clamd DoS?

Hugo van der Kooij hvdkooij at vanderkooij.org
Mon Sep 15 21:41:59 IST 2008


Kevin Miller wrote:
> Julian Field wrote:
> 
>> In /usr/sbin/MailScanner there are a couple of calls to "Explode".
>> Immediately after them, add a line saying
>>     exit;
>> and it will stop straight after the attachment unpacking.
>> Then you can go into /var/spool/MailScanner/incoming, find the
>> relevant directory and see what attachments it pulled out.
>> Then try clamscan-ing them by hand. If the attachments look okay in
>> that directory, then it's a clamd issue I think. I would be
>> interested to see what clamscan makes of them when run by hand.
> 
> I was seeing a number of spam messages coming in w/the subject "Credit
> card transaction report".  Every now and then one would get tagged as a
> virus, but most weren't.  However, I went into MailWatch, selected one
> that wasn't marked as viral and saved the attached Report.zip to my
> linux workstation.  Ark extracted the file report.doc.exe.  I kicked off
> top in a term window, opened another terminal and ran 'clamscan
> report.doc.exe'.  W/in a couple seconds CPU utilization was pegged.

So if you can do this on a plain file with just ClamAV as a factor I
would think you have all the stuff that is needed to report a bug with
the ClamAV team.

If that is the case would you be kind enough to report the bug to the
ClamAV team?

Hugo.

--
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

	A: Yes.
	>Q: Are you sure?
	>>A: Because it reverses the logical flow of conversation.
	>>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

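
The by-hand check discussed in this thread, as an added example that is not part of the original messages or of MailScanner or ClamAV: it runs the scanner over each unpacked attachment under a time limit, so a file that pegs the CPU is recorded as a timeout rather than left running. `SCANNER`, `LIMIT` and `scan_dir` are names assumed for this sketch; the exit codes are clamscan's documented 0 (clean), 1 (virus found) and 2 (error).

```shell
#!/bin/sh
# Added example: scan each unpacked attachment by hand, with a time limit,
# so a file that makes the scanner spin is recorded instead of hanging the shell.
# SCANNER, LIMIT and scan_dir are names chosen for this sketch.

SCANNER="${SCANNER:-clamscan --no-summary}"   # command run once per file
LIMIT="${LIMIT:-60}"                          # seconds before giving up

# scan_dir DIR -> one line per regular file: "STATUS SECONDS PATH"
#   CLEAN   scanner exit 0      FOUND  scanner exit 1 (signature matched)
#   TIMEOUT killed at LIMIT     ERROR  any other exit code
scan_dir() {
    for sd_file in "$1"/*; do
        [ -f "$sd_file" ] || continue
        sd_start=$(date +%s)
        sd_rc=0
        # TERM at LIMIT, KILL 2 s later if the scanner ignores it.
        # $SCANNER is intentionally unquoted so its options split into words.
        timeout -k 2 "$LIMIT" $SCANNER "$sd_file" </dev/null >/dev/null 2>&1 || sd_rc=$?
        sd_secs=$(( $(date +%s) - sd_start ))
        case $sd_rc in
            0)       sd_status=CLEAN ;;
            1)       sd_status=FOUND ;;
            124|137) sd_status=TIMEOUT ;;   # timeout(1): 124 on TERM, 137 on KILL
            *)       sd_status=ERROR ;;
        esac
        printf '%s %s %s\n' "$sd_status" "$sd_secs" "$sd_file"
    done
}

# Example: scan_dir "/var/spool/MailScanner/incoming/<relevant directory>"
```

A `TIMEOUT` line names the exact file and elapsed time, which together with the ClamAV version is the reproducible case a bug report needs.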

