kylefarris / clamscan

A robust ClamAV virus scanning library supporting scanning files, directories, and streams with local sockets, local/remote TCP, and local clamscan/clamdscan binaries (with failover).
MIT License
236 stars 69 forks

Security Fix for Command Injection - huntr.dev #63

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

https://huntr.dev/users/alromh87 has fixed the Command Injection vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
--- | ---
Version Affected | ALL
Bug Fix | YES
Original Pull Request | https://github.com/418sec/clamscan/pull/3
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/clamscan/1/README.md

User Comments:

📊 Metadata

Bounty URL: https://www.huntr.dev/bounties/1-npm-clamscan

⚙️ Description

clamscan lets you use Node JS to scan files on your server with ClamAV's clamscan binary or clamdscan daemon. This is especially useful for scanning uploaded files provided by untrusted sources.

This package is vulnerable to Command Injection: it is possible to inject arbitrary commands as part of the _is_clamav_binary function located within index.js.

It should be noted that this vulnerability has a prerequisite: a folder must exist with the same name as the command that will be chained to execute, which lowers the risk of this issue.

There is a previous fix, https://github.com/418sec/clamscan/pull/1, that would still allow arbitrary command execution with one argument.

Updated with the latest changes from upstream.

💻 Technical Description

Avoid creating a string and then splitting it; instead pass the path directly to cp_execfile(), so that it is handled as the command rather than as command and argument.

🐛 Proof of Concept (PoC)

  1. Download the latest version from: https://github.com/kylefarris/clamscan
  2. Create poc.js with the following content:

    // Load the clamscan module from the repository root.
    var Root = require("./");
    var fs = require("fs");
    // Attacker-controlled "path": the first token becomes the command,
    // the rest becomes its argument.
    var attack_code = "touch vulnerable.txt";
    var root = new Root();
    // A directory with the same name must exist so the configured path
    // passes the library's existence check before it is executed
    // (the prerequisite noted above). mkdirSync avoids racing init().
    fs.mkdirSync(attack_code, { recursive: true });
    // Point the clamscan binary path at the attacker-controlled string.
    root.init({ clamscan: { path: attack_code } });

  3. Execute node poc.js
  4. vulnerable.txt will be created

[Screenshot 2020-10-06 23-39-48]

🔥 Proof of Fix (PoF)

After the fix no file is created. [Screenshot 2020-10-06 23-40-14]

👍 User Acceptance Testing (UAT)

Functionality unaffected.

JamieSlome commented 3 years ago

@kylefarris - let me know your thoughts or if you have any questions!

Cheers! 🍰