lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 23 May 2010 12:03:36 -0700
From: "Thor (Hammer Of God)" <thor@...merofgod.com>
To: webDEViL <w3bd3vil@...il.com>
Cc: "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>
Subject: Re: denial-of-service vulnerability in the
	Microsoft Malicious Software Removal Tool

Of course it doesn't.  It just shows how stupid some companies are.



On May 23, 2010, at 11:27 AM, webDEViL <w3bd3vil@...il.com> wrote:

> All said and done, that doesn't make it a vulnerability.
>
> On Sun, May 23, 2010 at 11:47 PM, lsi <stuart@...erdelix.net> wrote:
> On 23 May 2010 at 16:34, Thor (Hammer of God) wrote:
>
> From:                   "Thor (Hammer of God)" <Thor@...merofgod.com>
> To:                     "full-disclosure@...ts.grok.org.uk" <full-
> disclosure@...ts.grok.org.uk>
> Date sent:              Sun, 23 May 2010 16:34:24 +0000
> Subject:                Re: [Full-disclosure] denial-of-service
> vulnerability in the
>        Microsoft       Malicious Software Removal Tool
>
> > And where's the part where the system was rendered unbootable?
>
> The unbootable part comes when you replace NDIS.SYS.  Unless you know
> to replace the registry keys first, which is certainly not obvious
> from the MRT log.
>
> > And how did your users get infected with Cutwail?  Let me guess...
> > they are all still running XP and you've got them running as local
> > administrators right?  And they get to download codecs "willy nilly"
> > and are probably using Bittorrent to get illegal copies of software
> > pre-infected with cutwail, right?
>
> How do I know how they got infected?  These are all third-party
> companies (my customers), sometimes when they have cash problems,
> they don't call me, they try and do it themselves, or do nothing. I
> might not see them for months. They don't want to upgrade - they
> heard about Vista (LOL) and they don't have, or don't want to spend
> the money.
>
> This is reality, not some managed datacentre in Redmond.
>
> > local administrators
>
> Their apps needed it last I checked.  I didn't set up their machines.
> They have not asked me to look at that.  I have enough trouble
> getting work OK'd without putting my neck on the line suggesting a
> configuration change which I cannot guarantee will not cause
> instability, particularly with their legacy and unsupported software,
> of which there is plenty.
>
> Again, this is reality, not some managed datacentre in Redmond.
>
> > Bittorrent
>
> No, like this:
>
> "Stuart, need your help. My computer has a virus. Yesterday night I
> opened an email that I was expecting from a Bernice. It turned out
> that it was the wrong Bernice and it was a virus. It loaded Security
> Essentials 2010 which is a scarevirus to make the user believe that
> there are virus a pay for their software which does nothing anyway.
> It  has loaded a virus in the registry file. There is a lot about it
> on  the net. I then found a PC tools download to remove. However when
> I  turned mycomputer off it does not now allow me to log on. I have
> turned it off. I am without a PC now. Can you come tomorrow to
> resolve  it for me? Many thanks. Please let me know ad I need it
> urgently."
>
> > Regardless, let's see if we have your advisory correct.  In order to
> > be a victim of this "Denial of Service Vulnerability" we must first
> > get infected with something like Cutwail
>
> true
>
> > that runs with user interaction
>
> false.  Cutwail has no known infection vectors.  However, Cutwail is
> just an example.
>
> > interaction and also requires administrator privileges (you can see
> > that NDIS.SYS was altered).
>
> When I am logged in as Admin and try to replace NDIS.SYS, Windows
> File Protection replaces it.  Why did WFP fail to protect the file
> against Cutwail in the first place, and how can a virus replace
> NDIS.SYS using Administrative privs, if I cannot do it myself when
> Administrator?
>
> > Of course, your AV must be at least 2 years old too.
>
> false, it was up-to-date, although I am questioning its effectiveness
>
> >  Then, once we get infected with malware, we run MRT,
> > and see in the logs that it was successfully removed and requires a
> > reboot.
>
> Actually, AV found the virus in NDIS.SYS but could not remove it.  So
> I ran MRT because I thought that a Microsoft product would know this
> is a Windows file that cannot simply be deleted.  MRT says it's done
> and needs reboot, so I reboot... and the system is toast.
>
> To clarify, in this particular case, the first reboot, you can login
> in normal mode, but cannot use any network adapters (code 39 - driver
> corrupted or missing).  Reinstalling the drivers doesn't help.  So
> then you think, oh that's because NDIS was trashed by MRT, so I'll
