Vulnerability Name: CVE-2009-1601 (CCN-50311)

Assigned: 2009-04-27
Published: 2009-04-27
Updated: 2017-08-17
Summary: The Ubuntu clamav-milter.init script in clamav-milter before 0.95.1+dfsg-1ubuntu1.2 in Ubuntu 9.04 sets the ownership of the current working directory to the clamav account, which might allow local users to bypass intended access restrictions via read or write operations involving this directory.
Per https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/365823

A clean install of clamav-milter (0.95.1+dfsg-1ubuntu1.1) causes the root directory to become owned by the clamav user.

This was witnessed breaking ssh chroot environment.

TEST CASE:
- purge any existing clamav-milter installation, make sure you don't have any old /etc/init.d/clamav-milter init script around
- check root directory's owner (should be root:root)
- sudo apt-get install clamav-milter (the last one in Jaunty is 0.95.1+dfsg-1ubuntu1.1)
- after installing the package, clamav-milter will start automatically (at least 'init.d/clamav-milter start' will execute)
- check the root directory's owner:

CVSS v3 Severity: 4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.8 Medium (CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
5.0 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
1.6 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-264
Vulnerability Consequences: Bypass Security
References:

Source: MITRE
Type: CNA
CVE-2009-1601

Source: SECUNIA
Type: Vendor Advisory
35000

Source: CCN
Type: ClamAV Web site
Clam AntiVirus

Source: CCN
Type: OSVDB ID: 54524
clamav-milter clamav-milter.init on Ubuntu Directory Permission Weakness Local Restriction Bypass

Source: BID
Type: Patch
34818

Source: CCN
Type: BID-34818
ClamAV 'clamav-milter' Initscript File Permission Vulnerability

Source: UBUNTU
Type: Vendor Advisory
USN-770-1

Source: CCN
Type: Ubuntu launchpad Bug #363796
clamav-milter init script fails on pidfile

Source: XF
Type: UNKNOWN
clamav-clamavmilter-security-bypass(50311)

Source: CONFIRM
Type: UNKNOWN
https://launchpad.net/bugs/365823

Vulnerable Configuration:

Configuration 1:
  • cpe:/o:ubuntu:linux:9.04:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:clamav:clamav:0.95.1:*:*:*:*:*:*:*
  • AND
  • cpe:/o:ubuntu:linux:9.04:*:*:*:*:*:*:*

* Denotes that component is vulnerable