-0.1.20060mlcs4.x86_64.rpm
 9de86112dede4437ec8de4792602c697 corporate/4.0/x86_64/clamav-db-0.91.2-0.1.20060mlcs4.x86_64.rpm
 d7c4ca09b53acf38161206b9b0288f50 corporate/4.0/x86_64/clamav-milter-0.91.2-0.1.20060mlcs4.x86_64.rpm
 cc043effd109ea56c076ade68e642007 corporate/4.0/x86_64/clamd-0.91.2-0.1.20060mlcs4.x86_64.rpm
 d84d812febc122043602a7cbef4025f7 corporate/4.0/x86_64/clamdmon-0.91.2-0.1.20060mlcs4.x86_64.rpm
 7d64c08753f48cd26932b0a047a841c6 corporate/4.0/x86_64/lib64clamav-devel-0.91.2-0.1.20060mlcs4.x86_64.rpm
 4c33eb78a714a00844e918c18179ce27 corporate/4.0/x86_64/lib64clamav2-0.91.2-0.1.20060mlcs4.x86_64.rpm
 e28ad7b384a7df0d3a457b9cab2e45a5 corporate/4.0/SRPMS/clamav-0.91.2-0.1.20060mlcs4.src.rpm

SUSE: new clamav, RealPlayer, pfstools, vim, tar, star, nfsidmap packages.
New packages are available via YaST or FTP.
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

Computer vulnerabilities tracking service 

Vigil@nce provides network vulnerability announces. The Vigil@nce vulnerability database contains several thousand vulnerabilities.