Mailing List Archive: ClamAV: devel

Security: contrib/trashscan can be bypassed



jlick at drivel

Jun 8, 2004, 6:17 AM

Post #1 of 3 (2904 views)
Security: contrib/trashscan can be bypassed

The ClamAV package has included a procmail filter called trashscan in
the contrib directory for quite a while now. Unfortunately the filter
has a security bug that allows a virus to bypass the virus scanner quite
simply.

The way trashscan works is it reads in a message, scans it with ClamAV,
then adds an X-Virus-Scan: header to the message. It then causes the
message to be redelivered to the user's mailbox. The recommended
procmail recipe contains as core virus filtering rules:

> # 1. Run TrashScan
> :0
> * multipart
> * !^X-Virus-Scan:
> | $TRASHSCAN
>
> # 2. Filter tagged virus mails
> :0:
> * ^X-Virus-Scan: Suspicious
> mail.virus


In other words, mail is only scanned if there is no X-Virus-Scan: header
on the email. A virus writer would only need to pre-include this header
with something besides Suspicious as the content to cause trashscan
users to not scan the message.

Because of the way trashscan accepts a message and then redelivers it
again, it is difficult to work around this problem.

Fair Disclosure: I have written a competing procmail filter for ClamAV
called clamassassin. My intent of this bug report is not to disrespect
the author of trashscan or promote my filter instead, but only to
improve the security of the ClamAV package. I was reminded to make this
report as a result of a discussion in the ASRG list (Anti-Spam Research
Group) regarding viruses that forge virus scanner headers.

--
James Lick -- 黎建溥 -- jlick [at] jameslick -- http://jameslick.com/


_______________________________________________
Clamav-devel mailing list
Clamav-devel [at] lists
https://lists.sourceforge.net/lists/listinfo/clamav-devel


tk at lodz

Jun 11, 2004, 5:29 PM

Post #2 of 3 (2741 views)
Re: Security: contrib/trashscan can be bypassed [In reply to]

On Tue, 08 Jun 2004 21:17:31 +0800
James Lick <jlick [at] drivel> wrote:

> The ClamAV package has included a procmail filter called trashscan in
> the contrib directory for quite a while now. Unfortunately the filter
> has a security bug that allows a virus to bypass the virus scanner
> quite simply.
>
> The way trashscan works is it reads in a message, scans it with
> ClamAV, then adds an X-Virus-Scan: header to the message. It then
> causes the message to be redelivered to the user's mailbox. The
> recommended procmail recipe contains as core virus filtering rules:
>
> > # 1. Run TrashScan
> > :0
> > * multipart
> > * !^X-Virus-Scan:
> > | $TRASHSCAN
> >
> > # 2. Filter tagged virus mails
> > :0:
> > * ^X-Virus-Scan: Suspicious
> > mail.virus
>
>
> In other words, mail is only scanned if there is no X-Virus-Scan:
> header on the email. A virus writer would only need to pre-include
> this header with something besides Suspicious as the content to cause
> trashscan users to not scan the message.
>
> Because of the way trashscan accepts a message and then redelivers it
> again, it is difficult to workaround this problem.
>
> Fair Disclosure: I have written a competing procmail filter for
> ClamAV called clamassassin. My intent of this bug report is not to
> disrespect the author of trashscan or promote my filter instead, but
> only to improve the security of the ClamAV package. I was reminded to
> make this report as a result of a discussion in the ASRG list
> (Anti-Spam Research Group) regarding viruses that forge virus scanner
> headers.

Thank you for pointing this out, trashscan will be removed from contrib
ASAP.

--
oo ..... Tomasz Kojm <tkojm [at] clamav>
(\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg
\..........._ 0DCA5A08407D5288279DB43454822DC8985A444B
//\ /\ Sat Jun 12 02:28:23 CEST 2004


maniac at maniac

Jun 13, 2004, 3:52 AM

Post #3 of 3 (2733 views)
Re: Security: contrib/trashscan can be bypassed [In reply to]

On Sat, 2004-06-12 at 02:29, Tomasz Kojm wrote:
> On Tue, 08 Jun 2004 21:17:31 +0800
> James Lick <jlick [at] drivel> wrote:
>
> > The ClamAV package has included a procmail filter called trashscan in
> > the contrib directory for quite a while now. Unfortunately the filter
[snip]
> > > # 1. Run TrashScan
> > > :0
> > > * multipart
> > > * !^X-Virus-Scan:
> > > | $TRASHSCAN
> > >
> > > # 2. Filter tagged virus mails
> > > :0:
> > > * ^X-Virus-Scan: Suspicious
> > > mail.virus
[snip]

> Thank you for pointing this out, trashscan will be removed from contrib
> ASAP.

I don't use this feature myself, but this security issue can be fixed
easily. Make the header (X-Virus-Scan:) variable... Include a hostname
or domainname in it, or let the user provide his own.

The default can be seen in some virus-mails, but this protects against
those attacks.

I myself include something along the lines of:
X-Virus-Scanned: scanner.domain.tld

--
Mark Janssen <maniac at maniac.nl>
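The recipe's loop guard from the first post and the site-specific header suggested in this reply, modelled in Python as an added example (not code from the thread, from trashscan or from clamassassin); the two sample messages and SITE_TAG are constructed values.

```python
import email
from email import policy
from email.message import EmailMessage

# Site-specific tag, as suggested in the thread (constructed value). A hostname is
# guessable from bounced mail, so a user-chosen private token is the stronger choice.
SITE_TAG = "scanner.example.invalid"

_BODY = b'--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n--b1--\r\n'


def build_message(extra_headers: bytes = b"") -> bytes:
    """Constructed multipart message; extra_headers are inserted as sender-supplied headers."""
    return (b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
            b"Subject: test\r\n" + extra_headers +
            b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n' + _BODY)


PLAIN = build_message()
# Sender pre-includes the scanner header with a non-"Suspicious" value (the case in the report).
FORGED = build_message(b"X-Virus-Scan: Clean\r\n")


def _parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def original_recipe_scans(raw: bytes) -> bool:
    """Mirror the posted recipe: scan only multipart mail with no X-Virus-Scan header.
    ('* multipart' is approximated by the Content-Type; procmail greps the whole head.)"""
    msg = _parse(raw)
    return msg.is_multipart() and msg["X-Virus-Scan"] is None


def hardened_recipe_scans(raw: bytes) -> bool:
    """Hardened loop guard: only a header carrying our own tag counts as 'already scanned',
    so a sender-supplied X-Virus-Scan header without the tag does not stop the scan."""
    msg = _parse(raw)
    own = [v for v in msg.get_all("X-Virus-Scan", []) if SITE_TAG in v]
    return msg.is_multipart() and not own


def tag_after_scan(raw: bytes, verdict: str) -> bytes:
    """What the redelivery step should do: drop sender-supplied X-Virus-Scan headers,
    then add exactly one carrying the site tag, so the guard matches only our header."""
    msg = _parse(raw)
    del msg["X-Virus-Scan"]
    msg["X-Virus-Scan"] = f"{verdict} ({SITE_TAG})"
    return msg.as_bytes()
```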



