On 08/31/2018 05:00 AM, Henrik Hoeg Thomsen1 wrote:
> wget -q -m -nd -P /tmp --retry-connrefused http://db.local.clamav.net

This is probably exploitable by anyone on the system to gain root. If I
create the file /tmp/daily.cvd (remember that /tmp is world-writable),

  $ touch -d '2018-01-01 00:00:00' /tmp/daily.cvd

Then your update job will write to my file:

  $ sudo wget -q -m -nd -P /tmp http://db.local.clamav.net:/daily.cvd
  ...

Thanks to the "-m" flag, I still own that file, and I can write whatever
bad stuff I want in there after you verify its contents:

  $ ls -lh /tmp/daily.cvd
  -rw-r--r-- 1 mjo mjo 48M 2018-08-31 00:46 /tmp/daily.cvd

There are various reports floating around showing how clamav is not
robust against malicious signatures (potentially leading to root
access); but regardless it's a pretty bad thing that anyone on the
machine can overwrite all of your signatures with malicious ones.

To fix it: if you're going to use a file under /tmp, then use a secure
function like mktemp() to obtain it. But if you're running this job as a
specific user, you might as well give him a special place to work like
/var/tmp/clamav-updates that is accessible only to that user. The
problem is unique to /tmp because of its world-writable permissions.
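A defensive version of the update job described above, written as an added example for this thread rather than code from the original posts or from the ClamAV project: the staging directory is private to the update user and freshly created with mktemp, every file is checked to be absent before wget writes it, and signatures are only moved into the database directory after verification. The function names, the /var/tmp/clamav-updates base directory and the use of sigtool --info as the verification step are assumptions; the mirror URL is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the clamav-users thread. Function names are hypothetical.

# Return 0 only if $1 is a directory owned by the current user that neither
# group nor others can write to. A world-writable directory (like /tmp) lets
# any local user pre-create the file names the updater is about to write.
private_dir_ok() {
    dir=$1
    [ -d "$dir" ] && [ -O "$dir" ] || return 1
    # any group- or world-writable bit disqualifies the directory
    [ -z "$(find "$dir" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]
}

# Create a fresh, empty, mode-0700 staging directory below a base directory
# that is itself private to the update user (assumed: /var/tmp/clamav-updates).
# mkdir -m only applies to a directory it creates, so an already existing base
# is re-checked with private_dir_ok before it is trusted.
make_staging_dir() {
    base=$1
    mkdir -p -m 0700 "$base" || return 1
    private_dir_ok "$base" || return 1
    # mktemp -d creates the directory with mode 0700 and an unpredictable name
    mktemp -d "$base/stage.XXXXXX"
}

# A freshly created staging directory must contain nothing we did not put
# there; refuse to download onto a path that already exists.
stage_target_ok() {
    [ ! -e "$1" ]
}

# Whole update cycle: download into the private staging area, verify each
# database there, then move the files (owned by us, not by a stranger) into
# the signature directory. The verification tool is assumed to be ClamAV's
# sigtool, which reports on the database's built-in digital signature.
fetch_signatures() {
    base=$1
    dbdir=$2
    mirror=${3:-http://db.local.clamav.net}
    stage=$(make_staging_dir "$base") || return 1
    for f in main.cvd daily.cvd bytecode.cvd; do
        stage_target_ok "$stage/$f" || { rm -rf "$stage"; return 1; }
        wget -q -P "$stage" "$mirror/$f" || { rm -rf "$stage"; return 1; }
    done
    for f in "$stage"/*.cvd; do
        sigtool --info "$f" >/dev/null || { rm -rf "$stage"; return 1; }
    done
    mv "$stage"/*.cvd "$dbdir"/ && rm -rf "$stage"
}

# Usage (network access required):
#   fetch_signatures /var/tmp/clamav-updates /var/lib/clamav
```

Because the staging directory is created by the update user with mode 0700 and a random name, no other local user can plant a daily.cvd inside it ahead of time, so the ownership problem the thread describes cannot arise; the pre-existence check in stage_target_ok is a second line of defence in case the base directory is ever misconfigured.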
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml