ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files used by the cli_gentempfd function in libclamav/others.c or on (2) .ascii files used by sigtool, when utf16-decode is enabled.
ClamAV 0.92 is vulnerable to a symlink attack that allows local users to overwrite arbitrary files. Because the temporary files created during scanning and the .ascii files used during signature processing can be redirected onto sensitive files, this can lead to system compromise, potentially enabling privilege escalation or denial of service.
Step 1: Target Selection: The attacker identifies a target file to overwrite (e.g., /etc/passwd).
Step 2: Symlink Creation: The attacker creates a symbolic link (symlink) with a predictable name, pointing to the target file. This symlink is usually created in a location where ClamAV will create a temporary file.
Step 3: Triggering ClamAV: The attacker triggers ClamAV to create a temporary file. This can be done by submitting a specially crafted file to be scanned or by using sigtool with UTF-16 decoding enabled.
Step 4: Race Condition: ClamAV creates a temporary file (or uses an .ascii file) without properly checking for the existence of a symlink with the same name. Due to the race condition, the attacker's symlink is in place before the file is created.
Step 5: File Overwrite: ClamAV writes data to the temporary file. Because of the symlink, this write operation actually overwrites the target file (e.g., /etc/passwd).
Step 6: System Compromise: The attacker uses the overwritten file (e.g., a modified /etc/passwd with a new user) to gain unauthorized access or escalate privileges.
The vulnerability stems from a race condition in how ClamAV handles temporary files, and .ascii files when UTF-16 decoding is enabled. The cli_gentempfd function in libclamav/others.c and the sigtool utility create these files at predictable names without checking for, or refusing, a pre-existing symlink at that path. An attacker can create a symlink pointing to a sensitive file (e.g., /etc/passwd, a configuration file, or a system binary). When ClamAV attempts to write to the temporary file, the write follows the symlink and lands on its target, leading to arbitrary file overwrite. The flaw is exacerbated by the lack of proper input validation and insufficient checks for the existence and ownership of the target file before writing. This allows an attacker to control the contents of critical system files.
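The following is an added example, not ClamAV's code and not the patch ClamAV shipped; the function names (open_temp_unsafe, open_temp_safe, run_demo) and the file names it uses are hypothetical. It reproduces the root cause described above in a scratch directory it creates under /tmp and removes afterwards: a temporary file created at a predictable name with O_CREAT but without O_EXCL follows a symlink already sitting at that name, so the write lands on the link's target. The two hardened variants beside it show the mitigation a defender wants: O_CREAT|O_EXCL|O_NOFOLLOW refuses to open through a pre-existing link (the call fails with EEXIST and the target is untouched), and mkstemp() both picks an unpredictable name and creates it atomically with O_EXCL, so a planted link is never hit.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unsafe pattern (illustrative): predictable name, O_CREAT without O_EXCL.
 * If a symlink already sits at path, open() follows it and O_TRUNC
 * clobbers whatever the link points to. */
static int open_temp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern for a fixed name: O_CREAT|O_EXCL fails with EEXIST if
 * anything (including a symlink) exists at path; O_NOFOLLOW additionally
 * refuses a symlink as the final path component. */
static int open_temp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Helpers for the stand-in victim file (a regular file we own). */
static int write_small(const char *path, const char *s) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

static int read_small(const char *path, char *buf, size_t cap) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Runs the scenario in a fresh scratch directory and returns a bitmask:
 *   1 = unsafe open wrote through the planted link onto the victim file
 *   2 = hardened open failed with EEXIST and left the victim untouched
 *   4 = mkstemp() created its file under a name other than the planted one
 * A run that demonstrates all three returns 7; anything else means the
 * environment did not behave as expected (or setup failed). */
int run_demo(void) {
    char dir[] = "/tmp/symlink-demo-XXXXXX";  /* constructed scratch dir */
    char victim[256], planted[256], tmpl[256], buf[64];
    int result = 0, fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    snprintf(planted, sizeof planted, "%s/scan.tmp", dir);  /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/scan-XXXXXX", dir);

    /* victim.conf stands in for a sensitive file; scan.tmp is the
     * pre-placed symlink from the description above. */
    if (write_small(victim, "original\n") != 0 || symlink(victim, planted) != 0)
        goto cleanup;

    /* 1. Unsafe creation follows the link: the victim is overwritten. */
    fd = open_temp_unsafe(planted);
    if (fd >= 0) {
        ssize_t w = write(fd, "scanner data\n", 13);
        (void)w;
        close(fd);
    }
    if (read_small(victim, buf, sizeof buf) == 0 && strcmp(buf, "scanner data\n") == 0)
        result |= 1;

    /* 2. Hardened creation refuses the planted link outright. */
    write_small(victim, "original\n");
    fd = open_temp_safe(planted);
    if (fd < 0 && errno == EEXIST &&
        read_small(victim, buf, sizeof buf) == 0 && strcmp(buf, "original\n") == 0)
        result |= 2;
    else if (fd >= 0)
        close(fd);

    /* 3. mkstemp() chooses its own unpredictable name with O_EXCL. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        if (strcmp(tmpl, planted) != 0) result |= 4;
        close(fd);
        unlink(tmpl);
    }

cleanup:
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = run_demo();
    printf("unsafe open clobbered victim:    %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open refused:  %s\n", (r & 2) ? "yes" : "no");
    printf("mkstemp avoided planted name:    %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The design point is that checking for a symlink with lstat() before open() would still leave the race the page describes; the fix has to be atomic at the open() call, which is exactly what O_EXCL (and mkstemp() on top of it) provides. A code-review or static-analysis rule that flags open()/fopen() on a predictable temp path without O_EXCL catches this class of bug before it ships.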