Secure Network Operations, Inc. http://www.secnetops.com Strategic Reconnaissance Team research@secnetops.com Team Lead Contact kf@secnetops.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. Quick Summary: ************************************************************************ Advisory Number : SRT2003-08-11-0729 Product : ViRobot Linux Server Version : Ver 2.0 Vendor : http://www.hauri.net Class : local (remote?) Criticality : High Operating System(s) : *nix High Level Explanation ************************************************************************ High Level Description : Antivirus software has local security issues What to do : chmod -s all suids in /usr/local/ViRobot/ Technical Details ************************************************************************ Proof Of Concept Status : SNO has PoC code for this issue Low Level Description : Alex Hernandez "Security Specialist" from Spain pointed out to us that a new unix based antivirus solution contained a large number of suids. Based on this information we both began beating on the suids in efforts to expose security issues. ViRobot Linux Server protects your file server from viruses. It can have up-to-date definition files through scheduled update and it scans most compressed file formats. ViRobot Linux Server is very convenient with remote-control function via web access. A user who has the ID and password for the server, can access ViRobot on the server from any computer via web browser. Please have a safe server with ViRobot Linux Server... but be sure to chmod -s everything in sight. There are several potential suids to abuse... some have local overflows that may or may not be exploitable I honestly only checked a few since most are run as cgi scripts (more fun later?). ./vrupdate ./cgi-bin/addexceptdir ./cgi-bin/addschscan ./cgi-bin/addschup ./cgi-bin/addtargetdir ./cgi-bin/applyadmin ./cgi-bin/applybackuplog ./cgi-bin/applyfilescan ./cgi-bin/bottom ./cgi-bin/deletelog ./cgi-bin/delschscan ./cgi-bin/delschup ./cgi-bin/filescan ./cgi-bin/frame ./cgi-bin/help ./cgi-bin/help1 ./cgi-bin/help2 ./cgi-bin/login ./cgi-bin/main ./cgi-bin/menu ./cgi-bin/menu2 ./cgi-bin/menu3 ./cgi-bin/menu4 ./cgi-bin/menu5 ./cgi-bin/menu6 ./cgi-bin/rmdir ./cgi-bin/schscan ./cgi-bin/schupdate ./cgi-bin/setadmin ./cgi-bin/setbackuplog ./cgi-bin/setfilescan ./cgi-bin/setupdate ./cgi-bin/top ./cgi-bin/update ./cgi-bin/ver_info ./cgi-bin/viewfilelog ./cgi-bin/viewupdatelog ./cgi-bin/virobot ./cgi-bin/vrupdate ./cgi-bin/warningmessage ./cgi-bin/webvrscan [kf@vegeta kf]$ ln -s /usr/local/ViRobot/cgi-bin/virobot virobot [kf@vegeta kf]$ ./ex_virobot ViRobot Linux Server Local root exploit BY: Dvdman@l33tsecurity.com BUG FOUND BY: KF@SNOSOFT.COM TERM environment variable not set. ------------------------------------------------------------------------------- ViRobot Linux Server ( Heuristic & Feature detection ) 10 May 2002 Korea Copyright (c) 1998-2003 HAURI Inc. All rights reserved E-mail : support@hauri.net Version 2.0 ------------------------------------------------------------------------------- Usage : virobot [