Message-ID: <4BF954DD.3047.1A240346@stuart.cyberdelix.net>
Date: Sun, 23 May 2010 17:16:29 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool

denial-of-service vulnerability in the Microsoft Malicious Software 
Removal Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used 
to remove malware from infected Windows systems.  However, MRT does 
not always correctly repair the system.  In at least one case, the 
changes made by MRT can render the system unbootable (log below).  
Repair can be time-consuming and expensive, particularly as the error 
messages and log files of the software concerned are cryptic and 
uninformative, or non-existent.

As MRT runs automatically in the background once a month, these 
changes to the system may be made without the knowledge of an 
Administrator (or even the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting 
stuff willy-nilly.

Recommendations:

1. Do not run MRT manually.

2. Disable MRT if possible, especially on mission-critical machines.

3. Do not use Windows.

Details of notification to vendor:

None.

Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 21:24:47 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
    driver://NDIS
    file://C:\WINDOWS\system32\drivers\NDIS.sys
        SigSeq: 0x00008A78910FD971
        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
    regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
    service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !


Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be 
restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 
18 21:31:29 2010


Return code: 10 (0xa)


---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
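As an added illustration (not part of the original post, and not MRT's own tooling), a small Python parser for the removal-log format quoted above. It flags removals that touch boot-relevant components (driver files under system32, SafeBoot registry entries, driver/service objects) and marks which are deferred to the next reboot, so an administrator can verify them before restarting. The sample log is constructed from the post's format; the category rules are assumptions, not MRT's.

```python
import re
# Constructed sample log, modelled on the MRT removal log quoted in the post above.
SAMPLE_LOG = r"""
Start 'remove' for
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !
Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !
Start 'remove' for file://\\?\C:\Temp\dropper.exe
Operation succeeded !
"""

REMOVE_RE = re.compile(r"^Start 'remove' for\s*(\S*)\s*$")

def parse_removals(log_text):
    """Return {target, outcome, category, pending} per removal; handles wrapped targets."""
    lines = [l.rstrip() for l in log_text.splitlines()]
    removals, i = [], 0
    while i < len(lines):
        m = REMOVE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        target = m.group(1)
        while not target and i < len(lines):  # URI continued on the following line
            target, i = lines[i].strip(), i + 1
        outcome = ""
        while not outcome and i < len(lines):  # next non-empty line is the outcome
            outcome, i = lines[i].strip(), i + 1
        removals.append({"target": target, "outcome": outcome, "category": classify(target),
                         "pending": "scheduled" in outcome.lower()})
    return removals

def classify(target):
    """Assumed category for boot-relevant targets; None for anything else (e.g. temp files)."""
    scheme, _, rest = target.partition("://")
    rest = rest.upper()
    if scheme == "file" and "\\SYSTEM32\\" in rest:
        return "system file"
    if scheme in ("safeboot", "regkey") and "\\SAFEBOOT\\" in rest:
        return "safe-boot entry"
    if scheme in ("driver", "service"):
        return "kernel service"
    return None

def boot_risk_report(log_text):
    """Only the removals that touch boot-relevant components."""
    return [r for r in parse_removals(log_text) if r["category"]]
```

On a real machine the same parser can be pointed at the log MRT writes under the Windows debug directory, and any flagged entry that is still pending should be reviewed before the reboot is allowed to complete the removal.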
