2018-12-17 11:47:18 -05:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2015 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
|
|
|
|
* Copyright (C) 2009 Sourcefire, Inc.
|
|
|
|
|
*
|
2019-05-30 13:29:02 -04:00
|
|
|
* Authors: Tomasz Kojm, aCaB, Mickey Sola
|
2018-12-17 11:47:18 -05:00
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#if HAVE_CONFIG_H
|
|
|
|
|
#include "clamav-config.h"
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#if defined(C_SOLARIS)
|
|
|
|
|
#ifndef __EXTENSIONS__
|
|
|
|
|
#define __EXTENSIONS__
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* must be first because it may define _XOPEN_SOURCE */
|
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
|
|
|
#include "fdpassing.h"
|
2018-12-17 11:47:18 -05:00
|
|
|
#include <stdio.h>
|
2019-04-25 16:11:39 -04:00
|
|
|
#include <curl/curl.h>
|
2018-12-17 11:47:18 -05:00
|
|
|
#ifdef HAVE_UNISTD_H
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#endif
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#ifdef HAVE_SYS_SELECT_H
|
|
|
|
|
#include <sys/select.h>
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef _WIN32
|
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <sys/un.h>
|
|
|
|
|
#include <netdb.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
|
|
|
// libclamav
|
|
|
|
|
#include "clamav.h"
|
|
|
|
|
#include "others.h"
|
|
|
|
|
|
|
|
|
|
// shared
|
|
|
|
|
#include "actions.h"
|
|
|
|
|
#include "output.h"
|
|
|
|
|
#include "misc.h"
|
2018-12-17 11:47:18 -05:00
|
|
|
|
2019-07-25 12:21:07 -04:00
|
|
|
#include "communication.h"
|
|
|
|
|
#include "protocol.h"
|
|
|
|
|
#include "client.h"
|
2018-12-17 11:47:18 -05:00
|
|
|
|
2019-07-25 12:42:08 -04:00
|
|
|
static const char *scancmd[] = {"CONTSCAN", "MULTISCAN", "INSTREAM", "FILDES", "ALLMATCHSCAN"};
|
2018-12-17 11:47:18 -05:00
|
|
|
|
|
|
|
|
/* Issues an INSTREAM command to clamd and streams the given file
|
|
|
|
|
* Returns >0 on success, 0 soft fail, -1 hard fail */
|
2019-07-25 12:42:08 -04:00
|
|
|
static int onas_send_stream(CURL *curl, const char *filename, int fd, int64_t timeout, uint64_t maxstream)
|
|
|
|
|
{
|
|
|
|
|
uint32_t buf[BUFSIZ / sizeof(uint32_t)];
|
|
|
|
|
uint64_t len;
|
|
|
|
|
uint64_t todo = maxstream;
|
|
|
|
|
int ret = 1;
|
|
|
|
|
int close_flag = 0;
|
|
|
|
|
|
|
|
|
|
if (0 == fd) {
|
|
|
|
|
if (filename) {
|
|
|
|
|
if ((fd = safe_open(filename, O_RDONLY | O_BINARY)) < 0) {
|
|
|
|
|
logg("~%s: Access denied. ERROR\n", filename);
|
|
|
|
|
return 0;
|
2019-05-22 15:36:54 -04:00
|
|
|
}
|
2019-07-25 12:42:08 -04:00
|
|
|
//logg("DEBUG: >>>>> fd is %d\n", fd);
|
|
|
|
|
close_flag = 1;
|
|
|
|
|
} else {
|
|
|
|
|
fd = 0;
|
2019-05-22 15:36:54 -04:00
|
|
|
}
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (onas_sendln(curl, "zINSTREAM", 10, timeout)) {
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto strm_out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while ((len = read(fd, &buf[1], sizeof(buf) - sizeof(uint32_t))) > 0) {
|
|
|
|
|
if ((uint64_t)len > todo) len = todo;
|
|
|
|
|
buf[0] = htonl(len);
|
|
|
|
|
if (onas_sendln(curl, (const char *)buf, len + sizeof(uint32_t), timeout)) {
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto strm_out;
|
|
|
|
|
}
|
|
|
|
|
todo -= len;
|
|
|
|
|
if (!todo) {
|
|
|
|
|
len = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-04-04 10:43:19 -04:00
|
|
|
|
2019-07-25 12:42:08 -04:00
|
|
|
if (len) {
|
|
|
|
|
logg("!Failed to read from %s.\n", filename ? filename : "STDIN");
|
|
|
|
|
ret = 0;
|
|
|
|
|
goto strm_out;
|
|
|
|
|
}
|
|
|
|
|
*buf = 0;
|
|
|
|
|
onas_sendln(curl, (const char *)buf, 4, timeout);
|
2019-05-30 13:29:02 -04:00
|
|
|
|
|
|
|
|
strm_out:
|
2019-07-25 12:42:08 -04:00
|
|
|
if (close_flag) {
|
|
|
|
|
//logg("DEBUG: >>>>> closed fd %d\n", fd);
|
|
|
|
|
close(fd);
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
2018-12-17 11:47:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_FD_PASSING
|
|
|
|
|
/* Issues a FILDES command and pass a FD to clamd
|
|
|
|
|
* Returns >0 on success, 0 soft fail, -1 hard fail */
|
2019-07-25 12:42:08 -04:00
|
|
|
static int onas_send_fdpass(CURL *curl, const char *filename, int fd, int64_t timeout)
|
|
|
|
|
{
|
|
|
|
|
CURLcode result;
|
|
|
|
|
struct iovec iov[1];
|
|
|
|
|
struct msghdr msg;
|
|
|
|
|
struct cmsghdr *cmsg;
|
|
|
|
|
unsigned char fdbuf[CMSG_SPACE(sizeof(int))];
|
|
|
|
|
char dummy[] = "";
|
|
|
|
|
int ret = 1;
|
|
|
|
|
int close_flag = 0;
|
|
|
|
|
|
|
|
|
|
if (0 == fd) {
|
|
|
|
|
if (filename) {
|
|
|
|
|
if ((fd = open(filename, O_RDONLY)) < 0) {
|
|
|
|
|
logg("~%s: Access denied. ERROR\n", filename);
|
|
|
|
|
return 0;
|
2019-05-22 15:36:54 -04:00
|
|
|
}
|
2019-07-25 12:42:08 -04:00
|
|
|
close_flag = 1;
|
|
|
|
|
} else {
|
|
|
|
|
fd = 0;
|
2019-05-22 15:36:54 -04:00
|
|
|
}
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
2020-01-28 14:05:44 -05:00
|
|
|
|
|
|
|
|
result = onas_sendln(curl, "zFILDES", 8, timeout);
|
|
|
|
|
|
|
|
|
|
if (result) {
|
2019-07-25 12:42:08 -04:00
|
|
|
logg("*ClamProto: error sending w/ curl, %s\n", curl_easy_strerror(result));
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto fd_out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
iov[0].iov_base = dummy;
|
|
|
|
|
iov[0].iov_len = 1;
|
|
|
|
|
memset(&msg, 0, sizeof(msg));
|
|
|
|
|
msg.msg_control = fdbuf;
|
|
|
|
|
msg.msg_iov = iov;
|
|
|
|
|
msg.msg_iovlen = 1;
|
|
|
|
|
msg.msg_controllen = CMSG_LEN(sizeof(int));
|
|
|
|
|
cmsg = CMSG_FIRSTHDR(&msg);
|
|
|
|
|
cmsg->cmsg_len = CMSG_LEN(sizeof(int));
|
|
|
|
|
cmsg->cmsg_level = SOL_SOCKET;
|
|
|
|
|
cmsg->cmsg_type = SCM_RIGHTS;
|
|
|
|
|
*(int *)CMSG_DATA(cmsg) = fd;
|
|
|
|
|
if (onas_sendln(curl, &msg, 0, timeout) == -1) {
|
|
|
|
|
logg("!FD send failed: %s\n", strerror(errno));
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto fd_out;
|
|
|
|
|
}
|
2019-05-30 13:29:02 -04:00
|
|
|
fd_out:
|
2019-07-25 12:42:08 -04:00
|
|
|
if (close_flag) {
|
|
|
|
|
close(fd);
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
2018-12-17 11:47:18 -05:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* Sends a proper scan request to clamd and parses its replies
|
|
|
|
|
* This is used only in non IDSESSION mode
|
|
|
|
|
* Returns the number of infected files or -1 on error
|
|
|
|
|
* NOTE: filename may be NULL for STREAM scantype. */
|
2019-07-25 12:42:08 -04:00
|
|
|
int onas_dsresult(CURL *curl, int scantype, uint64_t maxstream, const char *filename, int fd, int64_t timeout, int *printok, int *errors, cl_error_t *ret_code)
|
|
|
|
|
{
|
|
|
|
|
int infected = 0, len = 0, beenthere = 0;
|
|
|
|
|
char *bol, *eol;
|
|
|
|
|
struct RCVLN rcv;
|
|
|
|
|
STATBUF sb;
|
|
|
|
|
|
|
|
|
|
onas_recvlninit(&rcv, curl);
|
|
|
|
|
|
|
|
|
|
switch (scantype) {
|
|
|
|
|
case MULTI:
|
|
|
|
|
case CONT:
|
|
|
|
|
case ALLMATCH:
|
|
|
|
|
if (!filename) {
|
|
|
|
|
logg("Filename cannot be NULL for MULTISCAN or CONTSCAN.\n");
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_ENULLARG;
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
len = strlen(filename) + strlen(scancmd[scantype]) + 3;
|
|
|
|
|
if (!(bol = malloc(len))) {
|
|
|
|
|
logg("!Cannot allocate a command buffer: %s\n", strerror(errno));
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EMEM;
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
sprintf(bol, "z%s %s", scancmd[scantype], filename);
|
|
|
|
|
if (onas_sendln(curl, bol, len, timeout)) {
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EWRITE;
|
|
|
|
|
}
|
|
|
|
|
free(bol);
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
free(bol);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case STREAM:
|
|
|
|
|
/* NULL filename safe in send_stream() */
|
|
|
|
|
len = onas_send_stream(curl, filename, fd, timeout, maxstream);
|
|
|
|
|
break;
|
2018-12-17 11:47:18 -05:00
|
|
|
#ifdef HAVE_FD_PASSING
|
2019-07-25 12:42:08 -04:00
|
|
|
case FILDES:
|
|
|
|
|
/* NULL filename safe in send_fdpass() */
|
|
|
|
|
len = onas_send_fdpass(curl, filename, fd, timeout);
|
|
|
|
|
break;
|
2018-12-17 11:47:18 -05:00
|
|
|
#endif
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (len <= 0) {
|
|
|
|
|
*printok = 0;
|
|
|
|
|
if (errors)
|
|
|
|
|
(*errors)++;
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = len;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while ((len = onas_recvln(&rcv, &bol, &eol, timeout))) {
|
|
|
|
|
if (len == -1) {
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EREAD;
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
beenthere = 1;
|
|
|
|
|
if (!filename) {
|
|
|
|
|
logg("~%s\n", bol);
|
|
|
|
|
}
|
|
|
|
|
if (len > 7) {
|
|
|
|
|
char *colon = strrchr(bol, ':');
|
|
|
|
|
|
|
|
|
|
if (colon && colon[1] != ' ') {
|
|
|
|
|
char *br;
|
|
|
|
|
*colon = 0;
|
|
|
|
|
|
|
|
|
|
br = strrchr(bol, '(');
|
|
|
|
|
if (br) {
|
|
|
|
|
*br = 0;
|
|
|
|
|
}
|
|
|
|
|
colon = strrchr(bol, ':');
|
|
|
|
|
}
|
2018-12-17 11:47:18 -05:00
|
|
|
|
2019-07-25 12:42:08 -04:00
|
|
|
if (!colon) {
|
|
|
|
|
char *unkco = "UNKNOWN COMMAND";
|
|
|
|
|
if (!strncmp(bol, unkco, sizeof(unkco) - 1)) {
|
|
|
|
|
logg("*clamd replied \"UNKNOWN COMMAND\". Command was %s\n",
|
|
|
|
|
(scantype < 0 || scantype > MAX_SCANTYPE) ? "unidentified" : scancmd[scantype]);
|
|
|
|
|
} else {
|
|
|
|
|
logg("*Failed to parse reply: \"%s\"\n", bol);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EPARSE;
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
|
|
|
|
|
} else if (!memcmp(eol - 7, " FOUND", 6)) {
|
|
|
|
|
static char last_filename[PATH_MAX + 1] = {'\0'};
|
|
|
|
|
*(eol - 7) = 0;
|
|
|
|
|
*printok = 0;
|
|
|
|
|
|
|
|
|
|
if (scantype != ALLMATCH) {
|
|
|
|
|
infected++;
|
|
|
|
|
} else {
|
|
|
|
|
if (filename != NULL && strcmp(filename, last_filename)) {
|
|
|
|
|
infected++;
|
|
|
|
|
strncpy(last_filename, filename, PATH_MAX);
|
|
|
|
|
last_filename[PATH_MAX] = '\0';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (filename) {
|
|
|
|
|
if (scantype >= STREAM) {
|
|
|
|
|
logg("~%s%s FOUND\n", filename, colon);
|
|
|
|
|
if (action) {
|
|
|
|
|
action(filename);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
logg("~%s FOUND\n", bol);
|
|
|
|
|
*colon = '\0';
|
|
|
|
|
if (action) {
|
|
|
|
|
action(bol);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_VIRUS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
} else if (len > 49 && !memcmp(eol - 50, " lstat() failed: No such file or directory. ERROR", 49)) {
|
|
|
|
|
if (errors) {
|
|
|
|
|
(*errors)++;
|
|
|
|
|
}
|
|
|
|
|
*printok = 0;
|
|
|
|
|
|
|
|
|
|
if (filename) {
|
|
|
|
|
(scantype >= STREAM) ? logg("*%s%s\n", filename, colon) : logg("*%s\n", bol);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_ESTAT;
|
|
|
|
|
}
|
|
|
|
|
} else if (len > 41 && !memcmp(eol - 42, " lstat() failed: Permission denied. ERROR", 41)) {
|
|
|
|
|
if (errors) {
|
|
|
|
|
(*errors)++;
|
|
|
|
|
}
|
|
|
|
|
*printok = 0;
|
|
|
|
|
|
|
|
|
|
if (filename) {
|
|
|
|
|
(scantype >= STREAM) ? logg("*%s%s\n", filename, colon) : logg("*%s\n", bol);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_ESTAT;
|
|
|
|
|
}
|
|
|
|
|
} else if (len > 21 && !memcmp(eol - 22, " Access denied. ERROR", 21)) {
|
|
|
|
|
if (errors) {
|
|
|
|
|
(*errors)++;
|
|
|
|
|
}
|
|
|
|
|
*printok = 0;
|
|
|
|
|
|
|
|
|
|
if (filename) {
|
|
|
|
|
(scantype >= STREAM) ? logg("*%s%s\n", filename, colon) : logg("*%s\n", bol);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EACCES;
|
|
|
|
|
}
|
|
|
|
|
} else if (!memcmp(eol - 7, " ERROR", 6)) {
|
|
|
|
|
if (errors) {
|
|
|
|
|
(*errors)++;
|
|
|
|
|
}
|
|
|
|
|
*printok = 0;
|
|
|
|
|
|
|
|
|
|
if (filename) {
|
|
|
|
|
(scantype >= STREAM) ? logg("~%s%s\n", filename, colon) : logg("~%s\n", bol);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_ESTATE;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!beenthere) {
|
|
|
|
|
if (!filename) {
|
|
|
|
|
logg("STDIN: noreply from clamd\n.");
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EACCES;
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
if (CLAMSTAT(filename, &sb) == -1) {
|
|
|
|
|
logg("~%s: stat() failed with %s, clamd may not be responding\n",
|
|
|
|
|
filename, strerror(errno));
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EACCES;
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
if (!S_ISDIR(sb.st_mode)) {
|
|
|
|
|
logg("~%s: no reply from clamd\n", filename);
|
|
|
|
|
if (ret_code) {
|
|
|
|
|
*ret_code = CL_EACCES;
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
infected = -1;
|
|
|
|
|
goto done;
|
2019-07-25 12:42:08 -04:00
|
|
|
}
|
|
|
|
|
}
|
clamd clients: Mitigate move/remove symlink attack
A malicious user could replace a scan target's directory with a symlink
to another path to trick clamscan, clamdscan, or clamonacc into removing
or moving a different file (eg. a critical system file). The issue would
affect users that use the `--move` or `--remove` options for clamscan,
clamdscan, and clamonacc.
This patch gets the real path for the scan target before the scan,
and if the file alerts and the --move or --remove quarantine features
are used, it mitigates the symlink attack by traversing the path one
directory at a time until reaching the leaf directory where the scan
target file resides before unlinking (or renaming) the file directly.
This commit applies a similar tactic used in the previous commit for
Windows builds, using the Win32 Native API to traverse a path and delete
or move files by handle rather than by file path.
I had some trouble using SetFileInformationByHandle to rename a file by
handle, so for Windows instead it will copy the file to the new location
and then use the safe unlink technique to remove the old file. If the
symlink attack occurs, the unlink will fail, and the system will not be
damaged.
For more information about AV quarantine attacks using links, see the
[RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software)
2020-07-01 22:21:40 -07:00
|
|
|
|
|
|
|
|
done:
|
2019-07-25 12:42:08 -04:00
|
|
|
return infected;
|
|
|
|
|
}
|