Nmap clamav-exec NSE Script


This page contains detailed information about how to use the clamav-exec NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.

Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/clamav-exec.nse
Script categories: exploit, vuln
Target service / protocol: clam
Target network port(s): 3310
List of CVEs: -

Script Description


The clamav-exec.nse script exploits ClamAV servers vulnerable to unauthenticated clamav command execution.

ClamAV server 0.99.2, and possibly other previous versions, allows the execution of dangerous service commands without authentication. Specifically, the command 'SCAN' may be used to list system files and the command 'SHUTDOWN' shuts down the service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).

Without arguments, this script tests the availability of the command 'SCAN'.

Clamav-exec NSE Script Arguments


This is a full list of arguments supported by the clamav-exec.nse script:

clamav-exec.cmd

Command to execute. Options: scan and shutdown.

clamav-exec.scandb

Database to file list.

vulns.short

If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.

vulns.showall

If set, the library will show and report all registered vulnerabilities, including the NOT VULNERABLE ones. By default the library only reports the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions:

  • vulns.Report.make_output(): the default output function for portrule/hostrule scripts.
  • vulns.make_output(): the default output function for postrule scripts.
  • vulns.format_vuln() and vulns.format_vuln_table() functions.

- - -
To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=clamav-exec --script-args clamav-exec.cmd=value,clamav-exec.scandb=value <target>

Clamav-exec NSE Script Example Usage


Here's an example of how to use the clamav-exec.nse script:

nmap -sV --script clamav-exec <target>

nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>

nmap --script clamav-exec --script-args cmd='shutdown' <target>

Clamav-exec NSE Script Example Output


Here's a sample output from the clamav-exec.nse script:

PORT     STATE SERVICE VERSION
3310/tcp open  clam    ClamAV 0.99.2 (21714)
| clamav-exec:
|   VULNERABLE:
|   ClamAV Remote Command Execution
|     State: VULNERABLE
|       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
|       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
|       may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
|       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
|
|     Disclosure date: 2016-06-8
|     Extra information:
|       SCAN command is enabled.
|     References:
|       https://bugzilla.clamav.net/show_bug.cgi?id=11585
|_      https://twitter.com/nitr0usmx/status/740673507684679680

Clamav-exec NSE Script Example XML Output


Here's a sample XML output from the clamav-exec.nse script produced by providing the -oX <file> Nmap option:

 <table key="NMAP-1">
 <elem key="title">ClamAV Remote Command Execution</elem>
 <elem key="state">VULNERABLE</elem>
 <table key="description">
 <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution
 of the &#xa;clamav commands SCAN and SHUTDOWN without authentication.
 The command &apos;SCAN&apos; &#xa;may be used to enumerate system files and
 the command &apos;SHUTDOWN&apos; shut downs the &#xa;service.
 This vulnerability was discovered by Alejandro Hernandez (nitr0us).&#xa;</elem>
 </table>
 <table key="dates">
 <table key="disclosure">
 <elem key="year">2016</elem>
 <elem key="day">8</elem>
 <elem key="month">06</elem>
 </table>
 </table>
 <elem key="disclosure">2016-06-8</elem>
 <table key="extra_info">
 <elem>SCAN command is enabled.</elem>
 </table>
 <table key="refs">
 <elem>https://bugzilla.clamav.net/show_bug.cgi?id=11585</elem>
 <elem>https://twitter.com/nitr0usmx/status/740673507684679680</elem>
 </table>
 </table>
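
As an added example (not part of the Nmap project or the original page), the following Python function triages -oX results for this script. It keeps only entries whose state is one of the VULNERABLE values, so NOT VULNERABLE entries emitted under vulns.showall are not counted as findings. The nmaprun/host/port wrapper and the 192.0.2.x addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# States the vulns library reports as positive findings (listed under vulns.showall).
VULNERABLE_STATES = {"VULNERABLE", "LIKELY VULNERABLE",
                     "VULNERABLE (DoS)", "VULNERABLE (Exploitable)"}

# Constructed sample: the script table shown on this page, wrapped in the usual
# nmaprun/host/port elements. 192.0.2.x are documentation-only addresses.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3310"><script id="clamav-exec" output="...">
 <table key="NMAP-1">
  <elem key="title">ClamAV Remote Command Execution</elem>
  <elem key="state">VULNERABLE</elem>
  <table key="extra_info"><elem>SCAN command is enabled.</elem></table>
  <table key="refs"><elem>https://bugzilla.clamav.net/show_bug.cgi?id=11585</elem></table>
 </table></script></port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3310"><script id="clamav-exec" output="...">
 <table key="NMAP-1">
  <elem key="title">ClamAV Remote Command Execution</elem>
  <elem key="state">NOT VULNERABLE</elem>
 </table></script></port></ports></host>
</nmaprun>"""

def clamav_findings(xml_text, include_all=False):
    """Return one dict per clamav-exec entry; positives only unless include_all."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            for entry in port.findall("script[@id='clamav-exec']/table"):
                state = entry.findtext("elem[@key='state']", default="").strip()
                if not include_all and state not in VULNERABLE_STATES:
                    continue  # entry that only appears when vulns.showall is set
                findings.append({
                    "host": addr,
                    "port": int(port.get("portid")),
                    "state": state,
                    "title": entry.findtext("elem[@key='title']"),
                    "extra_info": [e.text for e in entry.findall("table[@key='extra_info']/elem")],
                    "refs": [e.text for e in entry.findall("table[@key='refs']/elem")],
                })
    return findings

if __name__ == "__main__":
    for f in clamav_findings(SAMPLE_XML):
        print(f"{f['host']}:{f['port']} {f['state']} - {'; '.join(f['extra_info'])}")
```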

Author


  • Paulino Calderon <calderon()websec.mx>

Error Messages


The clamav-exec.nse script may fail with the following error messages. To check for possible causes, refer to the code snippets below, taken from the script source code; they can often help in identifying the root cause of the problem.

Failed to send SCAN command:%s


Here is a relevant code snippet related to the "Failed to send SCAN command:%s" error message:

  local status, data

  if not file then
    status, data = comm.exchange(host, port, "SCAN /trinity/loves/nmap")
    if not status then
      stdnse.debug1("Failed to send SCAN command:%s", data)
      return nil
    end

    if data and data:match("No such file") then
      stdnse.debug1("SCAN command enabled.")

Failed to send 'SCAN %s' command:%s


Here is a relevant code snippet related to the "Failed to send 'SCAN %s' command:%s" error message:

      return true, nil
    end
  else
    status, data = comm.exchange(host, port, "SCAN " .. file)
    if not status then
      stdnse.debug1("Failed to send 'SCAN %s' command:%s", file, data)
      return nil
    end
    if data and data:match("OK") then
        stdnse.debug1("File '%s' exists", file)
        return true, true

Failed to send PING command:%s


Here is a relevant code snippet related to the "Failed to send PING command:%s" error message:

end

local function check_clam(host, port)
  local status, data = comm.exchange(host, port, "PING")
  if not status then
    stdnse.debug1("Failed to send PING command:%s", data)
    return nil
  end
  if data and data:match("PONG") then
    stdnse.debug1("PONG response received")
    return true

Version


This page has been created based on Nmap version 7.92.
