No Click Required: PoC Available for ClamAV Command Injection Bug (CVE-2024-20328)

A proof-of-concept (PoC) has been published for CVE-2024-20328, a critical vulnerability in ClamAV, a popular open-source antivirus engine, that allows arbitrary code execution.

The vulnerability abuses ClamAV’s VirusEvent feature. The weak point is the handling of the scanned file’s name: a carefully crafted file name becomes the conduit for a command injection, allowing attackers to execute arbitrary code on systems running ClamAV’s daemon, clamd.

“Since ClamAV is being used as an antivirus engine to scan files especially in mail servers, this vulnerability can be exploited by an attacker to execute arbitrary code on the system running ClamAV – clamd from remote without user interaction,” the researcher warned.

CVE-2024-20328 PoC

Affected versions of ClamAV span from 0.104 through 1.2.1, covering a wide swath of installations across various environments. This range includes long-term support (LTS) versions, which are often deployed in critical infrastructures for their stability and reliability. ClamAV 1.2.2 and ClamAV 1.0.5 were released to patch this flaw.

Security researcher Amit Schendel not only unveiled the existence of this flaw but also provided the technical roadmap for its exploitation, shedding light on the inner workings of this vulnerability.

The root cause of this security flaw is the VirusEvent feature, a well-intentioned mechanism designed to alert system administrators of detected viruses by executing a predefined command. For example, a command such as `VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"` is meant to send an SMS alert with details of the detected threat.

“Where %v is the virus name and %f is the file name. The file name is not sanitized, allowing an attacker to inject a command into the command string. VirusEvent is a configuration option in the clamd.conf file. The command is executed with the privileges of the user running Clamd,” the researcher wrote.

Delving deeper into the mechanics, the clamd source code reveals the sequence of actions leading to the execution of the VirusEvent command. The process involves environmental variable manipulation, memory allocation for the command string, and the spawning of a child process to carry out the command—a process marred by the absence of command sanitization.

The crux of the matter lies in a line of code that, while seemingly innocuous, opens the floodgates to exploitation: `_exit(execle("/bin/sh", "sh", "-c", buffer_cmd, NULL, env));`. This line, intended to execute the VirusEvent command, becomes the Achilles’ heel of the system when the command string is tainted.

When VirusEvent is configured to log a message upon detection, an attacker can craft a file name that, when scanned, triggers the execution of arbitrary commands, effectively giving the attacker a foothold on the system.

To demonstrate his findings, Amit Schendel created a proof-of-concept (PoC) to exploit CVE-2024-20328:

  1. Assuming clamd.conf is configured as follows:

     ```
     VirusEvent "echo VIRUS DETECTED: %v in the path %f >> /dev/stdout"
     ```

  2. A file named `xmrig;whoami;` (the payload) will cause the following command to be executed, with the file name substituted for `%f`:

     ```
     echo VIRUS DETECTED: [signature] in the path xmrig;whoami; >> /dev/stdout
     ```

  3. Output:

     ```
     VIRUS DETECTED: Multios.Coinminer.Miner-6781728-2.UNOFFICIAL in the path
     /host/crypto-miner/xmrig
     root
     ```
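To make the mechanism concrete, the following is an added example (not ClamAV’s or the researcher’s code) that models the `%v`/`%f` expansion and the `sh -c` dispatch described above, beside a hardened variant that keeps the file name out of the command string by passing it through an environment variable. The template, signature name, the variable name `CLAM_VIRUSEVENT_FILENAME`, and the file name carrying a benign `echo INJECTED` marker in place of `whoami` are all constructed for this example.

```python
"""Added example (not ClamAV's or the researcher's code): models the %v/%f
expansion and `sh -c` dispatch the article describes, next to a hardened form.
Template, signature name, marker payload and env-var names are constructed."""
import os
import subprocess

# Constructed template mirroring the article's clamd.conf VirusEvent example.
VULNERABLE_TEMPLATE = "echo VIRUS DETECTED: %v in the path %f"
# Hardened template: no %f; the file name is read from a quoted variable.
# The variable name CLAM_VIRUSEVENT_FILENAME is an assumption of this example.
HARDENED_TEMPLATE = 'echo VIRUS DETECTED: %v in the path "$CLAM_VIRUSEVENT_FILENAME"'

VIRUS_NAME = "Test.Sample.Signature"  # constructed signature name
# Constructed file name: a benign `echo INJECTED` marker stands in for the
# article's `whoami`, so the injection is visible without running anything else.
HOSTILE_PATH = "/tmp/upload/xmrig;echo INJECTED;"


def expand_template(template: str, virus: str, path: str) -> str:
    """Naive substitution: the raw file name is spliced into the shell string."""
    return template.replace("%v", virus).replace("%f", path)


def run_vulnerable(template: str, virus: str, path: str) -> str:
    """Mirrors execle("/bin/sh", "sh", "-c", buffer_cmd, ...): every shell
    metacharacter in the file name is parsed and executed by sh."""
    cmd = expand_template(template, virus, path)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def template_is_safe(template: str) -> bool:
    """Reject templates that still interpolate the file name into the command."""
    return "%f" not in template


def run_hardened(template: str, virus: str, path: str) -> str:
    """The file name never touches the command string: it is exported as an
    environment variable and the template references it quoted, so sh treats
    its contents as one word of data rather than as code."""
    if not template_is_safe(template):
        raise ValueError('template uses %f; reference "$CLAM_VIRUSEVENT_FILENAME" instead')
    env = dict(os.environ, CLAM_VIRUSEVENT_VIRUSNAME=virus, CLAM_VIRUSEVENT_FILENAME=path)
    cmd = template.replace("%v", virus)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True, env=env).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(VULNERABLE_TEMPLATE, VIRUS_NAME, HOSTILE_PATH)))
    print("hardened:  ", repr(run_hardened(HARDENED_TEMPLATE, VIRUS_NAME, HOSTILE_PATH)))
```

The vulnerable run prints the alert and then a second line, `INJECTED`, because the shell executed the text after the semicolon; the hardened run prints the full file name, semicolons included, as plain data.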