Script clamav-exec
Script types: portrule
Categories: exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/clamav-exec.nse
Script Summary
Exploits ClamAV servers vulnerable to unauthenticated clamav command execution.
ClamAV server 0.99.2, and possibly earlier versions, allows the execution of dangerous service commands without authentication. Specifically, the command 'SCAN' may be used to list system files and the command 'SHUTDOWN' shuts down the service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
Without arguments, this script tests the availability of the command 'SCAN'.
Reference:
- https://twitter.com/nitr0usmx/status/740673507684679680
- https://bugzilla.clamav.net/show_bug.cgi?id=11585
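An added example, not part of the Nmap script or its documentation: a defender-side check of a clamd.conf for the network exposure this script reports. It assumes the standard clamd.conf directives TCPSocket, TCPAddr and LocalSocket; the function names and the sample configurations are constructed for illustration.

```python
import ipaddress

def parse_clamd_conf(text):
    """Return {directive: [values]} from clamd.conf text, skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return opts

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"  # any other hostname is treated as non-local

def audit_clamd_conf(text):
    """Return (verdict, reason) for the exposure of clamd's command socket."""
    opts = parse_clamd_conf(text)
    if "TCPSocket" not in opts:
        return ("ok", "no TCP listener configured")
    port = opts["TCPSocket"][-1]
    addrs = opts.get("TCPAddr", [])
    if not addrs:
        # TCPSocket without TCPAddr makes clamd bind to all interfaces.
        return ("exposed", f"port {port} listens on all interfaces")
    remote = [a for a in addrs if not is_loopback(a)]
    if remote:
        return ("exposed", f"port {port} bound to {', '.join(remote)}")
    return ("local-only", f"port {port} bound to loopback only")

# Constructed sample configurations (not taken from the page).
WEAK = "LocalSocket /var/run/clamav/clamd.ctl\nTCPSocket 3310\n"
LOOPBACK = "TCPSocket 3310\nTCPAddr 127.0.0.1\nTCPAddr ::1\n"
SOCKET_ONLY = "# TCPSocket 3310\nLocalSocket /var/run/clamav/clamd.ctl\n"

if __name__ == "__main__":
    for name, conf in [("weak", WEAK), ("loopback", LOOPBACK),
                       ("socket-only", SOCKET_ONLY)]:
        print(name, audit_clamd_conf(conf))
```

An "exposed" verdict means any host that can reach the port can send the SCAN and SHUTDOWN commands described above; "local-only" still leaves the commands open to every local user.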
Script Arguments
- clamav-exec.scandb
Database of files to list.
- clamav-exec.cmd
Command to execute. Options: scan and shutdown.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap -sV --script clamav-exec <target>
nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
nmap --script clamav-exec --script-args cmd='shutdown' <target>
Script Output
PORT     STATE SERVICE VERSION
3310/tcp open  clam    ClamAV 0.99.2 (21714)
| clamav-exec:
|   VULNERABLE:
|   ClamAV Remote Command Execution
|     State: VULNERABLE
|       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
|       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
|       may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
|       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
|
|     Disclosure date: 2016-06-8
|     Extra information:
|       SCAN command is enabled.
|     References:
|       https://bugzilla.clamav.net/show_bug.cgi?id=11585
|_      https://twitter.com/nitr0usmx/status/740673507684679680
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html