On Jan 3, 2008 6:08 PM, Mark <[EMAIL PROTECTED]> wrote:
>
> a): Clamav were to run as root (and consequently run
> ..progname.day-of-month as root too), which is plain stupid.

There's lots of stupid people out there ;)

> Also, where does the idea come from that a symlink will magically bring
> the attacker root access? If .progname.day-of-month were a symlink, then
> please, anyone, show me to what sort of file this symlink could point to
> that would suddenly allow the attacker to gain root-access?

It's not magic, but it's possible. Plenty of effective attacks, in
the real world, have used this approach as part of a chain that
results in gaining root access.

> Also, on FreeBSD, we set /tmp +t, which means items in /tmp can be renamed
> or deleted only by the item's owner.

I think that's been standard on all Unix-type systems for a long time now.

> In short, I fail to see what the fuss is all about. O_EXCL should have
> been there, but it's a minor bug -- especially since the TS initially
> failed to realize there was randomness, after all (though it could be
> improved upon). I see no realistic possibilities for exploits. But I'm of
> course open to hearing how someone thinks a realistic attack could be
> mounted with it.

A minor vulnerability here, a minor vulnerability there and pretty
soon you're talking something bigger ;) As David said, attackers are
creative - they're also often very persistent and highly skilled. At
the end of the day there would be real money behind an exploit that
could give any form of remote access to a host running ClamAV.
--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
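The O_EXCL point argued above, as an added example that is not part of the thread and not ClamAV's own code: it contrasts the open() call the thread criticises (O_CREAT without O_EXCL) with the hardened form (O_CREAT|O_EXCL|O_NOFOLLOW), and runs both against a pre-placed symlink in a private scratch directory. The directory name, the victim file and the `.progname.03` link name are all constructed for the demonstration; the pre-placed symlink stands in for whatever another local user could leave in a sticky-bit /tmp before the privileged process creates its daily file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the thread criticises: O_CREAT without O_EXCL. If something
 * (for example a symlink left in the world-writable directory by another
 * local user) already exists at `path`, open() follows it and the caller
 * ends up writing to whatever it points at, with the caller's privileges. */
int open_daily_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST if anything is already
 * at `path` (a symlink counts, and is never followed), and O_NOFOLLOW
 * additionally refuses a symlink in the final component. Returns fd or -1. */
int open_daily_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-contained demonstration in a private scratch directory (all names are
 * constructed for this example). A "victim" file is created, then a symlink
 * named like the thread's .progname.day-of-month is pointed at it. Returns 0
 * when the unsafe open followed the link and the hardened open refused; any
 * other value is the number of the step that behaved unexpectedly. */
int demo_symlink_in_tmp(void)
{
    char dir[64], victim[128], link_path[128];
    struct stat st_victim, st_opened;
    int fd, rc = 0;

    snprintf(dir, sizeof dir, "/tmp/clamdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return 1;          /* step 1: scratch dir */
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/.progname.03", dir);

    /* step 2: a file the privileged process must never be tricked into opening */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rc = 2; goto cleanup; }
    close(fd);
    if (stat(victim, &st_victim) != 0) { rc = 3; goto cleanup; }

    /* step 4: the symlink sitting where the daily file is about to be created */
    if (symlink(victim, link_path) != 0) { rc = 4; goto cleanup; }

    /* step 5/6: the unsafe open succeeds and its fd is the victim's inode */
    fd = open_daily_unsafe(link_path);
    if (fd < 0) { rc = 5; goto cleanup; }
    if (fstat(fd, &st_opened) != 0 || st_opened.st_ino != st_victim.st_ino
        || st_opened.st_dev != st_victim.st_dev) {
        close(fd); rc = 6; goto cleanup;
    }
    close(fd);

    /* step 7/8: the hardened open refuses (EEXIST per POSIX, ELOOP on some systems) */
    fd = open_daily_safe(link_path);
    if (fd >= 0) { close(fd); rc = 7; goto cleanup; }
    if (errno != EEXIST && errno != ELOOP) { rc = 8; goto cleanup; }

    /* step 9: with nothing at the path, the hardened open creates the file normally */
    unlink(link_path);
    fd = open_daily_safe(link_path);
    if (fd < 0) { rc = 9; goto cleanup; }
    close(fd);

cleanup:
    unlink(link_path);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_in_tmp();
    printf("demo result: %d (%s)\n", rc,
           rc == 0 ? "unsafe open followed the symlink; O_EXCL|O_NOFOLLOW refused"
                   : "unexpected, see step number");
    return rc;
}
```

The sticky bit mentioned in the thread stops other users from removing or renaming the process's file once it exists; it does nothing about a name that is already occupied before the privileged process gets there, which is exactly the window O_EXCL closes. A process that later re-opens the file by path instead of keeping the descriptor reopens the same question, so the descriptor returned by the O_EXCL open should be the one used for all subsequent writes.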