Source: cve@mitre.org
ClamAV 0.92 allows local users to overwrite arbitrary files via a symlink attack on (1) temporary files used by the cli_gentempfd function in libclamav/others.c or on (2) .ascii files used by sigtool, when utf16-decode is enabled.
ClamAV 0.92 is vulnerable to a symlink attack that lets a local user overwrite arbitrary files with the privileges of the ClamAV or sigtool process. The impact scales with those privileges: if the affected process runs as root (for example a scheduled clamscan, or sigtool run by an administrator), a pre-placed symlink can corrupt system files or, with a well-chosen target, lead to privilege escalation; if it runs as a dedicated service account, the attacker is limited to files that account can write.
Step 1: Symlink Creation: The attacker predicts the path of a temporary file that libclamav will create (or of the .ascii output file sigtool writes when utf16-decode is enabled) and, before the program does, creates a symbolic link at that path (e.g., /tmp/clamav-temp-file) pointing to the file they wish to overwrite (e.g., /etc/passwd).
Step 2: Triggering ClamAV/sigtool: The attacker causes ClamAV or sigtool to create that file, for example by submitting a file for scanning that makes the scanner spill data to a temporary file, or by waiting for an administrator to run sigtool with the UTF-16 decode option.
Step 3: Following the Symlink: The program opens the predicted path with O_CREAT but without O_EXCL or O_NOFOLLOW, so the kernel follows the pre-placed symlink instead of creating a fresh file. The race is only that the link must be in place before the open; with a predictable name this is trivial to win.
Step 4: File Overwrite: The data intended for the temporary file is written to the symlink target, truncating and overwriting it. What ends up in the target is scanner or sigtool output rather than attacker-chosen bytes, so the primary effect is destructive, but for targets such as /etc/passwd or a configuration file that is enough for denial of service or a follow-on privilege escalation.
The vulnerability stems from how ClamAV 0.92 creates temporary files, and how sigtool creates its .ascii output when UTF-16 decoding is enabled. The cli_gentempfd function in libclamav/others.c and the sigtool utility open these files at a predictable path in a shared directory without the O_CREAT|O_EXCL combination (or a mkstemp-style call) that guarantees a new file is created and the open fails if anything already exists there. A local user with write access to the directory can therefore plant a symlink at the expected name pointing at a sensitive file (e.g., /etc/passwd, a configuration file, or a system binary); when ClamAV or sigtool opens the temporary path, the symlink is followed and the write lands in the attacker's target. The flaw is not one of input sanitization but of unsafe file creation: the program trusts that the path it chose does not yet exist, and lets whoever got there first control the destination of the write. The UTF-16 decode path in sigtool adds a second instance of the same unsafe pattern, widening the attack surface.
While no specific APTs are known to target this vulnerability, it is low-hanging fruit that any local attacker could leverage: exploitation requires nothing more than write access to the temporary directory and the ability to wait for, or trigger, a scan. It is not listed on CISA KEV, which catalogs only vulnerabilities with evidence of active exploitation in the wild; none has been reported for this issue.
Monitor file system activity for suspicious symlink creation in shared temporary directories such as /tmp and /var/tmp, particularly symlinks owned by unprivileged users whose targets are outside those directories (on Linux, an auditd rule on the symlink and symlinkat syscalls captures this).
Analyze ClamAV and sigtool logs for unusual file operations or errors related to temporary files or .ascii files.
Implement file integrity monitoring (FIM) to detect changes to critical system files (e.g., /etc/passwd, /etc/shadow).
Monitor for unexpected modifications to ClamAV configuration files or signature databases.
Network-based detection is less relevant for this local privilege escalation vulnerability.
Upgrade to a patched version of ClamAV (version 0.92.1 or later).
For developers: create temporary files with mkstemp() (or open() with O_CREAT|O_EXCL), which atomically creates a new file with an unpredictable name and fails with EEXIST if anything, including a symlink, already occupies the path. Checking the path first and opening it afterwards is not a fix; the check-then-open gap is exactly the window an attacker uses.
Use the O_NOFOLLOW flag when opening files that must not be symlinks. Note that O_NOFOLLOW only refuses a symlink in the final path component, so it complements rather than replaces O_EXCL for file creation.
Restrict temporary directories: keep the sticky bit on shared directories such as /tmp, prefer a per-service private directory (e.g., ClamAV's TemporaryDirectory setting pointed at a directory writable only by the ClamAV user), and on Linux enable fs.protected_symlinks=1, which stops processes from following symlinks in world-writable sticky directories unless the symlink owner matches the follower or the directory owner.
Regularly audit system configurations and file permissions to identify and address potential vulnerabilities.
Implement a defense-in-depth strategy, including intrusion detection and prevention systems (IDS/IPS) and file integrity monitoring (FIM).
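The following is an added example, not code from ClamAV or from this advisory. It reproduces the attack sequence from the steps above in a scratch directory, and then shows the two mitigations recommended under hardening (O_CREAT|O_EXCL with O_NOFOLLOW, and mkstemp). The directory layout, file names and contents are all constructed for the demo; the function names are hypothetical and stand in for the ClamAV code paths, not for cli_gentempfd itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical stand-in for the 0.92 code path):
 * predictable name, O_CREAT without O_EXCL. If an attacker planted a
 * symlink at `path`, the kernel follows it and truncates its target. */
static int open_temp_vulnerable(const char *path) {
    return open(path, O_CREAT | O_RDWR | O_TRUNC, 0600);
}

/* Hardened pattern 1: O_EXCL makes open() fail with EEXIST if anything
 * (a symlink included) already exists at `path`. O_NOFOLLOW additionally
 * refuses to follow a symlink in the final component (ELOOP). */
static int open_temp_hardened(const char *path) {
    return open(path, O_CREAT | O_RDWR | O_EXCL | O_NOFOLLOW, 0600);
}

/* Hardened pattern 2: mkstemp() chooses an unpredictable name and creates
 * it atomically with O_CREAT|O_EXCL, so there is no path to pre-plant. */
static int open_temp_mkstemp(char *template_path) {
    return mkstemp(template_path); /* must end in XXXXXX */
}

/* Returns 1 if the victim file still holds exactly `expected`. */
static int victim_intact(const char *victim, const char *expected) {
    char buf[128] = {0};
    FILE *f = fopen(victim, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return strcmp(buf, expected) == 0;
}

/* Runs the whole scenario in a private scratch directory (constructed
 * input). Returns 1 if the vulnerable open() overwrote the victim through
 * the symlink AND both hardened variants refused; negative on setup error. */
int run_symlink_demo(void) {
    char dir[] = "/tmp/symlinkdemo.XXXXXX";   /* mkdtemp fills the Xs */
    if (!mkdtemp(dir)) return -1;

    char victim[256], tmp[256], templ[256];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(tmp, sizeof tmp, "%s/clamav-temp", dir); /* predictable name */
    snprintf(templ, sizeof templ, "%s/clamav-XXXXXX", dir);

    const char *orig = "original victim content\n";
    FILE *f = fopen(victim, "w");
    if (!f) return -2;
    fputs(orig, f);
    fclose(f);

    /* Step 1: attacker plants a symlink at the predictable temp path. */
    if (symlink(victim, tmp) != 0) return -3;

    /* Steps 2-4: the scanner "creates" its temp file and writes to it;
     * the write is redirected through the symlink into the victim. */
    int fd = open_temp_vulnerable(tmp);
    if (fd < 0) return -4;
    const char *scratch = "scanner scratch data\n";
    (void)!write(fd, scratch, strlen(scratch));
    close(fd);
    int overwritten = !victim_intact(victim, orig);

    /* Mitigation 1: same path, hardened flags. The planted symlink makes
     * open() fail with EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW). */
    int fd2 = open_temp_hardened(tmp);
    int refused = (fd2 < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd2 >= 0) close(fd2);

    /* Mitigation 2: mkstemp() picks a fresh unpredictable name. */
    int fd3 = open_temp_mkstemp(templ);
    int fresh = (fd3 >= 0 && strcmp(templ, tmp) != 0);
    if (fd3 >= 0) { close(fd3); unlink(templ); }

    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return overwritten && refused && fresh;
}

int main(void) {
    int r = run_symlink_demo();
    printf("vulnerable open followed symlink, hardened opens refused: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The demo deliberately uses a private subdirectory created with mkdtemp rather than /tmp itself, so that a kernel with fs.protected_symlinks=1 does not mask the vulnerable behaviour: that sysctl only governs symlinks in world-writable sticky directories, which is precisely why it is a useful system-wide mitigation for the real attack but not a substitute for fixing the file-creation code.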