[TZO-062006] Safe'nVulnerable

To: bugtraq@xxxxxxxxxxxxxxxxx, support@xxxxxxxxxxx, news@xxxxxxxxxxxxxx, <Russ.Cooper@xxxxxxxx>, <submission@xxxxxxxxxxxxxxxxxxxxxxx>, <news@xxxxxxxx>
Subject: [TZO-062006] Safe'nVulnerable
From: Thierry Zoller <Thierry@xxxxxxxxx>
Date: Mon, 20 Feb 2006 00:40:41 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Kachkeis Liebhaber CoKG
Reply-to: Thierry Zoller <Thierry@xxxxxxxxx>

_______________________________________________________________________

       Safe'nSec - Insecure File execution and Auto-startup
_______________________________________________________________________


Ref     : TZO-062006-SafenSec
Author  : Thierry Zoller 
WWW     : http://secdev.zoller.lu
Article : http://secdev.zoller.lu/research/safensec.htm


I. Background
~~~~~~~~~~~~~

"Safe'n'Sec is complex data and user applications protection against
threats and vulnerabilities for individual PC as well as workstations 
in corporate networks. The program uses proactive technology based on
activity analysis in user PC."

II. Description
~~~~~~~~~~~~~~~

Vulnerable versions :
- Safe'nSec Personal + Antispyware v2.0 and older
- Probably the other versions of Safe'nSec

Multiple Insecure File execution and Autostart handling.

During Startup, 
~~~~~~~~~~~~~~~
snsmcon.exe spawns the GUI process named safensec.exe through the use 
of CreateProcess() . By doing so it omits to set the 
variable'lpApplicationName' 
and further omits to quote the path in the variable "lpCommandLine" Ref [1]

This results in c:\program.bat|exe|com being called prior to
safensec.exe and allows automatic startup of a potentially rogue application.
In particular one could imagine a scenario where it is possible to escalate
rights using this (as they are inherited from snsmcon.exe).

During Autostartup
~~~~~~~~~~~~~~~~~~
Safe'nSec omits the quotes around the path to the
executable and as such may spawn a rogue application instead of the 
appropriate Starforce application.


During Installation:
~~~~~~~~~~~~~~~~~~~~
During installion a routine spawns a process and omits the quotes 
around the path, thus executing c:\program.exe (here calc.exe) 


III. Summary
~~~~~~~~~~~~~~~

Vendor contact : 15/02/2006
Vendor Response : None

Vendor Response : 
None

[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] Only a real issue in Windows 2000, WinXP restricted users don't have the 
right to write to c:\



-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

Prev by Date: Re: First WMF mass mailer ItW (phishing Trojan)
Next by Date: [eVuln] Time Tracking Software Multiple Vulnerabilities
Previous by thread: Secunia Research: NJStar Word Processor Font Name Buffer Overflow
Next by thread: [eVuln] Time Tracking Software Multiple Vulnerabilities
Index(es):
- Date
- Thread