Message-Id: <20090310151310.5744@smtp.ceilers-it.de>
Date: Tue, 10 Mar 2009 16:13:10 +0100
From: "Carsten Eilers" <advisories@...lers-it.de>
To: <full-disclosure@...ts.grok.org.uk>, <vuln@...unia.com>,
	<bugtraq@...urityfocus.com>
Subject: Multiple Vulnerabilities in iAntiVirus

Title
Multiple Vulnerabilities in iAntiVirus 

Program
PC Tools iAntiVirus for Mac OS X
http://www.iantivirus.com/ 

Tested version
1.35, Engine Version 1.0.0.10 

Tested on German Mac OS X 10.5 with the following preferences: 
- Scan inside archives ON 
- Scan mode NORMAL 
- Heuristics NORMAL 

Description
1. No scan inside .sit and .dmg archives 

   The scan function and the real-time scanner OnGuard do not
   scan inside .sit and .dmg archives.
  
   Impact: 
   It is possible to download malware from the internet or
   to copy it from a USB stick without any interruption from
   iAntiVirus.  
   Malware in .sit archives is recognized by OnGuard during
   manual decompression, but malware in .dmg disk images is
   only recognized during a manual scan of the mounted image.  
   It is possible to run malware from the mounted disk image
   (tested with MacSmurf, which iAntiVirus recognizes as
   'Hacktool.OSX.MacSmurf').

2. Problems with special characters in filenames 

   The scanner, OnGuard and the quarantine management are 
   unable to handle files whose names contain certain special
   characters, for example ?, which is transformed into Æ.
   
   Impact: 
   False positives are lost, since it is impossible to restore
   them. It may also be possible to evade the virus protection.

3. No per-user restrictions in the quarantine management 

   All quarantined files are managed in the same area. Every
   user can restore the files of every other user, including
   the admin.
   
   Impact: 
   A normal user can restore quarantined malware belonging to 
   other accounts, tested with the iWorks Trojan, which was 
   installed by the admin and restored by a normal user.
   Additionally, the history function contains no information
   about which user performed an action, and it can be erased
   by every user.

4. OnGuard only protects one user (or perhaps a few more) 

   If OnGuard is on and another user logs in, it appears as if
   OnGuard is off. If that user copies malware onto the system,
   it disappears without any warning: OnGuard is active and
   moves the files into the quarantine, but does not inform the
   user about this. If the first user is an admin, this seems
   to apply to every normal user. If the first user is a normal
   user, it sometimes applies to the admin as second user, but
   not every time.
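
   As an added check that is not part of the original advisory, the
   following Python script plants the harmless EICAR test string as a
   loose file, inside a zip and (on macOS, via hdiutil) inside a .dmg,
   waits, and reports which copies a resident scanner acted on: a
   surviving .dmg copy reproduces item 1, and a copy that silently
   disappears is the behaviour described in item 4. File names, the wait
   time and the removal heuristic are assumptions; .sit is not covered
   because building one needs StuffIt.

```python
import os
import shutil
import subprocess
import tempfile
import time
import zipfile

# Harmless EICAR test string (68 bytes); every scanner is expected to flag it.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def _write_sample(path):
    with open(path, "w") as fh:
        fh.write(EICAR)


def plant_samples(workdir):
    """Write the test string as a loose file, inside a zip and, when hdiutil
    exists (macOS), inside a .dmg. Returns {label: path}."""
    samples = {"loose": os.path.join(workdir, "eicar.com")}
    _write_sample(samples["loose"])
    samples["zip"] = os.path.join(workdir, "eicar.zip")
    with zipfile.ZipFile(samples["zip"], "w") as zf:
        zf.writestr("eicar.com", EICAR)
    if shutil.which("hdiutil"):  # macOS only: read-only image built from a folder
        src = os.path.join(workdir, "dmg_src")
        os.makedirs(src)
        _write_sample(os.path.join(src, "eicar.com"))
        dmg = os.path.join(workdir, "eicar.dmg")
        cmd = ["hdiutil", "create", "-quiet", "-srcfolder", src, dmg]
        if subprocess.run(cmd).returncode == 0:
            samples["dmg"] = dmg
    return samples


def detected(path):
    """Heuristic: a scanner that acts on a sample removes, quarantines or
    truncates it; an intact file means the sample went unnoticed."""
    return not os.path.exists(path) or os.path.getsize(path) == 0


def run_check(wait_seconds=10):
    """Plant samples, give the resident scanner time, report {label: detected}."""
    workdir = tempfile.mkdtemp(prefix="avcheck-")
    try:
        samples = plant_samples(workdir)
        time.sleep(wait_seconds)
        return {label: detected(path) for label, path in samples.items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for label, hit in run_check().items():
        print(f"{label:5s}: {'detected' if hit else 'NOT detected'}")
```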

5. File permissions are ignored 

   Every normal user can start a "normal scan", which includes
   the system, library and program folders and the folders of
   every user.

Solution
None 

Credits
Carsten Eilers 

Original advisory
http://www.ceilers-it.de/advisories/iantivirus.html 
(also available in a German version) 


Regards
  Carsten Eilers



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/