CVE-2004-1876
Description
The "%f" feature in the VirusEvent directive in Clam AntiVirus daemon (clamd) before 0.70 allows local users to execute arbitrary commands via shell metacharacters in a file name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ClamAV clamd before 0.70 allows local users to execute arbitrary commands via shell metacharacters in filenames when the %f feature is used in VirusEvent.
Vulnerability
In Clam AntiVirus daemon (clamd) versions prior to 0.70, the VirusEvent configuration directive supports a %f placeholder that is replaced with the name of the infected file [1][2][3]. The file name is not sanitized before being inserted into the command string, allowing shell metacharacters (e.g., backticks, semicolons) to be interpreted by the shell when the command is executed. This issue affects all configurations where VirusEvent contains %f [2][3].
Exploitation
An attacker who can cause clamd to scan a file with a crafted file name (for example, by sending an email with a virus attachment named ;command or similar) can exploit this vulnerability [2][3]. When clamd detects a virus in that file, it triggers the VirusEvent and substitutes the malicious filename, leading to execution of the attacker-supplied commands [2]. The attacker does not require authentication to the scanning system beyond the ability to introduce a file that clamd will scan [2][3].
Impact
Successful exploitation allows arbitrary command execution with the privileges of the clamd process, which often runs as root [2][3]. An attacker can fully compromise the affected system, install malware, exfiltrate data, or pivot to other hosts [3].
Mitigation
Upgrade to ClamAV version 0.70 or later, which disables the %f feature [2][3]. Users who cannot immediately upgrade should remove any use of %f from the VirusEvent directive in clamav.conf [2][3]. The Gentoo GLSA 200405-03 provides specific upgrade instructions for Gentoo systems [3].
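One way to check a configuration for the workaround condition described above, as an added example that is not part of this CVE record or of ClamAV's own tooling. The function names, sample paths and sample config are hypothetical and constructed for illustration; matching the directive name case-insensitively is an assumption made to err on the side of reporting.

```shell
#!/bin/sh
# audit_virusevent FILE...
# Prints "file:line: directive" for every active (uncommented) VirusEvent
# directive whose command string contains the %f placeholder.
# Returns 1 if any were found, 0 if none, 2 on usage error or unreadable file.
audit_virusevent() {
    [ "$#" -gt 0 ] || { echo "usage: audit_virusevent FILE..." >&2; return 2; }
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    awk '
        # Commented-out directives are inactive and are not reported.
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)   # tolerate indented directives
            # Assumption: compare the directive name case-insensitively.
            if (tolower(line) ~ /^virusevent[ \t]/ && index(line, "%f") > 0) {
                printf "%s:%d: %s\n", FILENAME, FNR, line
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Runs the audit over a constructed sample config (not from a real system):
# one commented-out directive, one unrelated directive, one active use of %f.
audit_demo() {
    demo=$(mktemp) || return 2
    printf '%s\n' \
        '# VirusEvent /usr/local/bin/notify.sh %f' \
        'LogFile /var/log/clamd.log' \
        'VirusEvent /usr/local/bin/notify.sh %f' > "$demo"
    rc=0
    audit_virusevent "$demo" || rc=$?
    rm -f "$demo"
    return "$rc"
}
```

A return status of 1 means at least one active VirusEvent line still passes the file name into the command and should be edited as described above.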
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:clam_anti-virus:clamav:0.51:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.52:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.53:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.54:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.60:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.65:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.67:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.68:*:*:*:*:*:*:*
- cpe:2.3:a:clam_anti-virus:clamav:0.68.1:*:*:*:*:*:*:*
- Range: <0.70
Patches
No patches discovered yet.
References
- secunia.com/advisories/11253 (nvd: Patch, Vendor Advisory)
- security.gentoo.org/glsa/glsa-200405-03.xml (nvd: Patch, Vendor Advisory)
- www.securityfocus.com/bid/10007 (nvd: Exploit, Patch, Vendor Advisory)
- marc.info (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/15692 (nvd)