Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bug

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bug
From: Bipin Gautam <visitbipin@xxxxxxxxxxx>
Date: 5 Oct 2004 13:54:17 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bug.

Affected Product (Only tested on...):

Mcafee Virus Scan professional (8.0.0.12)
Norton Antivirus 2003
Kaspersky 4.5x
Ad-Aware (6.0.1.181)
The Cleaner

Risk Level: Medium


Description:
------------

A malicious code can reside in a computer (with users privilege) bypassing 
"manual scans" of any Antivirus, Trojan & Spy ware scanners by simply issuing 
this command to itself.

cacls.exe hUNT.exe /T /C /P dumb_user:R

If "only execute" permission is set some AV auto-protect engine will also fail 
t stop a malicious code execution....By this way... any software?s with even 
Admin. privilege can't access this file (hUNT.exe) normally because the only 
person who has normal access to this file is "dumb_user"

If the scanner is unable to access the file that is under the security content 
of "dumb_user"... the auto-protect engine will also fail to stop a malicious 
code from executing. Mostly, a user's HOME directory *only accessible* by the 
by the particular user... cauz mostly* permission is set in a way he/she is 
only the owner of that directory. In that case, if a malicious code gets copied 
in desktop (inside home directory, or the directory that's only* accessible by 
the user) the auto-protect engine will also fail to stop a malicious code 
execution.

3APA3A (3APA3A[at]SECURITY.NNOV.RU] pointed out another interesting issue...
You still can bypass antiviral protection for manual scans with file encryption 
(on-access scanners may impersonate accessing user). This time file can only be 
scanned by administrator if administrator is recovery agent.

In manual scan... the scanner runs under the security content of Administrator 
who is responsible for scanning the system.... hence the virus goes unnoticed 
due to NTFS file permission restriction. But, if the Auto-Protect engine loads 
as a kernel driver, the virus gets stopped in the way during execution. But 
many trojan, spyware scanner just run with the Administrative privilege, so its 
a ISSUE for all those products.

Please follow the procedure & confirm if other antivirus products are 
vulnerable as well.

No wonder, there are several false assumptions in windows security 
configuration as well, when a JOE administrator could permanently lock himself 
up in his own machine.

regards,
Bipin Gautam
http://www.geocities.com/visitbipin/

 

Disclaimer: The information in the advisory is believed to be accurate at the 
time of printing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect or consequential loss 
or damage arising from use of, or reliance on this information.

Prev by Date: Re: EEYE: RealPlayer pnen3260.dll Heap Overflow
Next by Date: Re: Full path disclosure in PHP Links
Previous by thread: SUSE Security Announcement: samba (SUSE-SA:2004:035)
Next by thread: Test your windows OS
Index(es):
- Date
- Thread