Script clamav-exec

Script types: portrule
Categories: exploit, vuln
Download: https://svn.nmap.org/nmap/scripts/clamav-exec.nse

Script Summary

Exploits ClamAV servers vulnerable to unauthenticated ClamAV command execution.

ClamAV server 0.99.2, and possibly other previous versions, allows the execution of dangerous service commands without authentication. Specifically, the command 'SCAN' may be used to list system files and the command 'SHUTDOWN' shuts down the service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).

Without arguments, this script tests the availability of the command 'SCAN'.

Reference:

Script Arguments

clamav-exec.scandb

Database file containing the list of files to check.

clamav-exec.cmd

Command to execute. Options: scan and shutdown.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -sV --script clamav-exec <target>
nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
nmap --script clamav-exec --script-args cmd='shutdown' <target>

Script Output

PORT     STATE SERVICE VERSION
3310/tcp open  clam    ClamAV 0.99.2 (21714)
| clamav-exec:
|   VULNERABLE:
|   ClamAV Remote Command Execution
|     State: VULNERABLE
|       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
|       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
|       may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
|       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
|
|     Disclosure date: 2016-06-8
|     Extra information:
|       SCAN command is enabled.
|     References:
|       https://bugzilla.clamav.net/show_bug.cgi?id=11585
|_      https://twitter.com/nitr0usmx/status/740673507684679680
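
A host-side follow-up to a VULNERABLE result like the one above, as an added example that is not part of the Nmap script or its documentation: it reads a clamd.conf body and reports whether clamd's TCP command socket is reachable from other hosts. TCPSocket, TCPAddr and LocalSocket are clamd.conf options not mentioned on this page; the function names and sample configs are constructed for illustration.

```python
import ipaddress

# Constructed sample configs (not taken from the page).
EXPOSED_CONF = """\
# clamd.conf (constructed sample)
LocalSocket /var/run/clamav/clamd.ctl
TCPSocket 3310
"""
LOOPBACK_CONF = """\
LocalSocket /var/run/clamav/clamd.ctl
TCPSocket 3310
TCPAddr 127.0.0.1
TCPAddr ::1
"""
LOCAL_ONLY_CONF = """\
LocalSocket /var/run/clamav/clamd.ctl
#TCPSocket 3310
"""

def parse_clamd_conf(text):
    """Return {option: [values]} for a clamd.conf body, ignoring '#' comments."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip().strip('"') if len(parts) > 1 else ""
            opts.setdefault(parts[0], []).append(value)
    return opts

def tcp_exposure(text):
    """Classify clamd's TCP listener: 'no-tcp', 'loopback-only' or 'exposed'."""
    opts = parse_clamd_conf(text)
    if "TCPSocket" not in opts:
        return "no-tcp"  # at most a LocalSocket: no network listener
    addrs = opts.get("TCPAddr", [])
    if not addrs:
        return "exposed"  # TCPSocket without TCPAddr binds every interface
    for addr in addrs:
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return "exposed"
        except ValueError:
            if addr != "localhost":  # other hostnames: cannot prove loopback
                return "exposed"
    return "loopback-only"

if __name__ == "__main__":
    for conf in (EXPOSED_CONF, LOOPBACK_CONF, LOCAL_ONLY_CONF):
        print(tcp_exposure(conf))
```

An "exposed" result means any host that can reach the port can send service commands such as SCAN and SHUTDOWN, which is the condition the script reports.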

Requires


Author:

  • Paulino Calderon <calderon()websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html