J-Security Center

Title: ClamAV Popen Function Remote Code Execution Vulnerability

Severity: CRITICAL

Description:

ClamAV is an antivirus application available for UNIX and UNIX-like operating systems.

ClamAV is prone to a remote code-execution vulnerability because it fails to sufficiently sanitize user-supplied input. The issue occurs in 'clamav-milter' when it is used with sendmail. Specifically, the application fails to sanitize the recipient field before passing the data to the 'popen()' function.

An attacker could exploit this issue by injecting arbitrary shell commands through the vulnerable field.

Note that 'black hole' mode must be activated for the issue to be exploitable.

Successfully exploiting this issue will allow the attacker to execute arbitrary code with superuser privileges, resulting in the complete compromise of affected computers.

Versions prior to ClamAV 0.91.2 are vulnerable.
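
The flaw class described above, as an added example that is not ClamAV's code or its fix: instead of building a 'popen()' command line from the recipient, the address is checked against an allowlist and the helper is started with execvp(), so no shell ever parses it. The function names, the allowlist policy and the sample address are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes, shown only as a comment:
 *   snprintf(cmd, sizeof cmd, "%s %s", helper, rcpt);
 *   popen(cmd, "r");      the shell parses rcpt, metacharacters included */

/* Hypothetical allowlist policy: address characters only, bounded length,
 * no leading '-' (option injection), an '@' required. 1 = accepted. */
int recipient_is_safe(const char *rcpt)
{
    size_t len = strlen(rcpt);
    if (len == 0 || len > 254 || rcpt[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)rcpt[i];
        if (!isalnum(c) && strchr("@._+-=", c) == NULL)
            return 0;
    }
    return strchr(rcpt, '@') != NULL;
}

/* Run argv[0] via execvp(): no shell, so every element arrives as one
 * literal argument. Returns the child's exit status, or -1 on failure. */
int run_no_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char *rcpt = "user@example.com";     /* constructed sample address */
    char *argv[] = { "echo", "checked:", rcpt, NULL };
    return recipient_is_safe(rcpt) ? run_no_shell(argv) : 1;
}
```

The two measures are independent: the allowlist rejects input that has no business in a recipient field, and the argv-based exec removes the shell that would have interpreted it.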

Affected Products:

  • Apple Mac OS X Server 10.5
  • Apple Mac OS X Server 10.5.1
  • Apple Mac OS X Server 10.5.2
  • Clam Anti-Virus ClamAV 0.51.0
  • Clam Anti-Virus ClamAV 0.52.0
  • Clam Anti-Virus ClamAV 0.53.0
  • Clam Anti-Virus ClamAV 0.54.0
  • Clam Anti-Virus ClamAV 0.60.0
  • Clam Anti-Virus ClamAV 0.65.0
  • Clam Anti-Virus ClamAV 0.67.0
  • Clam Anti-Virus ClamAV 0.68.0
  • Clam Anti-Virus ClamAV 0.68.0 -1
  • Clam Anti-Virus ClamAV 0.70.0
  • Clam Anti-Virus ClamAV 0.75.1
  • Clam Anti-Virus ClamAV 0.80.0
  • Clam Anti-Virus ClamAV 0.80.0 rc1
  • Clam Anti-Virus ClamAV 0.80.0 rc2
  • Clam Anti-Virus ClamAV 0.80.0 rc3
  • Clam Anti-Virus ClamAV 0.80.0 rc4
  • Clam Anti-Virus ClamAV 0.81.0
  • Clam Anti-Virus ClamAV 0.82.0
  • Clam Anti-Virus ClamAV 0.83.0
  • Clam Anti-Virus ClamAV 0.84.0
  • Clam Anti-Virus ClamAV 0.84.0 rc1
  • Clam Anti-Virus ClamAV 0.84.0 rc2
  • Clam Anti-Virus ClamAV 0.85.0
  • Clam Anti-Virus ClamAV 0.85.1
  • Clam Anti-Virus ClamAV 0.86.0
  • Clam Anti-Virus ClamAV 0.86.0 .1
  • Clam Anti-Virus ClamAV 0.86.2
  • Clam Anti-Virus ClamAV 0.87.0
  • Clam Anti-Virus ClamAV 0.87.0 -1
  • Clam Anti-Virus ClamAV 0.87.1
  • Clam Anti-Virus ClamAV 0.88.0
  • Clam Anti-Virus ClamAV 0.88.1
  • Clam Anti-Virus ClamAV 0.88.2
  • Clam Anti-Virus ClamAV 0.88.3
  • Clam Anti-Virus ClamAV 0.88.4
  • Clam Anti-Virus ClamAV 0.88.5
  • Clam Anti-Virus ClamAV 0.88.6
  • Clam Anti-Virus ClamAV 0.90.0
  • Clam Anti-Virus ClamAV 0.90.1
  • Clam Anti-Virus ClamAV 0.90.2
  • Clam Anti-Virus ClamAV 0.90.3
  • Clam Anti-Virus ClamAV 0.91
  • Clam Anti-Virus ClamAV 0.91.1
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • Gentoo Linux
  • Gentoo Linux 1.4.0
  • Gentoo Linux 1.4.0 _rc1
  • Gentoo Linux 1.4.0 _rc2
  • Gentoo Linux 1.4.0 _rc3
  • Linux kernel 2.4.19
  • Linux kernel 2.4.21
  • Linux kernel 2.6.5
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Corporate Server 4.0
  • MandrakeSoft Corporate Server 4.0.0 x86_64
  • MandrakeSoft Linux Mandrake 2007.0
  • MandrakeSoft Linux Mandrake 2007.0 x86_64
  • MandrakeSoft Linux Mandrake 2007.1
  • MandrakeSoft Linux Mandrake 2007.1 x86_64
  • RedHat Fedora Core7
  • S.u.S.E. Linux 10.0 ppc
  • S.u.S.E. Linux 10.0 x86
  • S.u.S.E. Linux 10.0 x86-64
  • S.u.S.E. Linux 10.1 ppc
  • S.u.S.E. Linux 10.1 x86
  • S.u.S.E. Linux 10.1 x86-64
  • S.u.S.E. Linux Desktop 1.0.0
  • S.u.S.E. Linux Desktop 10
  • S.u.S.E. Linux Enterprise SDK 10
  • S.u.S.E. Linux Enterprise Server 10
  • S.u.S.E. Linux Enterprise Server 10.SP1
  • S.u.S.E. Linux Enterprise Server 8
  • S.u.S.E. Linux Enterprise Server 9
  • S.u.S.E. Linux Enterprise Server 9-SP3
  • S.u.S.E. Linux Enterprise Server for S/390
  • S.u.S.E. Linux Enterprise Server for S/390 9.0.0
  • S.u.S.E. Linux Office Server
  • S.u.S.E. Linux Openexchange Server
  • S.u.S.E. Linux Personal 10.0.0 OSS
  • S.u.S.E. Linux Personal 10.1
  • S.u.S.E. Linux Personal 10.2
  • S.u.S.E. Linux Personal 10.2 x86_64
  • S.u.S.E. Linux Professional 10.0.0
  • S.u.S.E. Linux Professional 10.0.0 OSS
  • S.u.S.E. Linux Professional 10.1
  • S.u.S.E. Linux Professional 10.2
  • S.u.S.E. Linux Professional 10.2 x86_64
  • S.u.S.E. Novell Linux Desktop 9
  • S.u.S.E. Novell Linux POS 9
  • S.u.S.E. SLE SDK 10.SP1
  • S.u.S.E. SUSE LINUX Retail Solution 8.0.0
  • S.u.S.E. SUSE Linux Enterprise Desktop 10
  • S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
  • S.u.S.E. SUSE Linux Enterprise Server 10
  • S.u.S.E. SUSE Linux Enterprise Server 10 SP1
  • S.u.S.E. SUSE Linux Enterprise Server 9 SP3
  • S.u.S.E. SuSE Linux Openexchange Server 4.0.0
  • S.u.S.E. SuSE Linux School Server for i386
  • S.u.S.E. SuSE Linux Standard Server 8.0.0
  • S.u.S.E. UnitedLinux 1.0.0
  • S.u.S.E. openSUSE 10.2
  • Trustix Operating System Enterprise Server 2.0
  • Trustix Secure Linux 2.2.0
  • Trustix Secure Linux 3.0.0
  • Trustix Secure Linux 3.0.5
