CVE-2007-4560
published 2007-08-28

Priority: P272 high · 7.6 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 83.54% (99.6th percentile)

clamav-milter in ClamAV before 0.91.2, when run in black hole mode, allows remote attackers to execute arbitrary commands via shell metacharacters that are used in a certain popen call, involving the "recipient field of sendmail."

Affected

6 ranges
Vendor | Product | Version range | Fixed in
clam_anti-virus | clamav | <= 0.91.1 |
clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1
clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1
clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1
clamav | clamav | >= 0 < 0.91.2-1~volatile1 | 0.91.2-1~volatile1
debian | clamav | < clamav 0.91.2-1~volatile1 (bookworm) | clamav 0.91.2-1~volatile1 (bookworm)

Detection & IOCs (extracted from sources)

command: sh msg*
command: rcpt to: > /etc/inetd.conf"@localhost>
  • Detect shell metacharacters injected into the SMTP RCPT TO field targeting clamav-milter in black hole mode; the exploit injects a semicolon-delimited shell command into the recipient address.
  • Detect malicious payload injected into the SMTP From: header as a semicolon-prefixed shell command (e.g., 'From: ;<payload>'), which is written to a clamav-milter temp file and later executed via 'sh msg*'.
  • Monitor for shell execution of wildcard-expanded filenames in /tmp/clamav-* directories, indicative of the 'sh msg*' payload execution technique used by this exploit.
  • Alert on SMTP RCPT TO commands containing shell redirection characters (e.g., >, |) or semicolons, which are the metacharacters exploited in the insecure popen() call.
  • The vulnerability is only exploitable when clamav-milter is run with black hole mode enabled; deployments without black hole mode are not affected.
  • The exploit targets ClamAV versions prior to 0.91.2; upgrading to 0.91.2 or later resolves the insecure popen() argument escaping issue.
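
The RCPT TO and From: checks listed above can be run over SMTP session logs as follows. This is an added example, not code from ClamAV or from the sources this page quotes. The function names, the metacharacters beyond `;`, `>` and `|`, and the sample lines are assumptions made for illustration. The enclosing `<...>` of a forward-path and any ESMTP parameters after it are excluded so that legitimate commands do not alert.

```python
import re

# ';', '>' and '|' are named on the page; the remaining characters are an
# assumption of this example (other common shell metacharacters).
SHELL_META = set(";|><`$&")

RCPT_RE = re.compile(r"^\s*RCPT\s+TO:\s*(.*)$", re.IGNORECASE)
FROM_RE = re.compile(r"^\s*From:\s*(.*)$", re.IGNORECASE)


def forward_path(value):
    """Return the address inside the outermost <...>, dropping ESMTP parameters."""
    value = value.strip()
    end = value.rfind(">")
    if value.startswith("<") and end > 0:
        return value[1:end]
    return value  # no brackets: inspect the whole argument


def check_line(line):
    """Return (field, sorted metacharacters) for a suspicious line, else None."""
    m = RCPT_RE.match(line)
    if m:
        hits = SHELL_META & set(forward_path(m.group(1)))
        return ("RCPT TO", sorted(hits)) if hits else None
    m = FROM_RE.match(line)
    if m and m.group(1).lstrip().startswith(";"):
        return ("From", [";"])  # semicolon-prefixed From: header value
    return None


def scan(lines):
    """Return (line number, field, metacharacters) for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := check_line(line))]


SAMPLE_SESSION = [  # constructed lines, not captured traffic
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "RCPT TO:<bob@example.test> NOTIFY=SUCCESS ORCPT=rfc822;bob@example.test",
    'RCPT TO:<x+"; echo constructed > /tmp/out"@localhost>',
    "RCPT TO:<carol|dave@example.test>",
    "From: Alice <alice@example.test>",
    "From: ;echo constructed",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_SESSION):
        print(finding)
```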

CVSS provenance

nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C
osv | 7.6 | HIGH
vendor_debian | 7.6 | HIGH