lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1409631118.20041002115253@SECURITY.NNOV.RU>
From: 3APA3A at SECURITY.NNOV.RU (3APA3A)
Subject: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

Dear bipin gautam,

Your statements about "all antivirus" and "design fault" are wrong, it's
strongly  depend  on  the way manual scanning is implemented in specific
product.

1.  many  antiviral products implement their own kernel driver to access
scanned file. For this case permissions have no impact for scanning.

2.  many  antiviral  products  use  their own daemon, running as SYSTEM,
scanner   use   this   daemon   to  access  files.  Daemon  may  acquire
SeBackupPrivilege.  With  backup  privilege daemon can bypass ACLs. Same
goes to scan with administrator's account.

You  still  can  bypass  antiviral protection for manual scans with file
encryption  (on-access  scanners  may  impersonate accessing user). This
time  file  can  only  be  scanned  by administrator if administrator is
recovery agent.

--Saturday, October 2, 2004, 6:37:35 AM, you wrote to full-disclosure@...ts.netsys.com:

bg> All Antivirus, Trojan, Spy ware scanner, Nested file
bg> manual scan bypass bugs. [Part IV]

bg> Risk Level: Medium
bg> Affected Product: (Should be) all Antivirus, Trojan,
bg> Spy ware scanners for windows.

bg> Description:
bg> ------------

bg> A malicious code can reside in a computer (with users
bg> privilage) bypassing "manual scans" of any
bg> Antivirus, Trojan & Spy ware scanners by simply
bg> issuing this command to itself.

bg> cacls hUNT.exe /T /C /P dumb_user:R

bg> ...this is only due to the design fault in Microsoft
bg> Windows, the way it handles NTFS permission.By this
bg> way... any software?s with even Admin./SYSTEM
bg> privilege can't access this file (hUNT.exe) normally
bg> because the only person who has normal access to this
bg> file is "dumb_user"

bg> No wonder, there are several false assumptions in
bg> windows security configuration as well, when a JOE
bg> administrator could permenantly lock himself up in his
bg> own machine.

bg> regards,
bg> Bipin Gautam
bg> http://www.geocities.com/visitbipin
 

 

bg> Disclaimer: The information in the advisory is
bg> believed to be accurate at the time of printing based
bg> on currently available information. Use of the
bg> information constitutes acceptance for use in an AS IS
bg> condition. There are no warranties with regard to this
bg> information. Neither the author nor the publisher
bg> accepts any liability for any direct, indirect or
bg> consequential loss or damage arising from use of, or
bg> reliance on this information.


		
bg> __________________________________
bg> Do you Yahoo!?
bg> Yahoo! Mail Address AutoComplete - You start. We finish.
bg> http://promotions.yahoo.com/new_mail 

bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html


-- 
~/ZARAZA
???????????? ???????? ? ??????.  (????)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