> just replace NDIS.SYS....
>
> And thats when you get the BSOD on boot to normal mode.  So then you
> need to figure out that the cause of that BSOD is a missing registry
> key, then you need to figure out which keys (there are three, for
> each controlset), then you need to get the correct keys from a clean
> machine, then you need to figure out how to replace the keys (some of
> them cannot be imported with mere Administrative permissions).
>
> However, just last week I also fixed a problem with the userinit
> registry key, also mysteriously deleted - why would a virus trash its
> host?  Answer: it doesn't, I think it was MRT that trashed it.  A
> missing userinit key means instant logoff on logon, even in safe mode
> as Administrator.  I might be able to dig up the MRT log for that
> machine (would be interesting to see whether it was in fact MRT that
> did it).  Want to place bets now?
>
> >From a quick look at the web, MRT has also in the past deleted
> Internet Explorer (iexplore.exe).  Oh, the poetry....
>
> The point of my mail was that anyone can innocently run MRT and it
> may trash their box.  This is due to one or more design flaws in the
> MRT, and in Windows itself.  Are you saying I should just sit on this
> info?  If someone had told me MRT was going to trash my customer's
> machine, I would not have wasted most of last week fixing it.
>
> Stu
>
> > >-----Original Message-----
> > >From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full- 
> disclosure-
> > >bounces@...ts.grok.org.uk] On Behalf Of lsi
> > >Sent: Sunday, May 23, 2010 9:16 AM
> > >To: full-disclosure@...ts.grok.org.uk
> > >Subject: [Full-disclosure] denial-of-service vulnerability in the  
> Microsoft
> > >Malicious Software Removal Tool
> > >
> > >denial-of-service vulnerability in the Microsoft Malicious  
> Software Removal
> > >Tool
> > >
> > >platforms affected: Windows
> > >distribution: wide
> > >severity: high
> > >
> > >Description of the vulnerability:
> > >
> > >The Microsoft Malicious Software Removal Tool (MRT) is a program  
> used to
> > >remove malware from infected Windows systems.  However, MRT does  
> not
> > >always correctly repair the system.  In at least one case, the  
> changes made by
> > >MRT can render the system unbootable (log below).
> > >Repair can be time-consuming and expensive, particularly as the  
> error
> > >messages and log files of the software concerned are cryptic and
> > >uninformative, or non-existent.
> > >
> > >As MRT runs automatically in the background once a month, these  
> changes to
> > >the system may be made without the knowledge of an Administrator  
> (or even
> > >the user).
> > >
> > >Suspected cause:
> > >
> > >Missing logic in MRT to repair the system, rather than just  
> deleting stuff willy-
> > >nilly.
> > >
> > >Recommendations:
> > >
> > >1. Do not run MRT manually.
> > >
> > >2. Disable MRT if possible, especially on mission-critical  
> machines.
> > >
> > >3. Do not use Windows.
> > >
> > >Details of notification to vendor:
> > >
> > >None.
> > >
> > >Sample of the fault:
> > >
> > >Microsoft Windows Malicious Software Removal Tool v3.7, May 2010  
> Started
> > >On Tue May 18 21:24:47 2010
> > >
> > >Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
> > >----------------
> > >Threat detected: VirTool:WinNT/Cutwail.L
> > >    driver://NDIS
> > >    file://C:\WINDOWS\system32\drivers\NDIS.sys
> > >        SigSeq: 0x00008A78910FD971
> > >        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
> > >
> > >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> > >ORK\NDIS
> > >
> > >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> > >WORK\NDIS
> > >    service://NDIS
> > >
> > >Quick Scan Removal Results
> > >----------------
> > >Start 'remove' for
> > >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> > >ORK\NDIS
> > >Operation succeeded !
> > >
> > >Start 'remove' for service://NDIS
> > >Operation was scheduled to be completed after next reboot.
> > >
> > >Start 'remove' for
> > >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> > >WORK\NDIS
> > >Operation succeeded !
> > >
> > >Start 'remove' for driver://NDIS
> > >Operation was scheduled to be completed after next reboot.
> > >
> > >Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
> > >Operation succeeded !
> > >
> > >
> > >Results Summary:
> > >----------------
> > >For cleaning VirTool:WinNT/Cutwail.L, the system needs to be  
> restarted.
> > >Microsoft Windows Malicious Software Removal Tool Finished On Tue  
> May
> > >18 21:31:29 2010
> > >
> > >
> > >Return code: 10 (0xa)
>
>
>
> ---
> Stuart Udall
> stuart at@...erdelix.dot net - http://www.cyberdelix.net/
>
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists