nuclei-templates/network/misconfig/clamav-unauth.yaml

id: clamav-unauth

info:
  name: ClamAV Server - Unauthenticated Access
  author: dwisiswant0
  severity: high
  description: |
    ClamAV server 0.99.2, and possibly other previous versions, allow the execution
    of dangerous service commands without authentication. Specifically, the command 'SCAN'
    may be used to list system files and the command 'SHUTDOWN' shut downs the service.
  reference:
    - https://seclists.org/nmap-dev/2016/q2/201
    - https://bugzilla.clamav.net/show_bug.cgi?id=11585
  metadata:
    verified: true
    max-request: 1
    shodan-query: port:3310 product:"ClamAV" version:"0.99.2"
  tags: network,clamav,unauth,seclists,misconfig,tcp
tcp:
  - inputs:
      - data: "SCAN /nonexistent/{{to_lower(rand_text_alpha(10))}}\r\n"
    host:
      - "{{Hostname}}"
    port: 3310
    read-size: 48

    matchers:
      - type: word
        words:
          - "No such"
          - "lstat() failed"
        condition: and
# digest: 4a0a00473045022100c032187977fe43e4983370c78c4bb097110108915159c108c4168913420165780220671f0b9f11939e157c7429da8e4322823782e3da34c314b7bee0d34ba78f2ed7:922c64590222798bb761d5b6d8e72950
Add clamav-unauth 2022-10-24 00:51:53 +00:00			`id: clamav-unauth`

			`info:`
			`name: ClamAV Server - Unauthenticated Access`
			`author: dwisiswant0`
			`severity: high`
			`description: \|`
			`ClamAV server 0.99.2, and possibly other previous versions, allow the execution`
			`of dangerous service commands without authentication. Specifically, the command 'SCAN'`
			`may be used to list system files and the command 'SHUTDOWN' shut downs the service.`
			`reference:`
			`- https://seclists.org/nmap-dev/2016/q2/201`
			`- https://bugzilla.clamav.net/show_bug.cgi?id=11585`
TemplateMan Update [Wed Sep 27 13:29:58 UTC 2023] :robot: 2023-09-27 13:29:58 +00:00			`metadata:`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`verified: true`
TemplateMan Update [Wed Sep 27 13:29:58 UTC 2023] :robot: 2023-09-27 13:29:58 +00:00			`max-request: 1`
			`shodan-query: port:3310 product:"ClamAV" version:"0.99.2"`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`tags: network,clamav,unauth,seclists,misconfig,tcp`
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`tcp:`
Add clamav-unauth 2022-10-24 00:51:53 +00:00			`- inputs:`
			`- data: "SCAN /nonexistent/{{to_lower(rand_text_alpha(10))}}\r\n"`
			`host:`
			`- "{{Hostname}}"`
removed duplicate network request 2023-09-16 19:35:21 +00:00			`port: 3310`
Add clamav-unauth 2022-10-24 00:51:53 +00:00			`read-size: 48`
Update clamav-unauth.yaml 2022-10-25 12:01:33 +00:00
Add clamav-unauth 2022-10-24 00:51:53 +00:00			`matchers:`
			`- type: word`
			`words:`
Update clamav-unauth.yaml 2022-10-25 12:01:33 +00:00			`- "No such"`
			`- "lstat() failed"`
			`condition: and`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a00473045022100c032187977fe43e4983370c78c4bb097110108915159c108c4168913420165780220671f0b9f11939e157c7429da8e4322823782e3da34c314b7bee0d34ba78f2ed7:922c64590222798bb761d5b6d8e72950`