CVE-2009-1601

Vulnerability

The clamav-milter init script in Ubuntu 9.04 (package version 0.95.1+dfsg-1ubuntu1.1 and earlier) changes the ownership of the current working directory to the clamav user during startup. This occurs because the script does not properly handle directory ownership, and when run from a directory such as /, it sets that directory's owner to clamav. The affected package is clamav-milter before 0.95.1+dfsg-1ubuntu1.2 [1][2].

Exploitation

An attacker with local access can exploit this by waiting for the clamav-milter service to start (e.g., during package installation or system boot). The init script runs with root privileges and changes the ownership of the current working directory to the clamav user. If the current directory is a system directory like /, the attacker can then read or write files in that directory as the clamav user, potentially bypassing intended access controls. No authentication beyond local access is required [1][2].

Impact

Successful exploitation allows a local attacker to gain read and write access to directories that were previously owned by root, such as /. This can lead to unauthorized modification of system files, disruption of services (e.g., breaking SSH chroot environments), and potential privilege escalation if the attacker can leverage the clamav user's access to further compromise the system [1][2].

Mitigation

The fix is included in clamav-milter version 0.95.1+dfsg-1ubuntu1.2 for Ubuntu 9.04, released on 4 May 2009 [1]. Users should update to this version. Additionally, administrators can run sudo find -H / -type d -user clamav ! -group clamav 2>/dev/null to identify any directories with incorrect ownership and manually correct them [1]. No workaround is provided for unpatched systems other than updating.